nfsserver: Fix handling of SP4_NONE

For NFSv4.1/4.2, when the client specifies SP4_NONE for
state protection in the ExchangeID operation arguments,
the server MUST allow the state management operations for
any user credentials.  (I misread the RFC and thought that
SP4_NONE meant "at the server's discretion" and not MUST
be allowed.)

This means that the "sec=XXX" field of the "V4:" exports(5)
line only applies to NFSv4.0.

This patch fixes the server to always allow state management
operations for SP4_NONE, which is the only state management
option currently supported. (I have patches that add support
for SP4_MACH_CRED to the server. These will be in a future commit.)

In practice, this bug does not seem to have caused
interoperability problems.

MFC after:	2 weeks
Rick Macklem 2023-01-15 14:07:40 -08:00
parent f97a19ecb9
commit 5a0050e68a
2 changed files with 14 additions and 1 deletions

@ -5867,12 +5867,17 @@ nfsrv_throwawayopens(NFSPROC_T *p)
/*
* This function checks to see if the credentials are the same.
* Returns 1 for not same, 0 otherwise.
* The check for same credentials is needed for state management operations
* for NFSv4.0 where 1 is returned if not same, 0 is returned otherwise.
*/
static int
nfsrv_notsamecredname(struct nfsrv_descript *nd, struct nfsclient *clp)
{
/* For NFSv4.1/4.2, SP4_NONE always allows this. */
if ((nd->nd_flag & ND_NFSV41) != 0)
return (0);
if (nd->nd_flag & ND_GSS) {
if (!(clp->lc_flags & LCL_GSS))
return (1);
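
Review bot: the early return at the top of nfsrv_notsamecredname() tests only ND_NFSV41, which is the protocol minor version, not the state protection the client asked for in ExchangeID. The two are equivalent today because, per the commit message, SP4_NONE is the only option the server supports, but once SP4_MACH_CRED support is added this unconditional "return (0);" would also skip the credential comparison for clients that negotiated it. Either say so in the comment (for example, that the test must be revisited when SP4_MACH_CRED is supported) or key the test on a per-client record of the negotiated protection. Minor: the header comment now states the return convention twice ("Returns 1 for not same, 0 otherwise." and "1 is returned if not same, 0 is returned otherwise"); fold them into one sentence.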

@ -2121,6 +2121,14 @@ nfsd_checkrootexp(struct nfsrv_descript *nd)
if (nfs_rootfhset == 0)
return (NFSERR_AUTHERR | AUTH_FAILED);
/*
* For NFSv4.1/4.2, if the client specifies SP4_NONE, then these
* operations are allowed regardless of the value of the "sec=XXX"
* field in the V4: exports line.
* As such, these Kerberos checks only apply to NFSv4.0 mounts.
*/
if ((nd->nd_flag & ND_NFSV41) != 0)
goto checktls;
if ((nd->nd_flag & (ND_GSS | ND_EXAUTHSYS)) == ND_EXAUTHSYS)
goto checktls;
if ((nd->nd_flag & (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY)) ==
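
Review bot: the new "goto checktls;" for ND_NFSV41 in nfsd_checkrootexp() makes the "sec=XXX" field of the V4: line a no-op for NFSv4.1/4.2 clients, and nothing in this change tells an administrator that: both hunks shown are C source, with no exports(5) update. An administrator who set a Kerberos-only sec= on the V4: line would reasonably expect it to keep gating these operations, so the manual page should state that the field applies to NFSv4.0 only. The jump targets the checktls label rather than returning, so whatever checks follow that label still run; the comment could say that explicitly. As in the other hunk, the test is on the minor version rather than on SP4_NONE itself, so it needs revisiting when another state protection mode is supported.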