List-Archive: https://lists.freebsd.org/archives/freebsd-fs
From: Rick Macklem
Date: Wed, 27 Mar 2024 15:22:05 -0700
Subject: Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access
To: Andreas Kempe
Cc: freebsd-fs@freebsd.org

On Wed, Mar 27, 2024 at 10:17 AM Andreas Kempe wrote:
>
> On Tue, Mar 26, 2024 at 05:54:38PM -0700, Rick Macklem wrote:
> > On Tue, Mar 26, 2024 at 5:33 PM Rick Macklem wrote:
> > >
> > > Take a look at a packet capture in wireshark.
> > > Check that the @domain part of Owner and Owner_group attributes are
> > > the same and it is not a string of digits.
> > Oh, and just fyi, you can use tcpdump to capture the packets, something like:
> > # tcpdump -s 0 -w out.pcap host
> > and then you can look at out.pcap wherever it is convenient to
> > install wireshark.
> > (I run it on this windows laptop.)
> > Don't bother to try and look at NFS with tcpdump. It doesn't know how
> > to decode it.
> >
> > > If the domain is not the same, you can use the -domain command line option
> > > on nfsuserd to set it.
> > > (Since this "domain" is underdefined, I'd suggest only ascii characters and
> > > all alphabetics in lower case.)
> > > If the client sends a string of digits, check to make sure the sysctl
> > > vfs.nfs.enable_uidtostring is set to 0.
> > >
> I'm using lysator.liu.se as the domain on both client and server. It
> seems to work since listing files gives correct owners.
>
> I have dumped the traffic from mounting and creating a file named
> test file that shows up as owned by nobody. I get the following call
> made
>
> NFS 438 V4 Call (Reply In 131) Open OPEN DH: 0x30a4c0aa/testfil
>
> In the OPEN (18) opcode, owner is set to
>
> 0000 af 16 00 00 93 fc 00 00 07 76 0d 00
>
> while the server sets owner to ex. kempe@lysator.liu.se as expected
> when directory listings are made.
Make sure you aren't using krb5p when doing the capture. Either krb5 or
krb5i should be ok.

rick

> vfs.nfs.enable_uidtostring is 0 on the client machine and I am not
> quite able to make sense of what the 12 bytes in the owner field are
> supposed to be. They are not the ASCII representation and neither my
> user's GID and UID that are both 0x7b02.
>
> // Andreas Kempe
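The checks Rick lists above (owner and owner_group carry the same @domain, the domain is not a string of digits, the domain is lower-case ASCII) can be applied mechanically to the owner strings pulled out of a capture. The script below is an added example written for this page; it is not code from the thread, from nfsuserd or from the FreeBSD NFS client. It decodes an NFSv4 owner attribute as an XDR string (4-byte big-endian length, data, zero padding to a multiple of 4), then returns a verdict naming the fix the thread suggests for that case. The function names and verdict strings are this example's own. The 12-byte sample is the hex the poster quoted, embedded here as constructed test input: its first four bytes, read as an XDR length, claim 0xaf160000 bytes where only 8 remain, so the field does not decode as a string at all. That is what an encrypted (krb5p) RPC payload looks like in a decoder, which is why Rick asks for krb5 or krb5i during the capture; the script reports it as a separate verdict rather than as a name-mapping problem.

```python
import struct

# Constructed sample: the 12 bytes the poster saw in the OPEN owner field.
CAPTURED_OWNER_FIELD = bytes.fromhex("af160000 93fc0000 07760d00")


def xdr_string(buf: bytes, off: int = 0):
    """Decode one XDR variable-length string starting at buf[off:].

    Layout: 4-byte big-endian length, then the bytes, then zero padding
    up to a 4-byte boundary. Returns (value, next_offset), or None when
    the length prefix does not fit inside the buffer.
    """
    if off + 4 > len(buf):
        return None
    (length,) = struct.unpack_from(">I", buf, off)
    start = off + 4
    if start + length > len(buf):
        return None
    value = buf[start:start + length]
    return value, start + length + (-length % 4)


def xdr_pack_string(data: bytes) -> bytes:
    """Inverse of xdr_string; used here only to build test vectors."""
    return struct.pack(">I", len(data)) + data + b"\0" * (-len(data) % 4)


def diagnose_owner(owner: str, expected_domain: str) -> str:
    """Apply the thread's checks to one decoded owner/owner_group string.

    Verdicts (names chosen for this example):
      numeric-id                 client sent a bare uid/gid string; check
                                 that vfs.nfs.enable_uidtostring is 0
      no-domain                  no '@' at all
      domain-mismatch            differs from the expected domain; fix with
                                 nfsuserd -domain on the side that disagrees
      domain-not-lowercase-ascii both sides agree, but the domain is not
                                 the lower-case ASCII form Rick recommends
      ok                         nothing to fix in the name mapping
    """
    if owner.isdigit():
        return "numeric-id"
    if "@" not in owner:
        return "no-domain"
    _, domain = owner.rsplit("@", 1)
    if domain != expected_domain:
        return "domain-mismatch"
    if not domain.isascii() or domain != domain.lower():
        return "domain-not-lowercase-ascii"
    return "ok"


def diagnose_owner_field(raw: bytes, expected_domain: str) -> str:
    """Decode a raw owner field as an XDR string and diagnose it.

    A field that does not decode as XDR is not a name-mapping problem;
    an encrypted (krb5p) payload, or a misread offset, produces this.
    """
    decoded = xdr_string(raw)
    if decoded is None:
        return "not-an-xdr-string"
    value, _ = decoded
    try:
        owner = value.decode("utf-8")
    except UnicodeDecodeError:
        return "not-utf8"
    return diagnose_owner(owner, expected_domain)


if __name__ == "__main__":
    domain = "lysator.liu.se"
    print(diagnose_owner_field(CAPTURED_OWNER_FIELD, domain))
    print(diagnose_owner_field(xdr_pack_string(b"kempe@lysator.liu.se"), domain))
    print(diagnose_owner("31490", domain))
```

Feed it the owner and owner_group values wireshark shows for a GETATTR reply and for the client's OPEN/SETATTR, with the domain from `nfsuserd -domain` (or the default) as `expected_domain`; any verdict other than `ok` points at one of the three fixes in Rick's message, and `not-an-xdr-string` means the capture itself needs redoing without krb5p.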