Robert Gordon wrote:
>> it seems to me that both the local zone and the global zone
>> should be able to export it (or not export it) independently.
>>
>> ed
>
> There may be a conflicting security requirement here. Let's say
> I'm SA of the zone and I have exported /export/foo with krb5i
> (since my foo really needs tight security :) ) to a limited
> set of clients. Then along comes Mr Global SA and exports it
> with auth_sys to any old nfs client..
>
> seems like that might be an issue?

Exactly why this should not be allowed. Only a single NFS server should ever be exporting a given local file system. Even if it isn't krb5 vs sys it could be two different krb5 realms and different NFSMAPID_DOMAINS.

It can be either the global or local zone but not both at the same time. If a zone has been delegated the ability to be an NFS server (which IMO should NOT be the default - just like today with IP stack instances) then the global zone must not be able to share out the zone's filesystems.

--
Darren J Moffat