Date: Tue, 26 Mar 2024 17:54:38 -0700 From: Rick Macklem <rick.macklem@gmail.com> To: Andreas Kempe <kempe@lysator.liu.se> Cc: freebsd-fs@freebsd.org Subject: Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access Message-ID: <CAM5tNy7YM6bRKTX3pLR8hC-a-cmxXA=wv4j0E8cBWGthbxzLdQ@mail.gmail.com> In-Reply-To: <CAM5tNy53suTizsOmsKvN9Zrd6LciAFrS3PEctUJjK%2BHH9QcMrw@mail.gmail.com> References: <ZgNiZsYl6D-GnRwI@shipon.lysator.liu.se> <CAM5tNy53suTizsOmsKvN9Zrd6LciAFrS3PEctUJjK%2BHH9QcMrw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Mar 26, 2024 at 5:33=E2=80=AFPM Rick Macklem <rick.macklem@gmail.co= m> wrote: > > On Tue, Mar 26, 2024 at 5:04=E2=80=AFPM Andreas Kempe <kempe@lysator.liu.= se> wrote: > > > > Hello everyone, > > > > I have a bit of a head scratcher and need some help. I've configured a > > Linux NFS server running on Rocky Linux 8, kernel version 6.8, to act > > as a kerberised NFSv4 server. > > > > The server has the following export line > > > > /tank/beta-testing *.lysator.liu.se(rw,sync,no_wdelay,sec=3Dkrb= 5:krb5p,no_root_squash) > > > > and I can mount the export fine using both krb5 and krb5p. idmap is > > running on the Linux server/clients while nfsuserd is running on the > > FreeBSD client. I'm using host credentials for the mounts and not user > > credentials. > > > > I can mount the share on my Linux clients and everything works as > > expected. > > > > On my FreeBSD clients, I have the issue that all users on the client > > seem to get mapped to nobody when accessing files. Doing a directory > > listing shows correct owners > > > > kempe@claptrap /mnt> ls -l /mp/diskus/ > > total 92 > > drwxr-xr-x 2 aoh aoh 2 feb. 18 22:35 aoh/ > > drwxr-xr-x 195 hx hx 516 juli 1 2018 hx/ > > drwx------ 3 kempe kempe 3 mars 27 00:45 kempe/ > > drwxr-xr-x 104 octol lysator 213 maj 6 2022 octol/ > > > > and I can see that nfsuserd has loaded the info into the kernel > > > > 15 Mar 26 23:35:40 claptrap nfsuserd:[3097]: Added uid=3D31490 name= =3Dkempe > > 16 Mar 26 23:35:40 claptrap nfsuserd:[3096]: Added uid=3D31490 name= =3Dkempe > > > > but if I try to enter the kempe directory, I get a permission denied > > > > kempe@claptrap /mnt> cd /mp/diskus/kempe > > cd: Permission denied: '/mp/diskus/kempe' > > > > changing permissions on the kempe directory to 777, I can enter it and > > create a file > > > > kempe@claptrap /mnt> cd /mp/diskus/kempe > > kempe@claptrap /m/d/kempe> touch testfile > > kempe@claptrap /m/d/kempe> ls -l > > total 10 > > drwxr-xr-x 5 kempe kempe 88 feb. 19 13:33 bonnie++-2.00a/ > > -rw-r--r-- 1 nobody nobody 0 mars 27 00:54 testfile > > > > but the file is owned by nobody instead of my user kempe. > > > > User credentials are stored in LDAP and resolved through nslcd. > > > > I have tried searching, but this is a difficult one to search for as > > most hits relate to everything being owned by nobody on account of > > idmapd/nfsuserd not running. > > > > Has anyone seen anything like this or do you have any good suggestions > > on where to start looking? > Take a look at a packet capture in wireshark. > Check that the @domain part of Owner and Owner_group attributes are > the same and it is not a string of digits. Oh, and just fyi, you can use tcpdump to capture the packets, something lik= e: # tcpdump -s 0 -w out.pcap host <nfs-server> and then you can look at out.pcap whereever it is convenient to install wireshark. (I run it on this windows laptop.) Don't bother to try and look at NFS with tcpdump. It doesn't know how to decode it. rick > If the domain is not the same, you can use the -domain command line optio= n > on nfsuserd to set it. > (Since this "domain" is underdefined, I'd suggest only ascii characters a= nd > all alphabetics in lower case.) > If the client sends a string of digits, check to make sure the sysctl > vfs.nfs.enable_uidtostring is set to 0. > > rick > > > > > > Best regards, > > Andreas Kempe > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAM5tNy7YM6bRKTX3pLR8hC-a-cmxXA=wv4j0E8cBWGthbxzLdQ>