fs/nfs/client.c | 14 ++++++++++- fs/nfs/super.c | 64 +++++++++++++++++++++++++++++++++++++++---------- 2 files changed, 65 insertions(+), 13 deletions(-)
Linux NFS3 kernel client currently has broken support for NFS3 AUTH_NULL-only exports and also broken mount option -o sec=none (which explicitly specifies that mount should use AUTH_NULL). For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such export with AUTH_UNIX authentication which results in unusable mount point (any operation on it fails with error because server rejects AUTH_UNIX authentication). Half of the problem is with MNTv3 servers, as some of them (e.g. Linux one) never announce AUTH_NULL authentication for any export. Linux MNTv3 server does not announce it even when the export has the only AUTH_NULL auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX. Main problem on the client side is that mount option -o sec=none for NFS3 client is not processed and Linux NFS kernel client always skips AUTH_NULL (even when server announce it, and also even when user specifies -o sec=none on mount command line). This patch series address these issues in NFS3 client code. Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL, by trying AUTH_NULL authentication as an absolutely last chance when everything else fails. And honors user choice of AUTH_NULL if user explicitly specified -o sec=none as mount option. AUTH_NULL authentication is useful for read-only exports, including public exports. As authentication for these types of exports do not have to be required. Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux MNTv3 userspace server. And also tested with exports from modified MNTv3 server to properly return AUTH_NULL support in response list. Patch series is based on the latest upstream tag v6.11-rc7. Pali Rohár (5): nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3 server nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given nfs: Fix -o sec=none output in /proc/mounts nfs: Remove duplicate debug message 'using auth flavor' fs/nfs/client.c | 14 ++++++++++- fs/nfs/super.c | 64 +++++++++++++++++++++++++++++++++++++++---------- 2 files changed, 65 insertions(+), 13 deletions(-) -- 2.20.1
On Thursday 12 September 2024 15:02:15 Pali Rohár wrote: > Linux NFS3 kernel client currently has broken support for NFS3 > AUTH_NULL-only exports and also broken mount option -o sec=none > (which explicitly specifies that mount should use AUTH_NULL). > > For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such > export with AUTH_UNIX authentication which results in unusable mount > point (any operation on it fails with error because server rejects > AUTH_UNIX authentication). > > Half of the problem is with MNTv3 servers, as some of them (e.g. Linux > one) never announce AUTH_NULL authentication for any export. Linux MNTv3 > server does not announce it even when the export has the only AUTH_NULL > auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX > is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server > for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use > AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX. > > Main problem on the client side is that mount option -o sec=none for > NFS3 client is not processed and Linux NFS kernel client always skips > AUTH_NULL (even when server announce it, and also even when user > specifies -o sec=none on mount command line). > > This patch series address these issues in NFS3 client code. > > Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL, > by trying AUTH_NULL authentication as an absolutely last chance when > everything else fails. And honors user choice of AUTH_NULL if user > explicitly specified -o sec=none as mount option. > > AUTH_NULL authentication is useful for read-only exports, including > public exports. As authentication for these types of exports do not have > to be required. > > Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined > AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux > MNTv3 userspace server. And also tested with exports from modified MNTv3 > server to properly return AUTH_NULL support in response list. > > Patch series is based on the latest upstream tag v6.11-rc7. > > Pali Rohár (5): > nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3 > server > nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures > nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given > nfs: Fix -o sec=none output in /proc/mounts > nfs: Remove duplicate debug message 'using auth flavor' > > fs/nfs/client.c | 14 ++++++++++- > fs/nfs/super.c | 64 +++++++++++++++++++++++++++++++++++++++---------- > 2 files changed, 65 insertions(+), 13 deletions(-) > > -- > 2.20.1 > Hello, month ago I have sent these fixes for NFS3 client AUTH_NULL support. Are there any issues with them?
On Saturday 05 October 2024 17:15:02 Pali Rohár wrote: > On Thursday 12 September 2024 15:02:15 Pali Rohár wrote: > > Linux NFS3 kernel client currently has broken support for NFS3 > > AUTH_NULL-only exports and also broken mount option -o sec=none > > (which explicitly specifies that mount should use AUTH_NULL). > > > > For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such > > export with AUTH_UNIX authentication which results in unusable mount > > point (any operation on it fails with error because server rejects > > AUTH_UNIX authentication). > > > > Half of the problem is with MNTv3 servers, as some of them (e.g. Linux > > one) never announce AUTH_NULL authentication for any export. Linux MNTv3 > > server does not announce it even when the export has the only AUTH_NULL > > auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX > > is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server > > for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use > > AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX. > > > > Main problem on the client side is that mount option -o sec=none for > > NFS3 client is not processed and Linux NFS kernel client always skips > > AUTH_NULL (even when server announce it, and also even when user > > specifies -o sec=none on mount command line). > > > > This patch series address these issues in NFS3 client code. > > > > Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL, > > by trying AUTH_NULL authentication as an absolutely last chance when > > everything else fails. And honors user choice of AUTH_NULL if user > > explicitly specified -o sec=none as mount option. > > > > AUTH_NULL authentication is useful for read-only exports, including > > public exports. As authentication for these types of exports do not have > > to be required. > > > > Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined > > AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux > > MNTv3 userspace server. And also tested with exports from modified MNTv3 > > server to properly return AUTH_NULL support in response list. > > > > Patch series is based on the latest upstream tag v6.11-rc7. > > > > Pali Rohár (5): > > nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3 > > server > > nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures > > nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given > > nfs: Fix -o sec=none output in /proc/mounts > > nfs: Remove duplicate debug message 'using auth flavor' > > > > fs/nfs/client.c | 14 ++++++++++- > > fs/nfs/super.c | 64 +++++++++++++++++++++++++++++++++++++++---------- > > 2 files changed, 65 insertions(+), 13 deletions(-) > > > > -- > > 2.20.1 > > > > Hello, month ago I have sent these fixes for NFS3 client AUTH_NULL > support. Are there any issues with them? Hello, as there are not any objections, could you prepare these fixes for -next tree?
Hi Pali, On 9/12/24 9:02 AM, Pali Rohár wrote: > Linux NFS3 kernel client currently has broken support for NFS3 > AUTH_NULL-only exports and also broken mount option -o sec=none > (which explicitly specifies that mount should use AUTH_NULL). > > For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such > export with AUTH_UNIX authentication which results in unusable mount > point (any operation on it fails with error because server rejects > AUTH_UNIX authentication). > > Half of the problem is with MNTv3 servers, as some of them (e.g. Linux > one) never announce AUTH_NULL authentication for any export. Linux MNTv3 > server does not announce it even when the export has the only AUTH_NULL > auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX > is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server > for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use > AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX. > > Main problem on the client side is that mount option -o sec=none for > NFS3 client is not processed and Linux NFS kernel client always skips > AUTH_NULL (even when server announce it, and also even when user > specifies -o sec=none on mount command line). > > This patch series address these issues in NFS3 client code. > > Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL, > by trying AUTH_NULL authentication as an absolutely last chance when > everything else fails. And honors user choice of AUTH_NULL if user > explicitly specified -o sec=none as mount option. Why fix this on the client instead of fixing the server to announce AUTH_NULL if this is what the user has configured? Anna > > AUTH_NULL authentication is useful for read-only exports, including > public exports. As authentication for these types of exports do not have > to be required. > > Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined > AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux > MNTv3 userspace server. And also tested with exports from modified MNTv3 > server to properly return AUTH_NULL support in response list. > > Patch series is based on the latest upstream tag v6.11-rc7. > > Pali Rohár (5): > nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3 > server > nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures > nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given > nfs: Fix -o sec=none output in /proc/mounts > nfs: Remove duplicate debug message 'using auth flavor' > > fs/nfs/client.c | 14 ++++++++++- > fs/nfs/super.c | 64 +++++++++++++++++++++++++++++++++++++++---------- > 2 files changed, 65 insertions(+), 13 deletions(-) >
On Thursday 12 September 2024 17:06:07 Anna Schumaker wrote: > Hi Pali, > > On 9/12/24 9:02 AM, Pali Rohár wrote: > > Linux NFS3 kernel client currently has broken support for NFS3 > > AUTH_NULL-only exports and also broken mount option -o sec=none > > (which explicitly specifies that mount should use AUTH_NULL). > > > > For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such > > export with AUTH_UNIX authentication which results in unusable mount > > point (any operation on it fails with error because server rejects > > AUTH_UNIX authentication). > > > > Half of the problem is with MNTv3 servers, as some of them (e.g. Linux > > one) never announce AUTH_NULL authentication for any export. Linux MNTv3 > > server does not announce it even when the export has the only AUTH_NULL > > auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX > > is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server > > for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use > > AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX. > > > > Main problem on the client side is that mount option -o sec=none for > > NFS3 client is not processed and Linux NFS kernel client always skips > > AUTH_NULL (even when server announce it, and also even when user > > specifies -o sec=none on mount command line). > > > > This patch series address these issues in NFS3 client code. > > > > Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL, > > by trying AUTH_NULL authentication as an absolutely last chance when > > everything else fails. And honors user choice of AUTH_NULL if user > > explicitly specified -o sec=none as mount option. > > Why fix this on the client instead of fixing the server to announce AUTH_NULL > if this is what the user has configured? This can be a next step. Without this client workaround it is not possible to connect with Linux client to existing/running servers. > Anna > > > > > AUTH_NULL authentication is useful for read-only exports, including > > public exports. As authentication for these types of exports do not have > > to be required. > > > > Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined > > AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux > > MNTv3 userspace server. And also tested with exports from modified MNTv3 > > server to properly return AUTH_NULL support in response list. > > > > Patch series is based on the latest upstream tag v6.11-rc7. > > > > Pali Rohár (5): > > nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3 > > server > > nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures > > nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given > > nfs: Fix -o sec=none output in /proc/mounts > > nfs: Remove duplicate debug message 'using auth flavor' > > > > fs/nfs/client.c | 14 ++++++++++- > > fs/nfs/super.c | 64 +++++++++++++++++++++++++++++++++++++++---------- > > 2 files changed, 65 insertions(+), 13 deletions(-) > >
© 2016 - 2024 Red Hat, Inc.