From: Rick Macklem
Date: Tue, 26 Mar 2024 17:54:38 -0700
Subject: Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access
To: Andreas Kempe
Cc: freebsd-fs@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-fs

On Tue, Mar 26, 2024 at 5:33 PM Rick Macklem wrote:
>
> On Tue, Mar 26, 2024 at 5:04 PM Andreas Kempe wrote:
> >
> > Hello everyone,
> >
> > I have a bit of a head scratcher and need some help. I've configured a
> > Linux NFS server running on Rocky Linux 8, kernel version 6.8, to act
> > as a kerberised NFSv4 server.
> >
> > The server has the following export line
> >
> > /tank/beta-testing *.lysator.liu.se(rw,sync,no_wdelay,sec=krb5:krb5p,no_root_squash)
> >
> > and I can mount the export fine using both krb5 and krb5p. idmap is
> > running on the Linux server/clients while nfsuserd is running on the
> > FreeBSD client. I'm using host credentials for the mounts and not user
> > credentials.
> >
> > I can mount the share on my Linux clients and everything works as
> > expected.
> >
> > On my FreeBSD clients, I have the issue that all users on the client
> > seem to get mapped to nobody when accessing files. Doing a directory
> > listing shows correct owners
> >
> > kempe@claptrap /mnt> ls -l /mp/diskus/
> > total 92
> > drwxr-xr-x   2 aoh    aoh       2 feb. 18 22:35 aoh/
> > drwxr-xr-x 195 hx     hx      516 juli  1  2018 hx/
> > drwx------   3 kempe  kempe     3 mars 27 00:45 kempe/
> > drwxr-xr-x 104 octol  lysator 213 maj   6  2022 octol/
> >
> > and I can see that nfsuserd has loaded the info into the kernel
> >
> > 15 Mar 26 23:35:40 claptrap nfsuserd:[3097]: Added uid=31490 name=kempe
> > 16 Mar 26 23:35:40 claptrap nfsuserd:[3096]: Added uid=31490 name=kempe
> >
> > but if I try to enter the kempe directory, I get a permission denied
> >
> > kempe@claptrap /mnt> cd /mp/diskus/kempe
> > cd: Permission denied: '/mp/diskus/kempe'
> >
> > changing permissions on the kempe directory to 777, I can enter it and
> > create a file
> >
> > kempe@claptrap /mnt> cd /mp/diskus/kempe
> > kempe@claptrap /m/d/kempe> touch testfile
> > kempe@claptrap /m/d/kempe> ls -l
> > total 10
> > drwxr-xr-x 5 kempe  kempe  88 feb. 19 13:33 bonnie++-2.00a/
> > -rw-r--r-- 1 nobody nobody  0 mars 27 00:54 testfile
> >
> > but the file is owned by nobody instead of my user kempe.
> >
> > User credentials are stored in LDAP and resolved through nslcd.
> >
> > I have tried searching, but this is a difficult one to search for as
> > most hits relate to everything being owned by nobody on account of
> > idmapd/nfsuserd not running.
> >
> > Has anyone seen anything like this or do you have any good suggestions
> > on where to start looking?
> Take a look at a packet capture in wireshark.
> Check that the @domain part of Owner and Owner_group attributes are
> the same and it is not a string of digits.
Oh, and just fyi, you can use tcpdump to capture the packets, something like:

# tcpdump -s 0 -w out.pcap host

and then you can look at out.pcap wherever it is convenient to install
wireshark. (I run it on this windows laptop.)
Don't bother to try and look at NFS with tcpdump. It doesn't know how
to decode it.

rick

> If the domain is not the same, you can use the -domain command line option
> on nfsuserd to set it.
> (Since this "domain" is underdefined, I'd suggest only ascii characters and
> all alphabetics in lower case.)
> If the client sends a string of digits, check to make sure the sysctl
> vfs.nfs.enable_uidtostring is set to 0.
>
> rick
>
> >
> > Best regards,
> > Andreas Kempe
> >
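As an added illustration, not part of the thread, here is a small Python checker for the diagnosis Rick describes: given the Owner/Owner_group strings pulled out of a capture, it reports whether each one has an @domain part, whether that domain matches the domain the client's nfsuserd uses (exactly, or only up to case), and whether the client sent a bare string of digits. The sample strings and the assumed nfsuserd domain `lysator.liu.se` are constructed for the example.

```python
import re

# Verdicts for one NFSv4 Owner / Owner_group attribute string, following the
# thread: the part after '@' must match the domain the client's nfsuserd uses,
# and the string must not be a bare uid/gid number.
OK = "ok"
NUMERIC = "numeric"              # bare digits: check vfs.nfs.enable_uidtostring
NO_DOMAIN = "no-domain"          # no '@' at all
CASE_MISMATCH = "case-mismatch"  # same domain, different case (domain is underdefined)
MISMATCH = "domain-mismatch"     # different domain: the owner is unknown, hence nobody

_DIGITS = re.compile(r"^[0-9]+$")


def classify_owner(attr: str, client_domain: str) -> str:
    """Classify a single owner string against the client's nfsuserd domain."""
    if _DIGITS.match(attr):
        return NUMERIC
    if "@" not in attr:
        return NO_DOMAIN
    _name, _, domain = attr.rpartition("@")
    if domain == client_domain:
        return OK
    if domain.lower() == client_domain.lower():
        return CASE_MISMATCH
    return MISMATCH


def check_capture(attrs, client_domain):
    """Return ({attr: verdict}, set of distinct domains seen).

    A healthy client/server pair shows exactly one domain in the second item."""
    results = {a: classify_owner(a, client_domain) for a in attrs}
    domains = {a.rpartition("@")[2] for a in attrs if "@" in a}
    return results, domains


# Constructed sample of owner strings a capture might show (not real data).
SAMPLE = [
    "kempe@lysator.liu.se",   # server reply to GETATTR: matches the client
    "kempe@LYSATOR.LIU.SE",   # same domain, upper case
    "31490",                  # client sent a uid instead of user@domain
    "kempe@localdomain",      # client and server disagree on the domain
]
CLIENT_DOMAIN = "lysator.liu.se"  # assumed value of nfsuserd's -domain

if __name__ == "__main__":
    res, doms = check_capture(SAMPLE, CLIENT_DOMAIN)
    for attr, verdict in res.items():
        print(f"{attr:24s} {verdict}")
    print("distinct domains:", sorted(doms))
```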