Frank Batschulat (Home) wrote:
> On Thu, 23 Apr 2009 14:52:51 +0200, Andrew Gallatin <gallatin at cs.duke.edu> wrote:
>
>> Frank Batschulat (Home) wrote:
>>
>>> yes, in build 108 we integrated real kernel RPC support for AUTH_NONE,
>>> previously it was silently matched and handled as AUTH_SYS
>>>
>>> 6790413 AUTH_NONE implementation in kernel RPC
>>> http://bugs.opensolaris.org/view_bug.do?bug_id=6790413
>>>
>>> it appears that the linux server as default has sec=none before sec=sys in the share so
>>> we'd start using real AUTH_NONE support for the mount and future access
>>> causing following problems
>>>
>>> 6828396 snv_111 sends wrong uid/gid to Linux NFSv3 server
>>> http://bugs.opensolaris.org/view_bug.do?bug_id=6828396
>>>
>>> since AUTH_NONE is the first security flavour our client gets from the Linux server
>>> during mount, our client will then use AUTH_NONE for future access of course
>>> and will fail as described in 6828396
>>
>> There was a comment somewhere (which I can no longer find) that the
>> Solaris policy of choosing the *first* common security flavor may be
>> incorrect, and that Solaris should be choosing the *strongest*
>> common security flavor. If Solaris did this, it would certainly
>
> that's exactly what we've already started to discuss now ;-)
>
>> reduce interoperability problems with Linux NFS servers, since
>> sec=sys would be chosen in this case. Eg, things would continue
>> to work, rather than break, when people upgrade to more recent
>> versions of OpenSolaris.
>
> though I'd be really interested to know more about how it comes that a share by
> default is done with AUTH_NONE included, any background info somewhere available?
>
> the Solaris server, by default, shares with sec=AUTH_SYS

ENOCLUE. My Linux server's exports list looks like:

/home 172.31.193.0/255.255.255.0(rw,async,no_subtree_check,insecure,no_root_squash)

This is Ubuntu 8.04 ("hardy") update 2:

% cat /etc/issue
Ubuntu 8.04.2 \n \l
% uname -a
Linux thunder 2.6.24-23-generic #1 SMP Mon Jan 26 01:04:16 UTC 2009 x86_64 GNU/Linux

I certainly never intended to export anything with sec=none.

Drew
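
The two selection policies discussed in this thread, as an added example that is not part of the original messages and not Solaris or Linux code: it parses the XDR `auth_flavors<>` list from a MOUNT v3 reply (RFC 1813) and applies first-match versus strongest-common selection. The function names, the strength ranking and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RPC flavor numbers (RFC 5531) and Kerberos pseudo-flavors (RFC 2623). */
enum { FL_NONE = 0, FL_SYS = 1, FL_KRB5 = 390003, FL_KRB5I = 390004, FL_KRB5P = 390005 };
/* Constructed sample: XDR flavor list {AUTH_NONE, AUTH_SYS}, in the order
 * the thread attributes to the Linux server. */
static const uint8_t SAMPLE[] = { 0,0,0,2,  0,0,0,0,  0,0,0,1 };

/* Assumed ranking for this example: higher is stronger, 0 = unsupported. */
static int strength(uint32_t f) {
    switch (f) {
    case FL_NONE: return 1;  case FL_SYS: return 2;  case FL_KRB5: return 3;
    case FL_KRB5I: return 4; case FL_KRB5P: return 5; default: return 0;
    }
}
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* Parse XDR "int auth_flavors<>": 4-byte count, then count 4-byte values.
 * Returns the count, or -1 if the buffer is short or the list exceeds max. */
static int parse_flavors(const uint8_t *b, size_t len, uint32_t *out, size_t max) {
    if (len < 4) return -1;
    uint32_t n = be32(b);
    if (n > max || (len - 4) / 4 < n) return -1;
    for (uint32_t i = 0; i < n; i++) out[i] = be32(b + 4 + 4 * (size_t)i);
    return (int)n;
}
/* Policy A: first server-listed flavor the client supports. */
static int pick_first(const uint32_t *srv, int n, uint32_t *chosen) {
    for (int i = 0; i < n; i++)
        if (strength(srv[i]) > 0) { *chosen = srv[i]; return 0; }
    return -1;
}
/* Policy B: strongest flavor common to both sides. */
static int pick_strongest(const uint32_t *srv, int n, uint32_t *chosen) {
    int best = 0;
    for (int i = 0; i < n; i++)
        if (strength(srv[i]) > best) { best = strength(srv[i]); *chosen = srv[i]; }
    return best ? 0 : -1;
}
int main(void) {
    uint32_t fl[8], a = 0, b = 0;
    int n = parse_flavors(SAMPLE, sizeof SAMPLE, fl, 8);
    if (n < 0 || pick_first(fl, n, &a) || pick_strongest(fl, n, &b)) return 1;
    printf("first-match: %u, strongest: %u\n", (unsigned)a, (unsigned)b);
    return 0;
}
```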