Coda File System

Re: Advice wanted on nfs-mounting coda volumes

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Sat, 24 Jul 1999 14:17:40 -0400

On Sat, Jul 24, 1999 at 02:30:39PM +0100, Nix wrote:
> Yes, this subject is seriously meant :)
> 
> I would like to install coda on this site (and have a test installation
> running OK) and I'd like to move some stuff that other people can see
> over to coda.
> 
> Problem: a couple of machines don't have remotely enough physical memory 
> to run the client (8Mb max, and they've got to run other things in there 
> too). So I thought of NFS-exporting /coda from one of the coda boxes to
> the small boxes.
> 
> Nice idea, but unfortunately the Linux nfsd does, er, evil tricks, like
> using setfsuid() to transform itself into other users, and so forth.

Hi,

That is not a problem, because Coda already uses the fsuid to determine
which user is accessing the filesystem. We needed that for exporting
/coda with, for instance, Samba.

> Effectively, the nfsd will need the ability to become any user at any
> time, and will need to hold all tokens :( or so it seems to me.

An nfs-client user needs some way of obtaining a token for his uid on the
nfs-server/coda-client. They are kept around by the coda-client. So the
nfs daemon doesn't need to know about it.

> Am I missing something? Is there a way to do this? Is anyone doing it?

I did it with the userspace nfsd, the only funny thing was that at first
it didn't want to export any network-filesystem. However, if you add the
--re-export flag to nfsd it will be able to export filesystems like /coda.

> (If not it probably means `no coda here', which is a bit of a bugger,
> because it looks superb, if you ignore the blasted separate-from-Unix
> authentication system...)

Well, the authentication system currently isn't even separated enough to
allow for sharing volumes between administrative cells. For that we need
to add at least uid mappings, and a way of validating authentication
tokens that have been generated in a different domain.

The Unix authentication system really only works well on a single
machine, or a tightly controlled network. But as soon as you scale up
to a distributed network with multiple administrative authorities it
doesn't work that well anymore.

Jan
Received on 1999-07-24 14:18:15
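
The fsuid mechanism discussed in this message, as an added example that is not part of the original mail or of Coda or nfsd: a Linux-only sketch of how a file-serving daemon takes on a user's filesystem identity for one request with setfsuid() and confirms the switch took effect, since the call itself reports no error. The helper names `current_fsuid` and `open_as_user` are hypothetical.

```c
/* Added example (Linux-only): per-request identity switch with setfsuid(). */
#include <sys/fsuid.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* setfsuid() has no error return. Passing -1 never changes anything and
 * returns the current fsuid, so it doubles as a query. */
static uid_t current_fsuid(void)
{
    return (uid_t)setfsuid((uid_t)-1);
}

/* Hypothetical helper: open `path` read-only under the filesystem identity
 * of `uid`, then restore the previous fsuid.
 * Returns  0 if the open succeeded,
 *         -1 if the open was refused or the path does not exist,
 *         -2 if the switch did not take effect (no access is attempted),
 *         -3 if the previous identity could not be restored. */
int open_as_user(uid_t uid, const char *path)
{
    uid_t saved = current_fsuid();

    setfsuid(uid);
    if (current_fsuid() != uid)
        return -2;   /* silently refused: caller lacks CAP_SETUID */

    /* Permission checks for this open() use the fsuid, not the euid. */
    int fd = open(path, O_RDONLY);
    int result = (fd >= 0) ? 0 : -1;
    if (fd >= 0)
        close(fd);

    setfsuid(saved);
    if (current_fsuid() != saved)
        return -3;   /* never continue serving under the wrong identity */
    return result;
}

int main(void)
{
    /* Switching to our own uid is always permitted, so this runs unprivileged. */
    printf("open as uid %d: %d\n", (int)geteuid(), open_as_user(geteuid(), "/"));
    return 0;
}
```
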