Kyle McDonald wrote:
> Functionally what's the difference between allowing root nfs access with
> root=*, and allowing it with anon=0?
>
> I have a JumpStart filesystem that was shared through /etc/dfs/dfstab
> with '-o sec=sys,ro,anon=0'. On this file system there are files that
> are owned by root and mode 600. During jumpstart these files can be
> copied fine.
>
> When I was converting to use sharemgr, at first I missed the fact that
> it has an 'anon=0' option, and decided to use 'root=*' instead. For
> some reason this broke things, those same files couldn't be copied.
>
> Switching back to 'anon=0' fixed things again.
>
> Why?
>
> The only difference I can see is that root= allows a list of hosts, but
> when used with an * it should work the same as anon=0 right?
>
You can't use root with a '*'.

The real difference is that anon does not have to mean a root mapping and
what happens if you mix the two.

If you look at the share_nfs(1M) man page, only hosts in the root access
list have root permissions. If a host is not in that list (which is empty
by default), then root access from that host is mapped to the anonymous
user ID. So, a dirty way to give all hosts root access is to say anon=0.

But the anonymous id is also used when the security flavor is none. Say
there is a share:

    /tomper sec=krb5,rw,sec=none,rw,anon=55

This states that if your security flavor is krb5, then you have your uid.
If your flavor is anything else, then you get mapped to uid 55. So if you
come in with AUTH_SYS, you and everyone else will have that UID. And then
file permissions apply to whether you have access or not.

If you only have:

    /tomper sec=krb5,rw,anon=55

Then it means that the only security flavor allowed in is krb5 and if you
are root, your uid will be 55.

Some more:

    /tomper sec=krb5:krb5i:krb5p,rw,ro...@10.0.0.0,anon=55

States that all kerberized access is allowed, hosts from the 10.0.0.0/8
subnet have root access, and hosts from outside that subnet have their
root access mapped to uid 55.

This should give you a start at understanding the interactions.

> What am I missing?
>
> -Kyle
>
>
> _______________________________________________
> nfs-discuss mailing list
> nfs-discuss at opensolaris.org
>
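The uid-mapping rules the reply walks through, as an added Python model (not code from this thread or from the NFS server): it parses a share option string and reports which uid the server would apply for a given security flavor, request uid and client address, which reproduces why root=* left Kyle's root-owned mode 600 files unreadable while anon=0 did not. It assumes root= entries in the @network/prefix form, that an unlisted flavor falls back to sec=none when that flavor is offered (as the reply describes), and that anon=-1 refuses anonymous access as in share_nfs(1M); the share strings and addresses are constructed.

```python
# Model of the share_nfs(1M) anon=/root= mapping rules described in the reply.
# Added example; the share strings and client addresses below are constructed.
from ipaddress import ip_address, ip_network

NOBODY = 60001  # Solaris default for anon= (the 'nobody' uid)


def parse_share(opts):
    """Turn 'sec=krb5,rw,sec=none,rw,anon=55' into ({flavor: root_list}, anon)."""
    sections, anon, current = {}, NOBODY, None
    for opt in opts.split(','):
        key, _, val = opt.partition('=')
        if key == 'sec':                       # sec=a:b opens a section for a and b
            current = val.split(':')
            for flavor in current:
                sections.setdefault(flavor, [])
        elif key == 'anon':                    # anon= is global, not per section
            anon = int(val)
        else:
            if current is None:                # options before any sec= imply sec=sys
                current = ['sys']
                sections.setdefault('sys', [])
            if key == 'root':                  # root= applies to the open section only
                for flavor in current:
                    sections[flavor] = val.split(':')
            # rw/ro (and their access lists) are not modelled here
    if not sections:                           # e.g. a bare 'anon=0' share
        sections['sys'] = []
    return sections, anon


def in_root_list(entries, client_ip):
    """Only @network/prefix entries are matched; hostnames, netgroups and
    '*' never match here (the reply notes root= takes no '*')."""
    ip = ip_address(client_ip)
    return any(e.startswith('@') and ip in ip_network(e[1:], strict=False)
               for e in entries)


def effective_uid(share, flavor, uid, client_ip):
    """Return the uid the server will use, or None if the request is refused."""
    sections, anon = share
    if flavor not in sections:
        if 'none' not in sections:
            return None                        # flavor not offered: refused
        flavor = 'none'                        # sec=none offered: treated as AUTH_NONE
    if flavor == 'none' or (uid == 0 and not in_root_list(sections[flavor], client_ip)):
        return None if anon == -1 else anon    # anon=-1 refuses anonymous access
    return uid
```

With 'sec=sys,ro,anon=0' root stays uid 0, while with 'sec=sys,ro,root=*' root is mapped to nobody and cannot read a root-owned mode 600 file.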