diff -puN support/export/client.c~pseudoflavor-clients support/export/client.c
--- nfs-utils-1.0.5/support/export/client.c~pseudoflavor-clients	2003-08-06 17:17:20.000000000 -0400
+++ nfs-utils-1.0.5-bfields/support/export/client.c	2003-08-06 17:17:20.000000000 -0400
@@ -392,6 +392,8 @@ client_check(nfs_client *clp, struct hos
 #endif
 	case MCL_ANONYMOUS:
 		return 1;
+	case MCL_GSS:
+		return 0;
 	default:
 		xlog(L_FATAL, "internal: bad client type %d", clp->m_type);
 	}
@@ -425,6 +427,8 @@ client_gettype(char *ident)
 
 	if (ident[0] == '\0' || strcmp(ident, "*")==0)
 		return MCL_ANONYMOUS;
+	if (strncmp(ident, "gss/", 4) == 0)
+		return MCL_GSS;
 	if (ident[0] == '@') {
 #ifndef HAVE_INNETGR
 		xlog(L_WARNING, "netgroup support not compiled in");
diff -puN support/export/nfsctl.c~pseudoflavor-clients support/export/nfsctl.c
--- nfs-utils-1.0.5/support/export/nfsctl.c~pseudoflavor-clients	2003-08-06 17:17:20.000000000 -0400
+++ nfs-utils-1.0.5-bfields/support/export/nfsctl.c	2003-08-06 17:17:20.000000000 -0400
@@ -27,7 +27,7 @@ export_export(nfs_export *exp)
 	struct nfsctl_export	exparg;
 	struct nfsctl_client	cltarg;
 
-	if (!clp->m_exported) {
+	if (!clp->m_exported && (clp->m_type != MCL_GSS)) {
 		if (!cltsetup(&cltarg, clp))
 			return 0;
 		if (nfsaddclient(&cltarg) < 0)
diff -puN support/include/exportfs.h~pseudoflavor-clients support/include/exportfs.h
--- nfs-utils-1.0.5/support/include/exportfs.h~pseudoflavor-clients	2003-08-06 17:17:20.000000000 -0400
+++ nfs-utils-1.0.5-bfields/support/include/exportfs.h	2003-08-06 17:17:20.000000000 -0400
@@ -19,6 +19,7 @@ enum {
 	MCL_WILDCARD,
 	MCL_NETGROUP,
 	MCL_ANONYMOUS,
+	MCL_GSS,
 	MCL_MAXTYPES
 };
 
diff -puN utils/exportfs/exportfs.c~pseudoflavor-clients utils/exportfs/exportfs.c
--- nfs-utils-1.0.5/utils/exportfs/exportfs.c~pseudoflavor-clients	2003-08-06 17:17:20.000000000 -0400
+++ nfs-utils-1.0.5-bfields/utils/exportfs/exportfs.c	2003-08-06 17:21:57.000000000 -0400
@@ -145,10 +145,43 @@ main(int argc, char **argv)
 	return export_errno;
 }
 
+static void
+exports_update_one(nfs_export *exp, int verbose)
+{
+		/* check mountpoint option */
+	if (exp->m_mayexport && 
+	    exp->m_export.e_mountpoint &&
+	    !is_mountpoint(exp->m_export.e_mountpoint[0]?
+			   exp->m_export.e_mountpoint:
+			   exp->m_export.e_path)) {
+		printf("%s not exported as %s not a mountpoint.\n",
+		       exp->m_export.e_path, exp->m_export.e_mountpoint);
+		exp->m_mayexport = 0;
+	}
+	if (exp->m_mayexport && ((exp->m_exported<1) || exp->m_changed)) {
+		if (verbose)
+			printf("%sexporting %s:%s to kernel\n",
+			       exp->m_exported ?"re":"",
+			       exp->m_client->m_hostname,
+			       exp->m_export.e_path);
+		if (!export_export(exp))
+			error(exp, errno);
+	}
+	if (exp->m_exported && ! exp->m_mayexport) {
+		if (verbose)
+			printf("unexporting %s:%s from kernel\n",
+			       exp->m_client->m_hostname,
+			       exp->m_export.e_path);
+		if (!export_unexport(exp))
+			error(exp, errno);
+	}
+}
+
+
 /* we synchronise intention with reality.
  * entries with m_mayexport get exported
  * entries with m_exported but not m_mayexport get unexported
- * looking at m_client->m_type == MCL_FQDN only
+ * looking at m_client->m_type == MCL_FQDN and m_client->m_type == MCL_GSS only
  */
 static void
 exports_update(int verbose)
@@ -156,33 +189,10 @@ exports_update(int verbose)
 	nfs_export 	*exp;
 
 	for (exp = exportlist[MCL_FQDN]; exp; exp=exp->m_next) {
-		/* check mountpoint option */
-		if (exp->m_mayexport && 
-		    exp->m_export.e_mountpoint &&
-		    !is_mountpoint(exp->m_export.e_mountpoint[0]?
-				   exp->m_export.e_mountpoint:
-				   exp->m_export.e_path)) {
-			printf("%s not exported as %s not a mountpoint.\n",
-			       exp->m_export.e_path, exp->m_export.e_mountpoint);
-			exp->m_mayexport = 0;
-		}
-		if (exp->m_mayexport && ((exp->m_exported<1) || exp->m_changed)) {
-			if (verbose)
-				printf("%sexporting %s:%s to kernel\n",
-				       exp->m_exported ?"re":"",
-				       exp->m_client->m_hostname,
-				       exp->m_export.e_path);
-			if (!export_export(exp))
-				error(exp, errno);
-		}
-		if (exp->m_exported && ! exp->m_mayexport) {
-			if (verbose)
-				printf("unexporting %s:%s from kernel\n",
-				       exp->m_client->m_hostname,
-				       exp->m_export.e_path);
-			if (!export_unexport(exp))
-				error(exp, errno);
-		}
+		exports_update_one(exp, verbose);
+	}
+	for (exp = exportlist[MCL_GSS]; exp; exp=exp->m_next) {
+		exports_update_one(exp, verbose);
 	}
 }
 			
diff -puN utils/exportfs/exports.man~pseudoflavor-clients utils/exportfs/exports.man
--- nfs-utils-1.0.5/utils/exportfs/exports.man~pseudoflavor-clients	2003-08-06 17:17:20.000000000 -0400
+++ nfs-utils-1.0.5-bfields/utils/exportfs/exports.man	2003-08-06 17:17:20.000000000 -0400
@@ -79,6 +79,11 @@ may work by accident when reverse DNS lo
 '''.B \-\-public\-root
 '''option. Multiple specifications of a public root will be ignored.
 .PP
+.SS RPCSEC_GSS security
+To restrict access to an export using rpcsec_gss security, use the special
+string "gss/krb5" as the client.  It is not possible to simultaneously require
+rpcsec_gss and to make requirements on the IP address of the client.
+.PP
 .SS General Options
 .IR exportfs
 understands the following export options:

_