Overland Storage SnapServer Administrator's Manual page 146

SnapServer 7.0 Administrator's Guide
Entry Code
no_root_squash
async
no_all_squash
Configuring Export Strings for NFSv4 with Kerberos Security. Share access for NFSv4
clients can be enforced either by the traditional NFS host method (described in
SnapServer Exports File Default Options" on page
If Kerberos is enabled, access is applied uniformly to all Kerberos-authenticated NFSv4
clients connected using the matching Kerberos option. Host-based access as described in
The SnapServer Exports File Default Options still applies to NFSv2 and v3 clients when
Kerberos is enabled, but it does not apply to NFSv4 clients.
When Unix Kerberos security is enabled for NFSv4, the following entries are automatically
added to the NFS Access settings for each NFS-enabled share:
gss/krb5(rw,insecure,async,root_squash,no_all_squash)
gss/krb5i(rw,insecure,async,root_squash,no_all_squash)
gss/krb5p(rw,insecure,async,root_squash,no_all_squash)
These give read-write access to Kerberos-authenticated NFSv4 users connecting via:
• Standard Kerberos (
• Kerberos with data integrity checksumming (
• Kerberos with protection/encryption (
These entries can be independently removed, added, and modified on each NFS-enabled
share.
Using the Add Host Controls. Follow these steps:
1. Select one of the following options:
• SnapServer Default Options – Inserts the default options as described above
• Read Only – Inserts the read only option only
• Both – Inserts default options, but substitutes read only for read/write
2. Do one of the following in the NFS host text box:
• To apply the options to all NFS hosts – Leave this field blank
• To apply the options to specific hosts – Enter one or more IP addresses.
3. Click Add Host.
10400317-001 10/2011
Meaning
no_root_squash means that if root is logged in on your second
machine, it will have root privileges over the exported filesystem. By
default, any file request made by user root on the client machine is
treated as if it is made by user nobody on the server. (Exactly which
UID the request is mapped to depends on the UID of user nobody on
the server, not the client.) If no_root_squash is selected, then root on
the client machine will have the same level of access to the files on
the system as root on the server. This can have serious security
implications, although it may be necessary if you want to perform any
administrative work on the client machine that involves the exported
directories. You should not specify this option without a good reason.
Tells a client machine that a file write is complete – that is, has been
written to stable storage – when NFS has finished handing the write
over to the filesystem.
Allows non-root users to access the nfs export with their own
privileges.
)
gss/krb5
gss/krb5p
©2010-11 Overland Storage, Inc.
7 – Security Options
7-17) or via Kerberos.
)
gss/krb5i
).
"The
7-18