From: Alexander Lunev
To: freebsd-net@freebsd.org
Date: Fri, 16 Aug 2019 19:40:22 +0300
Subject: Re: NFSv4 without Kerberos

> 1 - setting the sysctls
>       vfs.nfsd.enable_stringtouid=1
>       vfs.nfs.enable_uidtostring=1
>     Allows the uid/gid to be put in the Owner/Owner_group string as a number
>     (i.e. "1001"). This avoids any need to run the nfsuserd if all mounts are sec=sys.
>     This is now the default for most Linux distros.
>
>     Even if you want to run the nfsuserd, it won't be working until the system is
>     booted. (If you don't do the above, all the files needed to get booted must be
>     world read/exec.)

Thanks for this! In fact I was moving towards root-on-NFSv4, and your message is really helpful. It is a pity that there is so little documentation and even less debugging means for NFSv4 - you can't put the daemon in debug mode, for example, or get some extra debugging messages from mount_nfs, like with ssh/sshd for example.

> 2 - A Kerberized root mount won't work, because the gssd must be running for
>     Kerberos access to work and that can't happen until booted.

And thanks for this! I think you saved me a lot of time figuring out how and why!

--
Best regards
Alexander Lunev