[KLUG Members] NFS and time travel

Robert G. Brown members@kalamazoolinux.org
Sun, 28 Dec 2003 19:17:09 -0500


On Sun, 28 Dec 2003 17:41:16 -0500, Adam Williams <awilliam@whitemice.org> wrote:

>>>>>The results are no different if I use IP addresses now.
>>>>Try IP's anyway, if you haven't.  
>>>I have, which is why I wrote what I did. I'm reporting, not speculating.
>>And I'm making absolutely sure.   :-)
>>I guess the next thing I'd try is trial & error with different options
>>(on mount and in exports).
>>And, since this is for your internal network, why are you specifying
>>hostnames or IP's at all?  Why not export them to the world?  (try it!)
>I've seen this work.  When trying to mount a Linux2.2 NFS volume on an
>AIX box it only worked if it was shared to "*(rw,insecure)".  Forgot
>about that one.  Ugly ugly and I never had a flippin' clue why.

This seems like something buried DEEP in the code somewhere. I recall a
number of add-ons to IBM mainframes (hard, software, or both) that simply
didn't deal with security-related stuff in the host file system, or munged
so badly (in some cases, ports from other systems with different word lengths
or APIs) that you had to turn off any of that checking (which is what
something like "insecure" probably does) to get the thing to work at all.

>>At least I hope this is only for your internal network only.  
>>You should know that NFS stands for:  "No File Security".   ;-)
>NFSv4 mandates support for GSSAPI (Kerberos V) for RPC calls. 
>Hallelujah!  NFSv4 is in 2.6.x I think but I haven't checked.  All
>network file operations encrypted and authorized,  now that's gonna be
>nice.
Cool! Sounds like those NFS people want to be taken seriously again.
NFS over wireless, and you get the crypto for free... hmmm....

>Also NFSv4 does away with the gid/uidNumber matching agony.  Usernames
>and groups are processed as strings and gid/uidNumber hashing can be
>processed locally.  So much nicer.
That is nice; there are still reasons to preserve these relations across
the LAN; I would imagine directory services can also be used to ensure 
this to a very great degree.

>>Could be.  It's been too long to remember.  I got in the habit of using
>>IP's a LONG time ago.
>Or at least only hostnames defined in /etc/hosts.
I'll let ya know if this distinction matters.
							Regards,
							--->RGB <---
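
Added example, not part of the original thread: a small audit of /etc/exports text that flags the two things discussed above, exports open to every host and the "insecure" option (which, per exports(5), drops the default requirement that requests come from a source port below 1024). The sample exports content, paths and host names are constructed for illustration.

```python
import re

# Constructed sample /etc/exports text (not taken from the thread).
SAMPLE_EXPORTS = """\
/srv/aix      *(rw,insecure)
/srv/home     192.168.1.0/24(rw,sync)   # subnet only, default "secure"
/srv/scratch  client.example.org (rw)
/srv/pub      192.168.1.0/24(ro) \\
              *(ro,insecure)
"""

# client(opt,opt,...) where either part may be missing
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def audit_exports(text):
    """Return (path, client, code) findings; code is 'world' or 'insecure'."""
    findings = []
    text = re.sub(r"\\\n", " ", text)          # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            if entry.startswith("-"):          # default-option token, not audited here
                continue
            m = CLIENT_RE.match(entry)
            if m is None:
                findings.append((path, entry, "unparsed"))
                continue
            client = m.group(1) or "<anyone>"  # "(rw)" alone has no client part
            opts = (m.group(2) or "").split(",")
            if client in ("*", "<anyone>"):
                findings.append((path, client, "world"))
            if "insecure" in opts:
                findings.append((path, client, "insecure"))
    return findings

if __name__ == "__main__":
    for path, client, code in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {client}: {code}")
```

The /srv/scratch line shows a related pitfall: the space before "(rw)" makes it a separate entry with no client, so the options apply to any host rather than to client.example.org.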