Description
Date: August 23, 2005 4:37:15 PM PDT
Subject: [nfs-discuss] About that NFS client privileged port change
Trying the weak port, and then getting AUTH_TOOWEAK, seems
fraught with danger.
For one thing, how do we know all NFS servers will return the right
error? What if they return an NFS level error (e.g. _ACCESS)?
I suggest at least having a tri-state on the tunable. { ALWAYS_PRIV,
ALWAYS_WEAK, TRY_WEAK }. You might also have TRY_PRIV to deal with
the inevitable case where there are no privileged ports left, so quad-state.
This message posted from opensolaris.org
Setting the preference should be placed in /etc/default/nfs; CLNT_CONTROL() can be used to set the preference.
In confirmation of Mike Eisler's warnings, we've just run into a scenario with Linux where the Linux server indeed does not return AUTH_TOOWEAK; it actually returns NFSERR_PERM instead. This causes the Solaris client to be unable to mount the Linux server unless you specify the "insecure" option when you set the export. Another workaround for this problem for now is to do the following on the client:
#echo "clnt_cots_do_bindresvport/W 1"|mdb -kw
which basically makes the client always try with reserved ports by default.
In addition to this we need to address the issue of existing
connection selection. By that I mean we need to consider if
an existing connection to the server matches the exact
characteristics of the desired connection. The current code base
will not establish a new connection if clnt_cots_bindresvport
is altered 'on the fly'.
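The quad-state tunable and the fallback problem discussed in this report can be modelled as a small decision function. This is an added example, not code from the Solaris client or from anyone in this thread; all enum and function names are hypothetical. The non-strict mode, which treats an NFS-level permission error on a weak port as a request for a reserved port, is an assumption made for illustration and not a fix described in this report.

```c
/* Added illustration; every name below is hypothetical, not a Solaris identifier. */
#include <stdbool.h>
#include <stdio.h>
enum policy  { ALWAYS_PRIV, ALWAYS_WEAK, TRY_WEAK, TRY_PRIV };
enum port    { PORT_WEAK, PORT_PRIV };
enum outcome { OUT_OK, OUT_AUTH_TOOWEAK, OUT_NFS_PERM, OUT_NO_PRIV_PORT };
enum action  { ACT_DONE, ACT_RETRY_PRIV, ACT_RETRY_WEAK, ACT_FAIL };

/* Port class used for the first attempt under each policy. */
enum port first_port(enum policy p)
{
    return (p == ALWAYS_PRIV || p == TRY_PRIV) ? PORT_PRIV : PORT_WEAK;
}

/* Decide the next step after one attempt. strict: fall back only on the
 * RPC-level AUTH_TOOWEAK; otherwise an NFS-level permission error on a
 * weak port is also read as "server wants a reserved port". */
enum action next_action(enum policy p, enum port used, enum outcome o, bool strict)
{
    if (o == OUT_OK) return ACT_DONE;
    if (used == PORT_WEAK) {
        bool rejected = o == OUT_AUTH_TOOWEAK || (!strict && o == OUT_NFS_PERM);
        return (p == TRY_WEAK && rejected) ? ACT_RETRY_PRIV : ACT_FAIL;
    }
    /* Reserved-port attempt: only TRY_PRIV may drop to a weak port. */
    return (p == TRY_PRIV && o == OUT_NO_PRIV_PORT) ? ACT_RETRY_WEAK : ACT_FAIL;
}

/* Model at most two attempts. weak_reply is the server's answer on a
 * non-reserved port; priv_free says whether a reserved port can be bound. */
bool mount_succeeds(enum policy p, enum outcome weak_reply, bool priv_free, bool strict)
{
    enum port k = first_port(p);
    for (int tries = 0; tries < 2; tries++) {
        enum outcome o = (k == PORT_WEAK) ? weak_reply : priv_free ? OUT_OK : OUT_NO_PRIV_PORT;
        enum action a = next_action(p, k, o, strict);
        if (a == ACT_DONE || a == ACT_FAIL)
            return a == ACT_DONE;
        k = (a == ACT_RETRY_PRIV) ? PORT_PRIV : PORT_WEAK;
    }
    return false;
}

int main(void)
{
    printf("TRY_WEAK strict: %d\n", mount_succeeds(TRY_WEAK, OUT_NFS_PERM, true, true));
    printf("ALWAYS_PRIV:     %d\n", mount_succeeds(ALWAYS_PRIV, OUT_NFS_PERM, true, true));
    return 0;
}
```

The second attempt never escalates again, so a policy cannot loop between port classes.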