Date: Wed, 27 Mar 2024 01:03:50 +0100 From: Andreas Kempe <kempe@lysator.liu.se> To: freebsd-fs@freebsd.org Subject: Kerberised NFSv4 - everyone gets mapped to nobody on file access Message-ID: <ZgNiZsYl6D-GnRwI@shipon.lysator.liu.se>
next in thread | raw e-mail | index | archive | help
Hello everyone, I have a bit of a head scratcher and need some help. I've configured a Linux NFS server running on Rocky Linux 8, kernel version 6.8, to act as a kerberised NFSv4 server. The server has the following export line /tank/beta-testing *.lysator.liu.se(rw,sync,no_wdelay,sec=krb5:krb5p,no_root_squash) and I can mount the export fine using both krb5 and krb5p. idmap is running on the Linux server/clients while nfsuserd is running on the FreeBSD client. I'm using host credentials for the mounts and not user credentials. I can mount the share on my Linux clients and everything works as expected. On my FreeBSD clients, I have the issue that all users on the client seem to get mapped to nobody when accessing files. Doing a directory listing shows correct owners kempe@claptrap /mnt> ls -l /mp/diskus/ total 92 drwxr-xr-x 2 aoh aoh 2 feb. 18 22:35 aoh/ drwxr-xr-x 195 hx hx 516 juli 1 2018 hx/ drwx------ 3 kempe kempe 3 mars 27 00:45 kempe/ drwxr-xr-x 104 octol lysator 213 maj 6 2022 octol/ and I can see that nfsuserd has loaded the info into the kernel 15 Mar 26 23:35:40 claptrap nfsuserd:[3097]: Added uid=31490 name=kempe 16 Mar 26 23:35:40 claptrap nfsuserd:[3096]: Added uid=31490 name=kempe but if I try to enter the kempe directory, I get a permission denied kempe@claptrap /mnt> cd /mp/diskus/kempe cd: Permission denied: '/mp/diskus/kempe' changing permissions on the kempe directory to 777, I can enter it and create a file kempe@claptrap /mnt> cd /mp/diskus/kempe kempe@claptrap /m/d/kempe> touch testfile kempe@claptrap /m/d/kempe> ls -l total 10 drwxr-xr-x 5 kempe kempe 88 feb. 19 13:33 bonnie++-2.00a/ -rw-r--r-- 1 nobody nobody 0 mars 27 00:54 testfile but the file is owned by nobody instead of my user kempe. User credentials are stored in LDAP and resolved through nslcd. I have tried searching, but this is a difficult one to search for as most hits relate to everything being owned by nobody on account of idmapd/nfsuserd not running. Has anyone seen anything like this or do you have any good suggestions on where to start looking? Best regards, Andreas Kempe
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ZgNiZsYl6D-GnRwI>