Date: Tue, 26 Mar 2024 17:33:55 -0700
From: Rick Macklem <rick.macklem@gmail.com>
To: Andreas Kempe <kempe@lysator.liu.se>
Cc: freebsd-fs@freebsd.org
Subject: Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access
Message-ID: <CAM5tNy53suTizsOmsKvN9Zrd6LciAFrS3PEctUJjK%2BHH9QcMrw@mail.gmail.com>
In-Reply-To: <ZgNiZsYl6D-GnRwI@shipon.lysator.liu.se>
References: <ZgNiZsYl6D-GnRwI@shipon.lysator.liu.se>
On Tue, Mar 26, 2024 at 5:04 PM Andreas Kempe <kempe@lysator.liu.se> wrote:
>
> Hello everyone,
>
> I have a bit of a head scratcher and need some help. I've configured a
> Linux NFS server running on Rocky Linux 8, kernel version 6.8, to act
> as a kerberised NFSv4 server.
>
> The server has the following export line
>
> /tank/beta-testing *.lysator.liu.se(rw,sync,no_wdelay,sec=krb5:krb5p,no_root_squash)
>
> and I can mount the export fine using both krb5 and krb5p. idmap is
> running on the Linux server/clients while nfsuserd is running on the
> FreeBSD client. I'm using host credentials for the mounts and not user
> credentials.
>
> I can mount the share on my Linux clients and everything works as
> expected.
>
> On my FreeBSD clients, I have the issue that all users on the client
> seem to get mapped to nobody when accessing files. Doing a directory
> listing shows correct owners
>
> kempe@claptrap /mnt> ls -l /mp/diskus/
> total 92
> drwxr-xr-x    2 aoh    aoh       2 feb.  18 22:35 aoh/
> drwxr-xr-x  195 hx     hx      516 juli   1  2018 hx/
> drwx------    3 kempe  kempe     3 mars  27 00:45 kempe/
> drwxr-xr-x  104 octol  lysator 213 maj    6  2022 octol/
>
> and I can see that nfsuserd has loaded the info into the kernel
>
> Mar 26 23:35:40 claptrap nfsuserd:[3097]: Added uid=31490 name=kempe
> Mar 26 23:35:40 claptrap nfsuserd:[3096]: Added uid=31490 name=kempe
>
> but if I try to enter the kempe directory, I get a permission denied
>
> kempe@claptrap /mnt> cd /mp/diskus/kempe
> cd: Permission denied: '/mp/diskus/kempe'
>
> changing permissions on the kempe directory to 777, I can enter it and
> create a file
>
> kempe@claptrap /mnt> cd /mp/diskus/kempe
> kempe@claptrap /m/d/kempe> touch testfile
> kempe@claptrap /m/d/kempe> ls -l
> total 10
> drwxr-xr-x  5 kempe   kempe   88 feb.  19 13:33 bonnie++-2.00a/
> -rw-r--r--  1 nobody  nobody   0 mars  27 00:54 testfile
>
> but the file is owned by nobody instead of my user kempe.
>
> User credentials are stored in LDAP and resolved through nslcd.
>
> I have tried searching, but this is a difficult one to search for as
> most hits relate to everything being owned by nobody on account of
> idmapd/nfsuserd not running.
>
> Has anyone seen anything like this or do you have any good suggestions
> on where to start looking?

Take a look at a packet capture in Wireshark.
Check that the @domain part of Owner and Owner_group attributes are
the same and it is not a string of digits.
If the domain is not the same, you can use the -domain command line
option on nfsuserd to set it. (Since this "domain" is underdefined,
I'd suggest only ascii characters and all alphabetics in lower case.)
If the client sends a string of digits, check to make sure the sysctl
vfs.nfs.enable_uidtostring is set to 0.

rick

> Best regards,
> Andreas Kempe
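The two checks Rick suggests above (same @domain on both sides, and no bare string of digits in front of the @) can be applied mechanically to Owner/Owner_group strings copied out of the capture. The helper below is an added example written for this archive page; it is not code from the thread or from FreeBSD. The client domain and the sample owner strings are constructed values, and the sysctl value is passed in rather than read, so the script runs anywhere.

```shell
#!/bin/sh
# Added diagnostic helper, not from the mailing-list thread.
# classify_owner applies the two checks from the reply to an NFSv4
# Owner/Owner_group attribute string: the @domain part must match the
# client's nfsuserd domain, and the part before '@' must not be digits only.
# All sample strings below are constructed, not taken from a real capture.

# Domain the FreeBSD client's nfsuserd is assumed to be configured with
# (the value you would otherwise pass via nfsuserd -domain).
CLIENT_DOMAIN="lysator.liu.se"

# classify_owner OWNER_STRING CLIENT_DOMAIN
# Prints one of: ok, no-domain, numeric-id, domain-mismatch.
# Returns 0 only for "ok", so it can be used in conditionals.
classify_owner() {
    owner=$1
    expected=$2
    case "$owner" in
        *@*) ;;
        *) echo "no-domain"; return 1 ;;
    esac
    name=${owner%%@*}
    domain=${owner#*@}
    # A bare uid/gid before the '@' means the sender emits numeric ids
    # instead of names; on a FreeBSD client that points at
    # vfs.nfs.enable_uidtostring being 1 rather than 0.
    case "$name" in
        ''|*[!0-9]*) ;;
        *) echo "numeric-id"; return 1 ;;
    esac
    # The NFSv4 domain is loosely defined, so compare in lower-case ASCII
    # and flag anything that still differs.
    lower_domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    lower_expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$lower_domain" != "$lower_expected" ]; then
        echo "domain-mismatch"; return 1
    fi
    echo "ok"; return 0
}

# check_uidtostring VALUE
# VALUE is what `sysctl -n vfs.nfs.enable_uidtostring` prints on the client;
# 0 is the setting a name-based mapping setup expects.
check_uidtostring() {
    if [ "$1" = "0" ]; then
        echo "ok"; return 0
    fi
    echo "enable_uidtostring-is-$1"; return 1
}

# Constructed sample Owner attribute values, one per failure mode.
for sample in "kempe@lysator.liu.se" "kempe@LYSATOR.LIU.SE" \
              "31490@lysator.liu.se" "kempe@nfs.example.org" "kempe"; do
    printf '%-24s %s\n' "$sample" "$(classify_owner "$sample" "$CLIENT_DOMAIN")"
done

# Constructed sysctl values standing in for the real `sysctl -n` output.
printf 'enable_uidtostring=0: %s\n' "$(check_uidtostring 0)"
printf 'enable_uidtostring=1: %s\n' "$(check_uidtostring 1)"
```

On a real client, replace the loop input with the Owner/Owner_group strings from the GETATTR replies in the capture and pass the output of `sysctl -n vfs.nfs.enable_uidtostring` to check_uidtostring; a "domain-mismatch" result is the case for nfsuserd -domain, a "numeric-id" result is the case for the sysctl.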