From: Loïc Blot
Subject: Re: NFSv4 nobody issue
To: Rick Macklem
Cc: freebsd-fs@freebsd.org
Date: Tue, 14 Oct 2014 08:50:53 +0000
Message-ID: <726222de616461ce67f35e77dfaac5fe@mail.unix-experience.fr>
In-Reply-To: <1003039765.63581639.1413228280410.JavaMail.root@uoguelph.ca>

Hi Rick,
thanks for your tip. It works perfectly.
I think creating a sysctl variable would be fine to handle this precise case, no?

I'll look at a patch today.

Regards,

Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr

On 13 October 2014 21:24, "Rick Macklem" wrote:
> Loic Blot wrote:
>
>> Hi Rick,
>> no request is done.
>> In /var/log/messages on the client I have:
>>
>> Oct 13 15:10:46 machine kernel: No name and/or group mapping for
>> uid,gid:(65534,-1)
>>
>> The FreeBSD kernel refuses to change the owner.
>
> Ok, I took a look and it is a restriction enforced by the server.
> If you want it to work, you need to comment out these lines in
> sys/fs/nfsserver/nfs_nfsdsubs.c:
>
> 1546     if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid)
> 1547         || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == nfsrv_defaultgid)) {
> 1548         error = NFSERR_BADOWNER;
> 1549         goto out;
> 1550     }
>
> (Line#s 1546->1550 in head.)
>
> It is done because some clients try to set the owner when there is no
> valid mapping by sending "nobody@" to the server.
> Unfortunately for you "nobody" is the traditional name for "no mapping".
> For example, if "chown rick " was done on a client where "rick"
> is not in the client's passwd database, some clients will send "nobody@"
> and the above code makes sure that doesn't work.
>
> So, if you want this to work, comment out the above lines in your NFSv4 server's
> kernel.
>
> rick
>
>> Regards,
>>
>> Loïc Blot,
>> UNIX Systems, Network and Security Engineer
>> http://www.unix-experience.fr
>>
>> On 13 October 2014 14:43, "Rick Macklem" wrote:
>>> Loic Blot wrote:
>>>
>>>> Hi,
>>>> I tried some other things
>>>>
>>>> User nobody (65534)
>>>> -> chown nobody /usr/jail/test.file => problem
>>>>
>>>> Group nogroup (65533)
>>>> -> chown :nogroup /usr/jail/test.file => same problem
>>>>
>>>> Group nobody (65534)
>>>> -> chown :nobody /usr/jail/test.file => no problem
>>>>
>>>> Change user nobody UID from 65534 to 65533 => same problem. It's not
>>>> a UID number problem but a name problem.
>>>
>>> Yes, for NFSv4 it is the names that go in the RPC request and not the
>>> numbers. However, since there are the numbers in the AUTH_SYS credential
>>> in the header (unless you are using Kerberized mounts), the numbers for
>>> the names need to be consistent between client and server.
>>>
>>>> Then, user nobody and group nogroup (not the integer values) are
>>>> problematic. I looked at nfsuserd.c and I see:
>>>> u_char *defaultuser = "nobody";
>>>> u_char *defaultgroup = "nogroup";
>>>
>>> These are used if no mapping is found in the user or group database
>>> for whatever name is in the RPC on the wire.
>>>
>>> If you want to see what is happening, I suggest that you capture
>>> packets when you do the "chown" (You can use "tcpdump -s 0 -w
>>> file.pcap host XXX".)
>>> then look at them in wireshark.
>>> In wireshark, look for the Setattr RPC and then look in the settable
>>> attributes.
>>> You should find Owner which looks like "nobody@ and
>>> Owner_group which looks the same (or "nogroup@" if you
>>> used nogroup). "nogroup" must be in your group database (/etc/group
>>> or whatever you use for a group database) and the number must be
>>> consistent across client and server.
>>> Also, see what the reply to the Setattr RPC is (it is actually a
>>> Compound RPC labelled "Setattr" for NFSv4).
>>>
>>> If there is no Setattr RPC, then the mapping is failing in the client.
>>>
>>> If the stuff looks correct on the wire, then it is most likely a
>>> server side issue.
>>>
>>> rick
>>>
>>>> I think it's related.
>>>>
>>>> Regards,
>>>>
>>>> Loïc Blot,
>>>> UNIX Systems, Network and Security Engineer
>>>> http://www.unix-experience.fr
>>>>
>>>> On 13 October 2014 09:15, "Loïc Blot" wrote:
>>>>> Hi,
>>>>> of course I have it. On each node:
>>>>>
>>>>> # cat /etc/master.passwd | grep nobody
>>>>> returns:
>>>>> nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
>>>>>
>>>>> That's why I'm reporting it here :)
>>>>>
>>>>> Regards,
>>>>>
>>>>> Loïc Blot,
>>>>> UNIX Systems, Network and Security Engineer
>>>>> http://www.unix-experience.fr
>>>>>
>>>>> On 10 October 2014 13:51, "Rick Macklem" wrote:
>>>>>
>>>>>> Loic Blot wrote:
>>>>>>
>>>>>>> Hello @freebsd-fs,
>>>>>>> I'm trying to do jail hosting over NFSv4 with ezjail and I'm
>>>>>>> experiencing an issue that I can't resolve. When I extract
>>>>>>> base.txz (with ezjail) or I set the nobody user on a file, I get
>>>>>>> this error:
>>>>>>>
>>>>>>> chown nobody:nobody /usr/jails/fulljail/mnt/
>>>>>>> No name and/or group mapping for uid,gid:(65534,65534)
>>>>>>> chown: /usr/jails/fulljail/mnt/: Operation not permitted
>>>>>>>
>>>>>>> No problem if I set:
>>>>>>> chown mysql:nobody /usr/jails/fulljail/mnt/
>>>>>>>
>>>>>>> Problem appears on all files.
>>>>>>
>>>>>> Do you have a user by the name of "nobody" in your password database?
>>>>>> (NFSv4 uses names and not numbers on the wire, so no name-->no mapping
>>>>>> and chown can't be done.)
>>>>>>
>>>>>> rick
>>>>>>
>>>>>>> On my ZFS+NFSv4 server I created a dataset, exported via NFS
>>>>>>>
>>>>>>> /etc/exports:
>>>>>>> V4: /
>>>>>>>
>>>>>>> zfs get sharenfs pool/jails:
>>>>>>> -network=10.99.99.0 -mask=255.255.255.0 -maproot=root
>>>>>>>
>>>>>>> nfsuserd and nfsv4_server_enable=YES on both client and server, plus
>>>>>>> nfscbd on client.
>>>>>>>
>>>>>>> On the client here is the fstab entry
>>>>>>> 10.99.99.99:/pool/jails /usr/jails nfs rw,nfsv4 0 0
>>>>>>>
>>>>>>> What am I doing wrong?
>>>>>>>
>>>>>>> Thanks in advance
>>>>>>> Regards,
>>>>>>>
>>>>>>> Loïc Blot,
>>>>>>> UNIX Systems, Network and Security Engineer
>>>>>>> http://www.unix-experience.fr

_______________________________________________
freebsd-fs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-fs
To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
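The server-side behaviour the thread arrives at (names on the wire, nfsuserd falling back to "nobody"/"nogroup" for unmapped names, and the nfs_nfsdsubs.c check that refuses a SETATTR whose mapped id is the default id) can be modelled in user space to see why the four chown cases from the thread succeed or fail, and what a bypass knob like the proposed sysctl trades away. This is an added example, not FreeBSD or nfsuserd code: the passwd and group tables, the NFSv4 domain "example.org", and the knob name allow_default_id_owner are constructed for the illustration; NFSERR_BADOWNER uses the NFS4ERR_BADOWNER value from RFC 7530.

```c
#include <stdio.h>
#include <string.h>

#define NFSERR_BADOWNER 10039   /* NFS4ERR_BADOWNER, RFC 7530 */
#define NOID ((unsigned)-1)

struct idmap_entry { const char *name; unsigned id; };

/* Constructed server-side passwd and group tables for the example. */
static const struct idmap_entry server_users[] = {
    { "root", 0 }, { "mysql", 88 }, { "nobody", 65534 }, { NULL, 0 }
};
static const struct idmap_entry server_groups[] = {
    { "wheel", 0 }, { "nogroup", 65533 }, { "nobody", 65534 }, { NULL, 0 }
};

/* The names nfsuserd falls back to when a wire name has no mapping. */
static const char *defaultuser = "nobody";
static const char *defaultgroup = "nogroup";
/* Assumed NFSv4 domain of this server (what nfsuserd -domain would be). */
static const char *server_domain = "example.org";

/* Hypothetical knob standing in for the sysctl proposed in the reply:
 * 1 = skip the default-id rejection quoted from nfs_nfsdsubs.c. */
int allow_default_id_owner = 0;

static unsigned
lookup_id(const struct idmap_entry *tbl, const char *name)
{
    for (; tbl->name != NULL; tbl++)
        if (strcmp(tbl->name, name) == 0)
            return tbl->id;
    return NOID;
}

/* Map "name@domain" from the wire to a numeric id the way the thread
 * describes: a known name in our domain maps to its id; anything else
 * (unknown name, missing or foreign domain) maps to the default name's id. */
unsigned
map_wire_owner(const struct idmap_entry *tbl, const char *deflt,
               const char *wire)
{
    char name[64];
    const char *at = strchr(wire, '@');
    size_t n = (at != NULL) ? (size_t)(at - wire) : 0;

    if (at != NULL && n > 0 && n < sizeof(name) &&
        strcmp(at + 1, server_domain) == 0) {
        memcpy(name, wire, n);
        name[n] = '\0';
        unsigned id = lookup_id(tbl, name);
        if (id != NOID)
            return id;
    }
    return lookup_id(tbl, deflt);
}

/* Model of the server's SETATTR owner check. Pass NULL for an attribute
 * the client did not set. Returns 0 (filling *uidp/*gidp) or NFSERR_BADOWNER. */
int
nfsd_check_owner(const char *owner, const char *owner_group,
                 unsigned *uidp, unsigned *gidp)
{
    unsigned uid = NOID, gid = NOID;
    unsigned defaultuid = lookup_id(server_users, defaultuser);
    unsigned defaultgid = lookup_id(server_groups, defaultgroup);

    if (owner != NULL)
        uid = map_wire_owner(server_users, defaultuser, owner);
    if (owner_group != NULL)
        gid = map_wire_owner(server_groups, defaultgroup, owner_group);

    /* The quoted check: an explicitly set owner or owner_group that lands
     * on the default id is refused, because a client with no mapping for a
     * name sends "nobody@domain" and the server cannot tell that apart from
     * a genuine chown to nobody. */
    if (!allow_default_id_owner &&
        ((owner != NULL && uid == defaultuid) ||
         (owner_group != NULL && gid == defaultgid)))
        return NFSERR_BADOWNER;

    if (uidp != NULL) *uidp = uid;
    if (gidp != NULL) *gidp = gid;
    return 0;
}

int
main(void)
{
    const char *cases[][2] = {
        { "mysql@example.org", "nobody@example.org" }, /* works in the thread */
        { "nobody@example.org", NULL },                /* fails in the thread */
        { NULL, "nogroup@example.org" },               /* fails in the thread */
        { "rick@example.org", NULL },                  /* unmapped name */
    };
    for (int knob = 0; knob < 2; knob++) {
        allow_default_id_owner = knob;
        printf("allow_default_id_owner=%d\n", knob);
        for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
            unsigned uid = NOID, gid = NOID;
            int err = nfsd_check_owner(cases[i][0], cases[i][1], &uid, &gid);
            printf("  owner=%-19s owner_group=%-20s -> %s uid=%u gid=%u\n",
                   cases[i][0] ? cases[i][0] : "-",
                   cases[i][1] ? cases[i][1] : "-",
                   err ? "NFSERR_BADOWNER" : "ok", uid, gid);
        }
    }
    return 0;
}
```

With the knob off, the model reproduces the thread: owner mysql with group nobody passes (65534 is not the default gid, which is nogroup's 65533), while user nobody or group nogroup fails, as does any name the server cannot map. With the knob on, "nobody@example.org" is accepted, but so is "rick@example.org": an unmapped name silently becomes uid 65534, which is exactly the case the check exists to catch, so such a bypass belongs on a server whose clients and server share one consistent user database.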