On Tue, Oct 13, 2009 at 05:23:16PM +0100, Darren J Moffat wrote:
> Nicolas Williams wrote:
> >On Tue, Oct 13, 2009 at 09:26:16AM +0100, Darren J Moffat wrote:
> >>>Specifically it may cause non-deterministic behavior. Sorting the group
> >>>list will cause deterministic behavior, but that is probably worse.
> >>>Ideally we could just wave our hands and make AUTH_SYS go away. But we
> >>>can't. What we can do though is this: the NFS server could look up the
> >>>group memberships of the UID asserted by an AUTH_SYS client.
> >>That would actually help in a few edge case configs even when the group
> >>list is less than 16. Having AUTH_SYS just ignore the supplementary
> >>groups all together and collect them itself would be useful - but likely
> >>a performance impact since now we need a nameservice lookup.
> >
> >There'd be a cache, to avoid having to do these lookups too frequently,
> >and we already do them for secure NFS anyways.
>
> Of course, but my concern was making AUTH_SYS (the default) slower in
> the default case.

If the client asserts fewer than 16 supplementary groups, then the server could skip that lookup. But yes, there'd be cases where the initial AUTH_SYS use would be slower. This feature could be optional, and default to off if that perf issue really matters.
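
The following sketch is an added example, not part of the original message and not code from any NFS server. It models the proposal discussed in the thread: the server resolves group membership for the asserted UID itself, caches the result, and skips the lookup when the client asserts fewer than 16 groups. `GroupResolver`, `may_access`, the TTL and the `NAME_SERVICE` table are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

AUTH_SYS_MAX_GIDS = 16  # supplementary group limit discussed in the thread

# Constructed name-service data: uid -> full supplementary group list.
NAME_SERVICE = {1001: list(range(100, 120)),  # member of 20 groups
                1002: [100, 101]}


@dataclass
class GroupResolver:
    """Hypothetical server-side resolver for AUTH_SYS credentials."""
    ttl: float = 300.0      # assumed cache lifetime in seconds
    enabled: bool = True    # the thread suggests this could default to off
    lookups: int = 0        # counts name-service round trips
    _cache: dict = field(default_factory=dict)

    def _lookup(self, uid, now):
        hit = self._cache.get(uid)
        if hit and now - hit[0] < self.ttl:
            return hit[1]   # fresh cache entry, no name-service call
        self.lookups += 1
        gids = frozenset(NAME_SERVICE.get(uid, ()))  # unknown uid: no groups
        self._cache[uid] = (now, gids)
        return gids

    def effective_gids(self, uid, asserted, now=None):
        asserted = frozenset(asserted[:AUTH_SYS_MAX_GIDS])
        # Fewer than 16 asserted groups: skip the lookup, as the reply proposes.
        if not self.enabled or len(asserted) < AUTH_SYS_MAX_GIDS:
            return asserted
        return self._lookup(uid, time.monotonic() if now is None else now)


def may_access(resolver, uid, asserted, file_gid, now=None):
    """Group-permission check against the server's view of the caller."""
    return file_gid in resolver.effective_gids(uid, asserted, now)
```

With the feature off, a user in 20 groups whose client sends only the first 16 is denied access through the remaining four; with it on, the first request pays for one name-service lookup and later requests within the TTL are served from the cache.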