Date:      Wed, 27 Mar 2024 15:22:05 -0700
From:      Rick Macklem <rick.macklem@gmail.com>
To:        Andreas Kempe <kempe@lysator.liu.se>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access
Message-ID:  <CAM5tNy7qd9gUhjW%2B0Xjz%2BZHVNKXHznFK48K2jRiCDWD1UBcwZA@mail.gmail.com>
In-Reply-To: <ZgRUqkl1zVxMPt6K@shipon.lysator.liu.se>
References:  <ZgNiZsYl6D-GnRwI@shipon.lysator.liu.se> <CAM5tNy53suTizsOmsKvN9Zrd6LciAFrS3PEctUJjK%2BHH9QcMrw@mail.gmail.com> <CAM5tNy7YM6bRKTX3pLR8hC-a-cmxXA=wv4j0E8cBWGthbxzLdQ@mail.gmail.com> <ZgRUqkl1zVxMPt6K@shipon.lysator.liu.se>

On Wed, Mar 27, 2024 at 10:17 AM Andreas Kempe <kempe@lysator.liu.se> wrote:
>
> On Tue, Mar 26, 2024 at 05:54:38PM -0700, Rick Macklem wrote:
> > On Tue, Mar 26, 2024 at 5:33 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > >
> > > Take a look at a packet capture in wireshark.
> > > Check that the @domain part of Owner and Owner_group attributes are
> > > the same and it is not a string of digits.
> > Oh, and just fyi, you can use tcpdump to capture the packets, something like:
> > # tcpdump -s 0 -w out.pcap host <nfs-server>
> > and then you can look at out.pcap wherever it is convenient to
> > install wireshark.
> > (I run it on this windows laptop.)
> > Don't bother to try and look at NFS with tcpdump. It doesn't know how
> > to decode it.
> >
> > > If the domain is not the same, you can use the -domain command line option
> > > on nfsuserd to set it.
> > > (Since this "domain" is underdefined, I'd suggest only ascii characters and
> > > all alphabetics in lower case.)
> > > If the client sends a string of digits, check to make sure the sysctl
> > > vfs.nfs.enable_uidtostring is set to 0.
> > >
>
> I'm using lysator.liu.se as the domain on both client and server. It
> seems to work since listing files gives correct owners.
>
> I have dumped the traffic from mounting and creating a file named
> test file that shows up as owned by nobody. I get the following call
> made
>
>         NFS     438     V4 Call (Reply In 131) Open OPEN DH: 0x30a4c0aa/testfil
>
> In the OPEN (18) opcode, owner is set to
>
>                 0000   af 16 00 00 93 fc 00 00 07 76 0d 00
>
> while the server sets owner to ex. kempe@lysator.liu.se as expected
> when directory listings are made.
Make sure you aren't using krb5p when doing the capture. Either krb5 or
krb5i should be ok.

rick

>
> vfs.nfs.enable_uidtostring is 0 on the client machine and I am not
> quite able to make sense of what the 12 bytes in the owner field are
> supposed to be. They are not the ASCII representation and neither my
> user's GID and UID that are both 0x7b02.
>
> // Andreas Kempe
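The checks Rick describes earlier in the thread (Owner and Owner_group must carry the same @domain, the domain should be lower-case ASCII, and a bare string of digits means the client is sending raw ids instead of names) can be applied mechanically to the attribute strings read out of a capture. The script below is an added example written for this archive page; it is not code from the thread, from nfsuserd or from FreeBSD. It assumes you have copied the Owner/Owner_group strings out of wireshark by hand, and all sample values in it are constructed.

```python
"""Classify NFSv4 Owner / Owner_group attribute strings.

Findings follow the diagnostic from the thread:
  numeric          - string of digits: client sent a raw uid/gid
                     (check vfs.nfs.enable_uidtostring is 0)
  no_domain        - no '@domain' part at all
  domain_mismatch  - domain differs from the nfsuserd -domain you expect
  domain_not_lowercase_ascii - domain is not plain lower-case ASCII
  ok               - nothing suspicious
All sample values below are constructed, not taken from a real capture.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OwnerCheck:
    value: str
    name: Optional[str]    # part before the last '@', None if there is no '@'
    domain: Optional[str]  # part after the last '@', None if there is no '@'
    finding: str


def split_owner(value: str) -> tuple:
    """Split 'name@domain' at the last '@' (names may themselves contain '@')."""
    if "@" not in value:
        return value, None
    name, _, domain = value.rpartition("@")
    return name, domain


def check_owner(value: str, expected_domain: Optional[str] = None) -> OwnerCheck:
    """Classify a single Owner or Owner_group attribute string."""
    name, domain = split_owner(value)
    if value.isdigit():
        finding = "numeric"
    elif not domain:
        finding = "no_domain"
    elif expected_domain is not None and domain.lower() != expected_domain.lower():
        finding = "domain_mismatch"
    elif not domain.isascii() or domain != domain.lower():
        finding = "domain_not_lowercase_ascii"
    else:
        finding = "ok"
    return OwnerCheck(value, name, domain, finding)


def check_owner_pair(owner: str, owner_group: str,
                     expected_domain: Optional[str] = None) -> list:
    """Return the list of problems for one Owner/Owner_group pair.

    An empty list means the pair looks fine; otherwise each entry is a short
    human-readable description of what would make nfsuserd fall back to nobody.
    """
    problems = []
    o = check_owner(owner, expected_domain)
    g = check_owner(owner_group, expected_domain)
    for label, c in (("owner", o), ("owner_group", g)):
        if c.finding != "ok":
            problems.append(f"{label} {c.value!r}: {c.finding}")
    # Owner and Owner_group must agree on the domain even when both parse.
    if o.domain and g.domain and o.domain.lower() != g.domain.lower():
        problems.append(f"owner domain {o.domain!r} != owner_group domain {g.domain!r}")
    return problems


# Constructed sample pairs, as one might transcribe them from a wireshark decode.
CONSTRUCTED_SAMPLES = [
    ("kempe@lysator.liu.se", "users@lysator.liu.se"),   # healthy
    ("1001", "1001"),                                    # uidtostring left on
    ("kempe@lysator.liu.se", "users@example.org"),       # domains disagree
    ("kempe@Lysator.LIU.se", "users@Lysator.LIU.se"),    # mixed case domain
]

if __name__ == "__main__":
    for owner, group in CONSTRUCTED_SAMPLES:
        problems = check_owner_pair(owner, group, expected_domain="lysator.liu.se")
        print(f"{owner:24} {group:24} -> {problems or 'ok'}")
```

Run it with the strings from your own capture substituted into CONSTRUCTED_SAMPLES, passing the domain you gave nfsuserd as expected_domain; any non-empty result points at the attribute that the server-side mapping will refuse.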


