From: Rick Macklem
To: Marek Salwerowicz
Cc: rmacklem@FreeBSD.org, freebsd-current@freebsd.org
Date: Sat, 8 Jan 2011 20:18:45 -0500 (EST)
Subject: Re: NFSv4 and pam_mount - mounting user home directories.
List: freebsd-current@freebsd.org (Discussions about the use of FreeBSD-current)

> Hi,
>
> 1.
> I have an NFSv4-enabled server with /etc/exports like:
> V4: / -sec=sys
> /home/stud -sec=sys
>
> /etc/rc.conf:
>
> nfs_server_enable=YES
> nfsv4_server_enable=YES
> nfsuserd_enable=YES
>
> Is it possible to run ONLY NFSv4 server (without NFSv3 compatibility)
> ?

You can limit the versions of NFS supported by the server via:
vfs.newnfs.server_max_nfsvers
vfs.newnfs.server_min_nfsvers
If both of these are set to "4", only NFSv4 will be handled. (However, note
that it is not possible to run the regular and experimental NFS server on
the same machine concurrently, so this would mean that the box would only
serve NFSv4.)

>
> 2. On a client station I installed pam_mount module in order to mount
> home directory from server automatically during logging in to
> station.
> I would like to mount it via NFSv4.
>
> In pam_mount.conf.xml I inserted:
> path="/home/stud/%(USER)" mountpoint="/home/stud/%(USER)" />
> path="/home/prac/%(USER)" mountpoint="/home/prac/%(USER)" />
> mount_nfs -o nfsv4 %(SERVER):%(VOLUME) %(MNTPT)
>
> And it works, but:
>
> On a client station every user can be root, and I don't want even root
> to be able to mount user's home directories without giving a
> password (via mount_nfs command) - is it possible?

Not that I know. If the users are "root" they can do a mount. It is possible
to allow non-root users to do mounts, but not restrict mounting by "root".
Note:
- "root" is not mapped to "root" on the server for your configuration so,
  although they can "mount", they can't access the server volume beyond what
  "nobody"/world is allowed to do.
The concept of "mount" doesn't really exist in an NFS server. The client
mount_nfs simply finds a handle for the directory at the end of the mount
path. The server only sees RPCs doing operations from that directory down
and has no idea that the client "has mounted it there".
>
> After mounting there is a strange UID and GID:
>
> ls -la
> total 472
> drwxr-xr-x 10 32767 32767 1024 8 sty 23:00 ./
> drwxr-xr-x 9 root wheel 512 1 wrz 2009 ../
> -rw------- 1 32767 32767 0 12 cze 2010 .Xauthority
> drwxr-xr-x 3 32767 32767 512 12 cze 2010 .cache/
> -rw------- 1 32767 32767 68693 8 sty 21:11 .hist
> -rw------- 1 32767 32767 0 11 cze 2010 .history
>
> the UID should be 700.
>

This will be the user name mapping business. For NFSv4, both the client and
the server must know the username for UID == 700 and they must be configured
with the same user name space domain. (I suspect the latter is correct or
"root", "wheel" would not have worked.) For NFSv4, it is names and not
numbers that go on the wire for file ownership. (Try reading "man nfsv4" and
"man nfsuserd".)

rick
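Two small checks for the points raised in this thread, written as an added example (not code from the thread or from FreeBSD): one confirms from sysctl output that the server is pinned to NFSv4 only via the two vfs.newnfs values named above, the other scans an "ls -la" listing for owners or groups that stayed numeric, which is the symptom of the NFSv4 name-mapping failure (32767 instead of 700). The sysctl and listing samples are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Both inputs are passed as text so the
# checks run anywhere; on a real box you would feed them
# "sysctl vfs.newnfs" output and the listing of the mounted home directory.

# Succeed (exit 0) only when both min and max NFS versions are set to 4.
nfsv4_only() {
    # $1: text with lines such as "vfs.newnfs.server_max_nfsvers: 4"
    min=$(printf '%s\n' "$1" | awk '$1 == "vfs.newnfs.server_min_nfsvers:" {print $2}')
    max=$(printf '%s\n' "$1" | awk '$1 == "vfs.newnfs.server_max_nfsvers:" {print $2}')
    [ "$min" = "4" ] && [ "$max" = "4" ]
}

# Count "ls -la" entries whose owner or group is still a raw number; with
# NFSv4 names go on the wire, so a numeric owner means nfsuserd on the client
# could not map the name the server sent (32767 is the fallback seen above).
unmapped_entries() {
    # $1: listing text; "total N" lines have too few fields and are skipped
    printf '%s\n' "$1" | awk 'NF >= 9 && ($3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/) {n++} END {print n+0}'
}

# Constructed samples (not captured from any real host).
SYSCTL_V4ONLY='vfs.newnfs.server_min_nfsvers: 4
vfs.newnfs.server_max_nfsvers: 4'
SYSCTL_DEFAULT='vfs.newnfs.server_min_nfsvers: 2
vfs.newnfs.server_max_nfsvers: 4'
LISTING='total 472
drwxr-xr-x 10 32767 32767 1024 8 sty 23:00 ./
drwxr-xr-x 9 root wheel 512 1 wrz 2009 ../
-rw------- 1 32767 32767 0 12 cze 2010 .Xauthority
drwxr-xr-x 3 32767 32767 512 12 cze 2010 .cache/'

if nfsv4_only "$SYSCTL_V4ONLY"; then
    echo "server: NFSv4 only"
else
    echo "server: also answers NFSv2/NFSv3"
fi
echo "entries with unmapped numeric owner/group: $(unmapped_entries "$LISTING")"
```

A non-zero count after a login mount is the cue to compare the nfsuserd domain and the user database on client and server, as the reply above suggests.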