Date:      Tue, 14 Oct 2014 08:50:53 +0000
From:      "Loïc Blot" <loic.blot@unix-experience.fr>
To:        "Rick Macklem" <rmacklem@uoguelph.ca>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: NFSv4 nobody issue
Message-ID:  <726222de616461ce67f35e77dfaac5fe@mail.unix-experience.fr>
In-Reply-To: <1003039765.63581639.1413228280410.JavaMail.root@uoguelph.ca>
References:  <1003039765.63581639.1413228280410.JavaMail.root@uoguelph.ca>

Hi Rick,
thanks for your tip. It works perfectly.
I think creating a sysctl variable would be fine to handle this precise case, no?

I'll look at a patch today.

Regards,

Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr

13 October 2014 21:24 "Rick Macklem" <rmacklem@uoguelph.ca> wrote:
> Loic Blot wrote:
> 
>> Hi Rick,
>> no request is done.
>> In /var/log/messages on the client I have:
>> 
>> Oct 13 15:10:46 machine kernel: No name and/or group mapping for
>> uid,gid:(65534,-1)
>> 
>> The FreeBSD kernel refuses to change the owner.
> 
> Ok, I took a look and it is a restriction enforced by the server.
> If you want it to work, you need to comment out these lines in
> sys/fs/nfsserver/nfs_nfsdsubs.c:
> 1546 if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid)
> 1547 || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == nfsrv_defaultgid)) {
> 1548 error = NFSERR_BADOWNER;
> 1549 goto out;
> 1550 }
> (Line#s 1546->1550 in head.)
> 
> It is done because some clients try to set the owner when there is no
> valid mapping by sending "nobody@<your.dns.domain>" to the server.
> Unfortunately for you "nobody" is the traditional name for "no mapping".
> For example, if "chown rick <file>" was done on a client where "rick"
> is not in the client's passwd database, some clients will send
> "nobody@<your.dns.domain>" and the above code makes sure that doesn't work.
> 
> So, if you want this to work, comment out the above lines in your NFSv4
> server's kernel.
> 
> rick
> 
>> Regards,
>> 
>> Loïc Blot,
>> UNIX Systems, Network and Security Engineer
>> http://www.unix-experience.fr
>> 
>> 13 October 2014 14:43 "Rick Macklem" <rmacklem@uoguelph.ca> wrote:
>>> Loic Blot wrote:
>>> 
>>>> Hi,
>>>> I tried some other things
>>>> 
>>>> User nobody (65534)
>>>> -> chown nobody /usr/jail/test.file => problem
>>>> 
>>>> Group nogroup (65533)
>>>> -> chown :nogroup /usr/jail/test.file => same problem
>>>> 
>>>> Group nobody (65534)
>>>> -> chown :nobody /usr/jail/test.file => no problem
>>>> 
>>>> Change user nobody UID from 65534 to 65533 => same problem. It's not
>>>> a UID number problem but a name problem.
>>> 
>>> Yes, for NFSv4 it is the names that go in the RPC request and not the
>>> numbers. However, since there are the numbers in the AUTH_SYS credential
>>> in the header (unless you are using Kerberized mounts), the numbers for
>>> the names need to be consistent between client and server.
>>> 
>>>> Then, user nobody and group nogroup (not the integer values) are
>>>> problematic. I looked at nfsuserd.c and I see:
>>>> u_char *defaultuser = "nobody";
>>>> u_char *defaultgroup = "nogroup";
>>> 
>>> These are used if no mapping is found in the user or group database
>>> for whatever name is in the RPC on the wire.
>>> 
>>> If you want to see what is happening, I suggest that you capture
>>> packets when you do the "chown" (You can use "tcpdump -s 0 -w
>>> file.pcap host XXX".)
>>> then look at them in wireshark.
>>> In wireshark, look for the Setattr RPC and then look in the settable
>>> attributes.
>>> You should find Owner which looks like "nobody@<your.dns.domain>" and
>>> Owner_group which looks the same (or "nogroup@<your.dns.domain>" if you
>>> used nogroup). "nogroup" must be in your group database (/etc/group
>>> or whatever you use for a group database) and the number must be
>>> consistent across client and server.
>>> Also, see what the reply to the Setattr RPC is (it is actually a
>>> Compound RPC labelled "Setattr" for NFSv4).
>>> 
>>> If there is no Setattr RPC, then the mapping is failing in the
>>> client.
>>> 
>>> If the stuff looks correct on the wire, then it is most likely a
>>> server side issue.
>>> 
>>> rick
>>> 
>>>> I think it's related.
>>>> 
>>>> Regards,
>>>> 
>>>> Loïc Blot,
>>>> UNIX Systems, Network and Security Engineer
>>>> http://www.unix-experience.fr
>>>> 
>>>> 13 October 2014 09:15 "Loïc Blot" <loic.blot@unix-experience.fr> wrote:
>>>>> Hi,
>>>>> of course I have it. On each node:
>>>>> 
>>>>> # cat /etc/master.passwd | grep nobody
>>>>> returns:
>>>>> nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
>>>>> 
>>>>> That's why I'm reporting it here :)
>>>>> 
>>>>> Regards,
>>>>> 
>>>>> Loïc Blot,
>>>>> UNIX Systems, Network and Security Engineer
>>>>> http://www.unix-experience.fr
>>>>> 
>>>>> 10 October 2014 13:51 "Rick Macklem" <rmacklem@uoguelph.ca> wrote:
>>>>> 
>>>>>> Loic Blot wrote:
>>>>>> 
>>>>>>> Hello @freebsd-fs,
>>>>>>> I'm trying to do jail hosting over NFSv4 with ezjail and I'm
>>>>>>> experiencing an issue that I can't resolve. When I extract
>>>>>>> base.txz (with ezjail) or I set the nobody user on a file, I have
>>>>>>> this error:
>>>>>>> 
>>>>>>> chown nobody:nobody /usr/jails/fulljail/mnt/
>>>>>>> No name and/or group mapping for uid,gid:(65534,65534)
>>>>>>> chown: /usr/jails/fulljail/mnt/: Operation not permitted
>>>>>>> 
>>>>>>> No problem if I set:
>>>>>>> chown mysql:nobody /usr/jails/fulljail/mnt/
>>>>>>> 
>>>>>>> The problem appears on all files.
>>>>>> 
>>>>>> Do you have a user by the name of "nobody" in your password
>>>>>> database?
>>>>>> (NFSv4 uses names and not numbers on the wire, so no name-->no
>>>>>> mapping and chown can't be done.)
>>>>>> 
>>>>>> rick
>>>>>> 
>>>>>>> On my ZFS+NFSv4 server I created a dataset, exported over NFS
>>>>>>> 
>>>>>>> /etc/exports:
>>>>>>> V4: /
>>>>>>> 
>>>>>>> zfs get sharenfs pool/jails:
>>>>>>> -network=10.99.99.0 -mask=255.255.255.0 -maproot=root
>>>>>>> 
>>>>>>> nfsuserd and nfsv4_server_enable=YES on both client and server,
>>>>>>> plus nfsbcd on client.
>>>>>>> 
>>>>>>> On the client here is the fstab entry
>>>>>>> 10.99.99.99:/pool/jails /usr/jails nfs rw,nfsv4 0 0
>>>>>>> 
>>>>>>> What am I doing wrong?
>>>>>>> 
>>>>>>> Thanks in advance
>>>>>>> Regards,
>>>>>>> 
>>>>>>> Loïc Blot,
>>>>>>> UNIX Systems, Network and Security Engineer
>>>>>>> http://www.unix-experience.fr
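The following is an added example, not code from FreeBSD's sys/fs/nfsserver/nfs_nfsdsubs.c or from nfsuserd. It is a user-space C model of the two steps Rick describes: nfsuserd mapping the "user@domain" owner string carried in the NFSv4 Setattr to a numeric id (falling back to the id of the default user "nobody" or default group "nogroup" when the name is not in the database), followed by the server check that refuses a Setattr whose owner resolves to that default id. The password and group tables, the domain "example.test", the nfsrv_* values and the function names are constructed for this example; the error number is NFS4ERR_BADOWNER from RFC 7530. Running it reproduces each of Loïc's chown experiments without an NFS mount.

```c
/*
 * Added illustration (not FreeBSD kernel or nfsuserd code): a user-space
 * model of NFSv4 owner-name mapping plus the server-side "default owner"
 * rejection discussed in the thread.
 *
 * The tables, domain name and nfsrv_* values below are constructed for
 * this example.
 */
#include <stdio.h>
#include <string.h>

#define NFS4_OK          0
#define NFS4ERR_BADOWNER 10039   /* RFC 7530 error code */

typedef unsigned int nfs_id_t;
struct id_entry { const char *name; nfs_id_t id; };

/* Constructed stand-ins for the server's /etc/passwd and /etc/group. */
static const struct id_entry server_passwd[] = {
    { "root", 0 }, { "mysql", 88 }, { "nobody", 65534 },
};
static const struct id_entry server_group[] = {
    { "wheel", 0 }, { "mysql", 88 }, { "nogroup", 65533 }, { "nobody", 65534 },
};
#define NENT(a) (sizeof(a) / sizeof((a)[0]))

/* Model of nfsuserd's defaults: unmapped names resolve to these ids. */
static const char *nfsrv_domain     = "example.test";
static const nfs_id_t nfsrv_defaultuid = 65534;   /* id of defaultuser "nobody"   */
static const nfs_id_t nfsrv_defaultgid = 65533;   /* id of defaultgroup "nogroup" */

/*
 * Map "name@domain" to a numeric id.  Returns 1 when the name was found in
 * the table and 0 when it fell back to the default id.  The caller cannot
 * tell a genuine "nobody" from an unmappable name by looking at *out alone,
 * which is the ambiguity the server check guards against.
 */
static int
map_owner(const char *wire, const struct id_entry *tbl, size_t n,
          nfs_id_t def, nfs_id_t *out)
{
    const char *at = strchr(wire, '@');
    size_t len;

    *out = def;
    if (at == NULL || strcmp(at + 1, nfsrv_domain) != 0)
        return 0;                      /* missing or foreign domain: default */
    len = (size_t)(at - wire);
    for (size_t i = 0; i < n; i++) {
        if (strlen(tbl[i].name) == len && strncmp(tbl[i].name, wire, len) == 0) {
            *out = tbl[i].id;
            return 1;
        }
    }
    return 0;
}

/*
 * Model of the check quoted from nfs_nfsdsubs.c: a Setattr that sets the
 * owner (or owner_group) to the default id is refused with BADOWNER.
 * NULL for owner or group means that attribute is not being set.
 */
int
nfsrv_setattr_owner(const char *owner, const char *group)
{
    nfs_id_t id;

    if (owner != NULL) {
        map_owner(owner, server_passwd, NENT(server_passwd), nfsrv_defaultuid, &id);
        if (id == nfsrv_defaultuid)
            return NFS4ERR_BADOWNER;
    }
    if (group != NULL) {
        map_owner(group, server_group, NENT(server_group), nfsrv_defaultgid, &id);
        if (id == nfsrv_defaultgid)
            return NFS4ERR_BADOWNER;
    }
    return NFS4_OK;
}

int
main(void)
{
    /* The chown experiments from the thread, replayed against the model. */
    printf("chown mysql:nobody   -> %d\n", nfsrv_setattr_owner("mysql@example.test", "nobody@example.test"));
    printf("chown nobody:nobody  -> %d\n", nfsrv_setattr_owner("nobody@example.test", "nobody@example.test"));
    printf("chown :nogroup       -> %d\n", nfsrv_setattr_owner(NULL, "nogroup@example.test"));
    printf("chown :nobody        -> %d\n", nfsrv_setattr_owner(NULL, "nobody@example.test"));
    printf("chown rick (unknown) -> %d\n", nfsrv_setattr_owner("rick@example.test", NULL));
    return 0;
}
```

The model shows why "chown :nobody" succeeds while "chown nobody" and "chown :nogroup" fail: group "nobody" maps to 65534, which is not the default gid, but user "nobody" and group "nogroup" map to exactly the ids nfsuserd uses for "no mapping", so the server cannot distinguish them from a client that substituted "nobody@<domain>" for a name it could not map. Removing the check, or gating it behind a sysctl as Loïc proposes, makes the first case work but also lets such a substituted owner be applied silently, which is the reason the check exists.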