nfsd spam in /var/log/messages
Rick Macklem
rmacklem at uoguelph.ca
Mon Jul 28 22:47:34 UTC 2014
Russell L. Carter wrote:
>
>
> On 07/28/14 05:55, Rick Macklem wrote:
>
> > Assuming /export is one file system on the server, put all
> > the exports in a single entry, something like:
> > V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> > /export/usr/src /export/usr/obj /export/usr/ports /export/packages
> > /export/library -maproot=root
> >
> > OR you can just allow the clients to mount any location
> > within the server file system using -alldirs like:
> > V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> > /export -alldirs -maproot=root
> >
> > At least I think I got this correct;-) rick
>
> Then it would seem that it is not possible to do per-host
> filesystem access control from a single server. Is that true?
>
Yes, you can. Each line must be unique w.r.t. the tuple of
<host, server-filesystem>.
When there are multiple directories within a file system that
need to be mounted by a given host (or subnet), those must be
specified in a single entry.
> The larger project I am working on intermittently is to see if I can
> work out a way to secure NFSv4 so that the net transport is encrypted
> (via ssh|spiped tunnel, perhaps) and the server has per host (per user
> would be better) filesystem access control, WITHOUT kerberos. Maybe
> ACLs? I have looked into ACLs but they don't look very promising for
> multiple platform support.
>
On my "someday" list is trying to figure out how to allow a mount to
work over IPsec, but I've never done it (and don't actually know if it
is currently possible, although I suspect the answer is no).
ACLs allow finer grained access control to a file, but still use whatever
authentication is being used (auth_sys is just a uid# and list of gid#s
vs Kerberos, which authenticates a kerberos principal).
rick
> Thanks,
> Russell
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to
> "freebsd-net-unsubscribe at freebsd.org"
>
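Added example (not part of the thread, and not FreeBSD's own code): a small Python checker for the rule Rick states above, that every /etc/exports line must be unique with respect to the tuple <host spec, server file system>, so several directories of one file system exported to the same host or subnet have to share a single line. The checker parses FreeBSD-style exports lines, maps each exported path to its file system by longest mount-point prefix, and reports lines that repeat the same tuple. The mount-point list and both exports files are constructed sample data (assumption: /export is one file system on the server, as in the reply); V4: root lines are skipped since they are not file-system exports, and only exact repeats of the same host spec are flagged.

```python
"""Flag /etc/exports lines that repeat the same <host spec, file system> tuple.

Constructed example for the thread above; it is not mountd's parser and
only checks the one rule discussed: several directories of one file
system for the same host/subnet must sit on a single exports line.
"""
from collections import defaultdict
import shlex

# Constructed assumption: the server's mounted file systems.
MOUNTPOINTS = ["/", "/export", "/usr"]

# exports(5) options that may take their argument as the next token
# (e.g. "-network 10.0.10 -mask 255.255.255.0") instead of "-opt=value".
ARG_OPTS = {"-network", "-mask", "-sec", "-maproot", "-mapall"}


def filesystem_of(path, mountpoints=MOUNTPOINTS):
    """Return the longest mount point that contains path (on a '/' boundary)."""
    best = "/"
    for mp in mountpoints:
        stripped = mp.rstrip("/")
        if mp == "/" or path == stripped or path.startswith(stripped + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def parse_line(line):
    """Split one exports line into (paths, options, hosts).

    Returns None for blank/comment lines and for NFSv4 'V4:' root lines,
    which name the v4 root rather than exporting a file system.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = shlex.split(line)
    if tokens[0].startswith("V4:"):
        return None
    paths, opts, hosts = [], {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            paths.append(tok)
        elif tok.startswith("-"):
            name, _, val = tok.partition("=")
            if name in ARG_OPTS and not val and i + 1 < len(tokens):
                i += 1                      # consume "-network 10.0.10" style arg
                val = tokens[i]
            opts[name] = val or True
        else:
            hosts.append(tok)               # anything else is a host spec
        i += 1
    return paths, opts, hosts


def host_keys(opts, hosts):
    """Normalise the line's host specification into hashable keys."""
    if "-network" in opts:
        return [("net", opts["-network"], opts.get("-mask", ""))]
    if hosts:
        return [("host", h) for h in hosts]
    return [("all",)]                       # no host spec: exported to everyone


def find_conflicts(text, mountpoints=MOUNTPOINTS):
    """Map each repeated (host key, file system) tuple to its line numbers."""
    seen = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        paths, opts, hosts = parsed
        for fs in {filesystem_of(p, mountpoints) for p in paths}:
            for key in host_keys(opts, hosts):
                seen[(key, fs)].append(lineno)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed: one line per directory, all in /export, all for the same subnet.
BAD_EXPORTS = "\n".join([
    "V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0",
    "/export/usr/src -maproot=root -network 10.0.10 -mask 255.255.255.0",
    "/export/usr/obj -maproot=root -network 10.0.10 -mask 255.255.255.0",
    "/export/usr/ports -maproot=root -network 10.0.10 -mask 255.255.255.0",
])

# Constructed: the consolidated form, plus per-host entries for two hosts
# (different tuples, so they may coexist on one server).
GOOD_EXPORTS = "\n".join([
    "V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0",
    "/export/usr/src /export/usr/obj /export/usr/ports -maproot=root"
    " -network 10.0.10 -mask 255.255.255.0",
    "/export/packages /export/library -maproot=root buildhost",
    "/export/library -ro devbox",
])


if __name__ == "__main__":
    for name, text in (("bad", BAD_EXPORTS), ("good", GOOD_EXPORTS)):
        conflicts = find_conflicts(text)
        print(name, "->", conflicts if conflicts else "no duplicate tuples")
```

Run it against a copy of the server's /etc/exports (with MOUNTPOINTS taken from `df` or `mount`) before reloading mountd; each reported tuple is a set of lines that need merging into one entry.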