Bug 1327194

Summary: remove sec=sys from the "kerberized" export
Product: Red Hat Enterprise Linux 6
Component: doc-Identity_Management_Guide
Version: 6.7
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: unspecified
Reporter: ben haubeck <bhaubeck>
Assignee: Marc Muehlfeld <mmuehlfe>
QA Contact: Namita Soman <nsoman>
CC: mmuehlfe, rhel-docs
Target Milestone: rc
Keywords: Documentation, EasyFix
Hardware: All
OS: All
Doc Type: Bug Fix
Last Closed: 2016-05-11 07:08:40 UTC
Type: Bug

Description ben haubeck 2016-04-14 12:22:55 UTC
Document URL: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html

Section Number and Name: 
Chapter 18.3.1 Step 8 "Edit the /etc/exports file and add the Kerberos information:"

Describe the issue: 
In our documentation it describes how to export the export with sec=sys AND with sec=krb5[i|p], so it offers this for copy and paste:

/export  *(rw,sec=sys:krb5:krb5i:krb5p)

From my point of view this is bad, because it is not adding any security to your environment, as any not-so-kind user who is not voluntarily using Kerberos can mount the share with sec=sys, and as we put the star in front, nearly everyone can mount the share.
I agree that this will not be done by the automounting IPA clients that are configured according to our further documentation, but as I said: this leaves the door really wide open, AND there is no need for it.

Suggestions for improvement: 
Change it to:

/export  *(rw,sec=krb5:krb5i:krb5p)

Additional information:

Comment 3 Marc Muehlfeld 2016-04-20 13:30:04 UTC
I fixed the example.
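
An added example (not part of the original report or of the Red Hat guide): a small Python check that flags entries in exports-format text that accept a non-Kerberos security flavor, as the line quoted in the description does. It assumes the plain `client(options)` form and, per exports(5), treats a missing `sec=` as `sys`; the function names and the sample entries other than the reported line are constructed.

```python
import re

KERBEROS_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample; the first entry is the line quoted in the report.
SAMPLE = """\
# kerberized exports
/export  *(rw,sec=sys:krb5:krb5i:krb5p)
/export2 *(rw,sec=krb5:krb5i:krb5p)
/scratch 192.0.2.0/24(rw)
"""


def flavors(opts):
    """Return the security flavors an option string allows (default: sys)."""
    found = []
    for opt in opts.split(","):
        opt = opt.strip()
        if opt.startswith("sec="):
            found.extend(opt[4:].split(":"))
    return found or ["sys"]


def audit_exports(text):
    """Return (path, client, weak_flavors) for each client spec that
    accepts a flavor other than krb5, krb5i or krb5p.

    Only the `path client(options) ...` form is parsed; the `-options`
    default syntax is not interpreted and is reported conservatively.
    """
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\(([^)]*)\))?", spec)
            if not m:
                continue
            client, opts = m.group(1) or "*", m.group(2) or ""
            weak = [f for f in flavors(opts) if f not in KERBEROS_FLAVORS]
            if weak:
                findings.append((path, client, weak))
    return findings


if __name__ == "__main__":
    for path, client, weak in audit_exports(SAMPLE):
        print(f"{path} {client}: accepts {', '.join(weak)}")
```

To check a real server, pass the contents of /etc/exports to `audit_exports` instead of the sample.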