[nfsv4] Why can't SECINFO return NFS4ERR_WRONGSEC?

Next message: Lisa Week: "Re: [nfsv4] NFSv4 ACLs: {READ,WRITE}_NAMED_ATTRIBUTES"
Previous message: Sam Falkner: "Re: [nfsv4] NFSv4 ACLs: {READ,WRITE}_NAMED_ATTRIBUTES"
Next in thread: Mike Eisler: "RE: [nfsv4] Why can't SECINFO return NFS4ERR_WRONGSEC?"
Maybe reply: Mike Eisler: "RE: [nfsv4] Why can't SECINFO return NFS4ERR_WRONGSEC?"

thomas@netapp.com

From: "Haynes, Tom" <thomas@netapp.com>
Message-Id: <200412162223.iBGMNnd26907@orbit-fe.eng.netapp.com>
Date: Thu, 16 Dec 2004 14:23:48 -0800 (PST)
Subject: [nfsv4] Why can't SECINFO return NFS4ERR_WRONGSEC?

DESCRIPTION

   The SECINFO operation is used by the client to obtain a list of valid
   RPC authentication flavors for a specific directory filehandle, file
   name pair.  SECINFO should apply the same access methodology used for
   LOOKUP when evaluating the name.  Therefore, if the requester does
   not have the appropriate access to LOOKUP the name then SECINFO must
   behave the same way and return NFS4ERR_ACCESS.

If a client sends a SECINFO request for a file handle and the underlying
security flavor for the request does not meet the exported flavors,
then the only option is to return NFS4ERR_ACCESS instead of 
NFS4ERR_WRONGSEC.

But, this is incomplete information.  The issue wasn't that the client
could not get access, just that we could not determine it with the
current flavor.  Or do client implementations, when they get NFS4ERR_ACCESS
on SECINFO, then start trying other underlying security flavors?

A forgiving server could say, ahh, what the hey, here is the SECINFO.
But, I take *must* as saying the server can not be forgiving.

-- 
Tom Haynes, ex-cfb
thomas@netapp.com

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4