Kerberized NFSv3 incorrect behavior

Rick Macklem rmacklem at
Sun Feb 7 22:22:58 UTC 2010

On Sat, 6 Feb 2010, George Mamalakis wrote:

> thank you for all your answers. I am planning on setting up the computer labs 
> of my department using kerberized nfsv3 (since v4 seems to be "more" 
> experimental) with a FreeBSD nfs server and Linux nfs clients. I was 
> wondering "how stable" such an implementation would be; meaning that I 
> wouldn't want to end up with an unstsable setup when receiving requests from 
> 50-60 simultaneous clients, because that would be my everyday scenario.

I believe that the above should be stable, but your mileage may vary, as
they say. The main issue will be what your TGT lifetime will be, since
client access to the server will normally stop when the TGT expires. Some
systems (Mac OS X) will automagically renew the TGT before it expires,
if your KDC allows that. I don't think most/all Linux systems do this
by default, but there are some utilities out there (try a search for 
krenew) that will do so.

Basically, I think you'll want to avoid TGTs expiring before the user
logs out. You also need a unique uid<->user principal mapping for all
users logging in.

You definitely want to do some testing with whatever Linux system you
are using for the client.

Good luck with it, rick
ps: Choosing nfsv3 vs nfsv4 is basically independent of using RPCSEC_GSS
     except for the host based initiator credential needed by some clients
     (Linux and Solaris10 are among those) for NFSv4.

More information about the freebsd-stable mailing list