On Tue, Aug 05, 2008 at 09:56:01AM -0500, Paul Fisher wrote:
> Just out of curiosity, is there a reason that RPC wasn't updated to
> match the upper-level semantics with similar mechanics? It basically
> shatters the wonderful illusion set up by NFSv4.

Yes, there is: AUTH_SYS provides no security, and AUTH_SYS_NAMES (say)
wouldn't either. But RPCSEC_GSS authentication mechanisms do.

If you really need AUTH_SYS, then make sure that you share a UID/GID
namespace across your servers and clients.

Now, I think there's something to be said for the simplicity of AUTH_SYS
in environments where one does not care about security. So perhaps we
should have pursued an AUTH_SYS_NAMES anyways.

But, a couple of observations:

 - if your environment is small enough, just sync your /etc/passwd and
   group files
 - otherwise deploy a distributed name service
 - either way AUTH_SYS will work fine for you then;
 - this could be an opportunity to learn Kerberos V. We have tools to
   make Kerberos deployment easy, you know: kdcmgr(1M) and kclient(1M).

Nico
--
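
Added example, not part of the original message: AUTH_SYS credentials carry numeric UIDs and GIDs, so the shared namespace recommended above can be checked by comparing passwd- or group-format files from a server and a client. The function names `passwd_drift` and `demo` are hypothetical and the sample entries are constructed.

```shell
#!/bin/sh
# passwd_drift FILE_A FILE_B
# Compares two passwd(4)- or group(4)-format files (name:x:id:...) and
# prints one line per conflict found in FILE_B relative to FILE_A:
#   UID_MISMATCH name idA idB   same name maps to different IDs
#   UID_REUSE id nameA nameB    same ID maps to different names
# Assumes each file maps an ID to a single name (aliases are not tracked).
passwd_drift() {
    awk -F: '
        /^#/ || NF < 3 { next }                      # skip comments, short lines
        FILENAME == ARGV[1] {                        # first file: build the maps
            id_of[$1] = $3; name_of[$3] = $1; next
        }
        ($1 in id_of) && id_of[$1] != $3 {
            print "UID_MISMATCH", $1, id_of[$1], $3
        }
        ($3 in name_of) && name_of[$3] != $1 {
            print "UID_REUSE", $3, name_of[$3], $1
        }
    ' "$1" "$2"
}

# Constructed sample data: on the client, alice holds the UID that the
# server assigns to bob, so under AUTH_SYS the server would treat
# alice's requests as coming from bob.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
                  'alice:x:1001:100::/home/alice:/bin/sh' \
                  'bob:x:1002:100::/home/bob:/bin/sh' > "$dir/server"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
                  'alice:x:1002:100::/home/alice:/bin/sh' \
                  'carol:x:1003:100::/home/carol:/bin/sh' > "$dir/client"
    passwd_drift "$dir/server" "$dir/client"
    rm -rf "$dir"
}

demo
```

An empty result means the two files agree on every name and ID they share; entries present in only one file are not reported.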