Date:      Wed, 16 Jun 2021 19:58:16 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 256658] ugidfw starts before late mount of nfs causing permissions errors on /var/run/nslcd
Message-ID:  <bug-256658-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256658

            Bug ID: 256658
           Summary: ugidfw starts before late mount of nfs causing
                    permissions errors on /var/run/nslcd
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: dvl@FreeBSD.org

This has affected hosts installed with FreeBSD 13 and upgraded from 12 to 13.

A summary of the discovery process appears first, followed by the complicating
factors which colluded to create the problem.

Initial symptom was inability of non-root to use / access Kerberos. With a
valid ticket on your laptop, you could ssh to a host where klist should show no
valid ticket (we ssh'd in via ssh-keys).

$ id dvl
id: dvl: no such user

$ truss id dvl
....
connect(3,{ AF_UNIX "/var/run/nslcd/nslcd.ctl" },26) ERR#13 'Permission denied'
....

Permissions on that directory and its contents matched that on 12.x hosts which
did not have this issue.

An IRC guru suggested:

$ sysctl security.mac | grep enabled
security.mac.bsdextended.firstmatch_enabled: 1
security.mac.bsdextended.enabled: 1

Looking at bsdextended_script within /etc/rc.conf led to rules which impose
restrictions upon /usr/home

Let's try: service ugidfw restart

id dvl - now works.

Summary of complicating factors:

* /usr/home is mounted by NFS with:

foo.example.com:/home    /usr/home       nfs    hard,late,intr,wsize=65536,rsize=65536,port=2049,rw 0 0

* bsdextended_script points to rules which impose restrictions upon /usr/hom

* FreeBSD 12 does not show this issue

* FreeBSD 13 has this issue

* new 13 installs and upgrades from 12 have the same problem

* restarting ugidfw after boot solves the issue

* removing hard,late from NFS did not solve the issue

* adding mountlate to the REQUIRES in /etc/rc.d/ugidfw solves the issue

--
You are receiving this mail because:
You are the assignee for the bug.
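
One way to check the ordering described in the report, as an added example that is not part of the bug report or FreeBSD's own code: it follows "# REQUIRE:" lines transitively to tell whether ugidfw is guaranteed to start after mountlate. The sample headers and the site_policy script are constructed, and "# BEFORE:" lines are ignored.

```shell
#!/bin/sh
# Added example (not from the bug report): is rc.d script A guaranteed to
# start after B? Follows "# REQUIRE:" lines transitively; "# BEFORE:" lines
# are ignored in this simplified check.

# Print the file in directory $1 whose "# PROVIDE:" line names $2.
provider_of() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if awk -v n="$2" '/^# PROVIDE:/ { for (i = 3; i <= NF; i++) if ($i == n) ok = 1 }
                          END { exit !ok }' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# starts_after DIR NAME TARGET: succeed if NAME requires TARGET, directly or
# through other scripts' REQUIRE lines.
starts_after() {
    dir=$1 todo=$2 target=$3 seen=" "
    while [ -n "$todo" ]; do
        set -- $todo; cur=$1; shift; todo="$*"
        case "$seen" in *" $cur "*) continue ;; esac   # already visited
        seen="$seen$cur "
        file=$(provider_of "$dir" "$cur") || continue   # no provider in DIR
        for dep in $(awk '/^# REQUIRE:/ { for (i = 3; i <= NF; i++) print $i }' "$file"); do
            [ "$dep" = "$target" ] && return 0
            todo="$todo $dep"
        done
    done
    return 1
}

# make_sample DIR "REQUIRE words for ugidfw": writes constructed headers
# (not copied from a FreeBSD release); site_policy is a hypothetical script.
make_sample() {
    mkdir -p "$1"
    printf '# PROVIDE: FILESYSTEMS\n' > "$1/FILESYSTEMS"
    printf '# PROVIDE: mountlate\n# REQUIRE: FILESYSTEMS\n' > "$1/mountlate"
    printf '# PROVIDE: ugidfw\n# REQUIRE: %s\n' "$2" > "$1/ugidfw"
    printf '# PROVIDE: site_policy\n# REQUIRE: ugidfw\n' > "$1/site_policy"
}

# On a FreeBSD host: starts_after /etc/rc.d ugidfw mountlate || echo "not guaranteed"
```

A script's position in rcorder output alone does not show whether the order is declared, which is why the check reads the REQUIRE lines instead.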