From: Rick Macklem
To: John Newman, "freebsd-stable@freebsd.org"
CC: "rmacklem@FreeBSD.org"
Subject: Re: FreeBSD 11.2-RELEASE - mountd problem - mountd[1056]: unknown user: root
Date: Wed, 25 Jul 2018 21:42:55 +0000
In-Reply-To: <20180725134042.63iwuoxbdapuqmce@synfin.org>

John Newman wrote:
>I'm having a problem with one of my FreeBSD NFS servers. It's an
>11.2-RELEASE box (upgraded fairly recently from 10.1), and actually
>we had the same issue even when it was on 10.x.
>
>Basically, what is happening is several of my NFS exports that are
>configured with "-maproot=root" (and they are actually ZFS NFS
>exports, in /etc/zfs/exports, configured with the 'zfs set
>sharenfs="..."' command - if that matters, which I don't think it
>does) are generating the following error messages when the machine
>first boots up -
>
>Jul X 15:19:58 nfs5 mountd[1094]: unknown user: root
>Jul X 15:19:58 nfs5 mountd[1094]: message repeated 14 times: [ unknown
>user: root]

This means that getpwnam() for "root" is failing. When an error is logged as
above, the export line has failed and the export hasn't happened.
(Apparently, this gets "fixed" after you have booted, since it can getpwnam()
for "root" when you send mountd a SIGHUP.)

A couple of possible ways to fix this...
- Have a local password file on the server with "root" in it and edit your
  /etc/nsswitch.conf so it looks there first. "passwd: file ..." or something
  like that.
- Replace "root" with 0,0 on the exports line(s). I haven't done this recently,
  so I don't remember the exact syntax.;-)

>To fix the issue, I simply HUP the mountd process. Until I HUP the
>mountd process, none of the clients that depend on being able to
>write to their NFS shares as root work properly - they are read-only.
>As soon as I HUP mountd, the issue goes away, no more "unknown user:
>root" errors, and the mounts become writable for their clients.
>
>I think this is tied into the fact this box uses sssd for LDAP
>authentication, because I don't see this issue on another 11.2
>machine configured very similarly that isn't using sssd. The LDAP
>authentication works fine, the relevant lines in /etc/nsswitch.conf
>look like -
>
>$ grep sss /etc/nsswitch.conf
>group: sss files
>passwd: sss files

I'd suggest you change these to...
group: files sss
passwd: files sss
and just have the minimum in /etc/passwd and /etc/group to make booting happy.

>It feels like this may be some sort of ordering issue with the start
>up scripts - mountd running before sssd is running? But why doesn't
>it fall back to "files" and find root that way? We do *not* have a
>root user in our ldap directory anyway. Someone on IRC has suggested
>that I should swap the "sss files" to "files sss", but I'm not sure
>if this would help or not... For now, I simply added the following
>work-around to my /etc/rc.local:
>
>    kill -s HUP `cat /var/run/mountd.pid`

That works too. I don't know anything about the libc stuff behind getpwnam(),
so I don't know why it fails at boot, but works later.
(I always put the critical stuff in local files on servers and specify "files"
first.)

Maybe someone else can explain why the ldap case would fail?

rick
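
A boot-time check for the two conditions discussed in this thread, as an added example that is not part of the original message: it reports when `passwd`/`group` in nsswitch.conf consult a non-local source first, and when a name used with `-maproot=` has no entry in the local password file. The function names are illustrative; treating `compat` as a local source, also covering `-mapall=`, and reading a flat passwd-format file as a stand-in for the local user database are assumptions of the example.

```shell
# Added example, not from the thread; paths are arguments so it runs on copies.

# Print the first source listed for database $2 in nsswitch file $1.
first_nss_source() {
    awk -v db="$2:" '$1 == db { print $2; exit }' "$1"
}

# Print unique non-numeric user names used with -maproot=/-mapall= in the
# given exports files (comments stripped; "user:group..." cut at the colon).
maproot_names() {
    sed 's/#.*//' "$@" | grep -oE -- '-(maproot|mapall)=[^[:space:]:]+' |
        cut -d= -f2 | grep -vE '^[0-9]+$' | sort -u
}

# Succeed if user $2 has an entry in flat passwd-format file $1.
local_user_exists() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# check_boot_exports NSSWITCH PASSWD EXPORTS... : prints findings, returns count.
check_boot_exports() {
    nss=$1 pw=$2 problems=0
    shift 2
    for db in passwd group; do
        src=$(first_nss_source "$nss" "$db")
        case $src in
            files|compat) ;;   # local lookup first: usable before sssd is up
            *) echo "nsswitch: $db consults '$src' before local files"
               problems=$((problems + 1)) ;;
        esac
    done
    for name in $(maproot_names "$@"); do
        local_user_exists "$pw" "$name" && continue
        echo "exports: '$name' has no entry in $pw"
        problems=$((problems + 1))
    done
    return "$problems"
}

# Constructed sample mirroring the thread's setup ("sss files", -maproot=root).
demo() {
    d=$(mktemp -d) || return 0
    printf 'group: sss files\npasswd: sss files\n' > "$d/nsswitch.conf"
    printf 'root:*:0:0:Charlie &:/root:/bin/csh\n' > "$d/passwd"
    printf '/tank/home\t-maproot=root 192.0.2.10\n' > "$d/exports"
    check_boot_exports "$d/nsswitch.conf" "$d/passwd" "$d/exports" || true
    rm -rf "$d"
}
demo
```

On a real server it would be called as `check_boot_exports /etc/nsswitch.conf /etc/passwd /etc/exports /etc/zfs/exports`; a non-zero status means an export could be skipped at boot for the reason described above.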