Excellent point! I think this is a good example of why the same
physical path can't be shared from a zone and the global zone at the
same time. Perhaps excluding any zonepaths from being shared at the
global zone is desirable if the nfs switch for that zone is turned on?

Do you think that such a switch should be per-zone or per-device/share?


There maybe a conflicting security requirement here. Lets say
I'm SA of the zone and i have exported /export/foo with krb5i
(since my foo really needs tight security :) ) to a limited
set of clients. Then along comes Mr Global SA and exports it
with auth_sys to any old nfs client..

seems like that might be an issue ?

