Argh! I'm getting frustrated...
What's the _right_<tm> way to set up an NFS environment so that:
1. The NFS server exports a directory allowing both sec=sys to some clients,
and sec=krb5:krb5i:krb5p to the "world".
2. Having the clients _default_ to sec=krb5 if a user with a kerberos ticket
logs in, but fall back to sec=sys otherwise. It should be default stay away
from sec=krb5i or sec=krb5p. Using the automounter preferable.
3. Support OpenSolaris, Solaris 10, Solaris 9, Linux and MacOS X clients...
I enable krb5/krb5i/krb5p in /etc/nfssec.conf and then export a directory like
this:
zfs set sharenfs=sec=krb5:krb5i:krb5p,rw,sec=sys,rw=somehosts export/data
Can I somehow tell the automounter to try krb5 and fall back to sys if it fails?
I read somewhere that NFSv4 and NFSv3 resolves which security flavour to use
differently - is that right? (I think it was NFSv3 that chooses the "first
match" from the
exported list by the server, but NFSv4 chooses the "most secure" one).
Other suggestions?
This message posted from opensolaris.org
