X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fexportfs%2Fexports.man;h=ea28ca883ba9ef28c5f5a2e4eeaec59e20d802fd;hp=41a5b16af64a1cd720e6ebaab79cfb88da756908;hb=e4719f90f77de2ea2c083cbc304b5cc7a7b516bd;hpb=c40336aa88c7a914227cc751118e165e985c2b78 diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index 41a5b16..ea28ca8 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -34,6 +34,8 @@ double quotes. You can also specify spaces or other unusual character in the export name using a backslash followed by the character code as three octal digits. .PP +To apply changes to this file, run exportfs \-ra or restart the NFS server. +.PP .SS Machine Name Formats NFS clients may be specified in a number of ways: .IP "single host 
@@ -84,9 +86,24 @@ may work by accident when reverse DNS lookups fail. '''option. Multiple specifications of a public root will be ignored. .PP .SS RPCSEC_GSS security -To restrict access to an export using rpcsec_gss security, use the special -string "gss/krb5" as the client. It is not possible to simultaneously require -rpcsec_gss and to make requirements on the IP address of the client. +You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p" +to restrict access to clients using rpcsec_gss security. However, this +syntax is deprecated; on linux kernels since 2.6.23, you should instead +use the "sec=" export option: +.TP +.IR sec= +The sec= option, followed by a colon-delimited list of security flavors, +restricts the export to clients using those flavors. Available security +flavors include sys (the default--no cryptographic security), krb5 +(authentication only), krb5i (integrity protection), and krb5p (privacy +protection). For the purposes of security flavor negotiation, order +counts: preferred flavors should be listed first. The order of the sec= +option with respect to the other options does not matter, unless you +want some options to be enforced differently depending on flavor. +In that case you may include multiple sec= options, and following options +will be enforced only for access using flavors listed in the immediately +preceding sec= option. The only options that are permitted to vary in +this way are ro, rw, no_root_squash, root_squash, and all_squash. .PP .SS General Options .IR exportfs @@ -122,7 +139,7 @@ storage (see above). In releases of nfs-utils up to and including 1.0.0, this option was the -default. In all subsequence releases, +default. In all releases after 1.0.0, .I sync is the default, and .I async 
@@ -439,7 +456,7 @@ is supposedly that of user joe). /projects proj*.local.domain(rw) /usr *.local.domain(ro) @trusted(rw) /home/joe pc001(rw,all_squash,anonuid=150,anongid=100) -/pub (ro,insecure,all_squash) +/pub *(ro,insecure,all_squash) /srv/www \-sync,rw server @trusted @external(ro) '''/pub/private (noaccess) .fi
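Review bot: In the first hunk (@@ -34,6 +34,8), the added sentence puts the command exportfs \-ra in plain roman text, while the surrounding page marks up names with font macros (.IR exportfs, .I sync). Mark the command up the same way so it stands out from the sentence. The sentence also offers "restart the NFS server" as an equal alternative without saying which one an administrator should prefer; a few words on that would help.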
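Review bot: In the RPCSEC_GSS hunk (@@ -84,9 +86,24), the removed sentence "It is not possible to simultaneously require rpcsec_gss and to make requirements on the IP address of the client" disappears without a replacement. The new text keeps the "gss/krb5" client strings as a deprecated form, so a reader still using them no longer learns about that limitation, and the text does not say whether sec= lifts it. State that explicitly: keep the caveat for the deprecated strings and say that sec= can be combined with a host or network client, if that is the case. Two smaller points: "linux kernels" should be "Linux kernels", and the per-flavor rule (options after a sec= apply only to the flavors in the immediately preceding sec=) is hard to follow from prose alone, so an entry in the EXAMPLE section using two sec= groups with different ro/rw settings would be worth adding in this patch.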
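Review bot: In the EXAMPLE hunk (@@ -439,7 +456,7), /pub now gets an explicit * client, but the context line '''/pub/private (noaccess) just below still uses the client-less form this change removes. Update or drop that line in the same patch so the examples are consistent. The commit would also benefit from a sentence in the example's description saying that * matches every host, since this entry combines it with insecure and is the most permissive export in the list.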