On Thu, 23 Apr 2009 07:46:06 +0200, Frank Batschulat (Home) <Frank.Batschulat at sun.com> wrote:
> On Thu, 23 Apr 2009 07:34:45 +0200, Tom Haynes <Thomas.Haynes at sun.com> > wrote: > >> The credentials problem is a known bug. >> >> I just can't find the bug number right now. >> >> I *think* if you say: >> >> mount -o sec=sys ...... >> >> it will start working as expected. >> >> There was a recent change to add server support for sec=none and the Linux >> client hands it out first if no security flavor is supplied. >> >> So, if you supply your flavor, you should not see the issue. > > yes, in build 108 we integrated real kernel RPC support for AUTH_NONE, > previously it was silently matched and handled as AUTH_SYS > > 6790413 AUTH_NONE implementation in kernel RPC > http://bugs.opensolaris.org/view_bug.do?bug_id=6790413 > > it appears that the linux server as default has sec=none before sec=sys in > the share so > we'd start using real AUTH_NONE support for the mount and future access > causing following problems > > 6828396 snv_111 sends wrong uid/gid to Linux NFSv3 server > http://bugs.opensolaris.org/view_bug.do?bug_id=6828396 > > since AUTH_NONE is the first security flavour our client gets from the Linux > server > during mount, our client will then use AUTH_NONE for future access of course > and will fail as described in 6828396 > > using sec=sys as either the first flavour or leave out sec=none completely > brings us back to AUTH_SYS. > > sample snoop to illustrate the problem: > > 5 0.00156 solaris-client -> linux-server MOUNT3 C Mount /v3-server-test > 6 0.00859 linux-server -> solaris-client MOUNT3 R Mount OK FH=5F67 > Auth=none,unix,390003,390004,390005 has also been discussed here: http://www.opensolaris.org/jive/thread.jspa?threadID=99671&tstart=60 current workarounds: 1) on the linux server side, remove the sec=none from the share or 2) on the linux server side, explicitely share with sec=sys or 3) on the solaris client side, comment out the 'none' entry from the list of supported security flavours in /etc/nfssec.conf or 4) on the solaris client side, explicitely perform the mount with a security flavour specified other then sec=none --- frankB
