A NFS server exports :

/export/home    computers
/export/cont1   computers

On the filesystem, there are these permissions :

$ ls -al /export/cont1
drwxr-x--- 6 root     group1  4096 2010-05-04 10:57 .
drwxrwxrwx 5 root     root    4096 2010-05-07 14:52 ..
drwxrwxrwx 2 root     root    4096 2010-05-06 20:33 .snapshot
drwxr-xr-x 2 user1    group1  4096 2010-05-04 10:57 user1
drwxr-xr-x 2 user2    group1  4096 2010-05-04 10:57 user2
drwxr-xr-x 2 user3    group1  4096 2010-05-04 10:57 user3

So that user4, which is in not in the group1 can't access this directory and its subdirectories.

Now, on its client machine, this user can do :

$ sudo mount server:/export/cont1/user3 /mnt/temp

and then access the directory without permissions on /export/cont1 :

$ id
uid=7943(user4) gid=7943(user4) groupes=1189(group4)
$ ls -al /mnt/temp/
drwxr-xr-x 3 user3    group1  4096 2010-05-04 10:57 .
drwxr-xr-x 7 root     root    4096 2010-05-04 11:02 ..
-rw-r--r-- 1 user3    group1     6 2010-05-04 10:56 README

Is there a way to apply /export/cont1 permissions even if it is not mounted ? The goal is to enable users to mount /home/user3 and only access it if they can access /export/cont1 on the nfs server.

Said in another way : how can I allow a machine to mount /export/cont1/user3 and still don't allow user4 to access it.

Maybe NFSv4 and Kerberos can help ?