Date: Thu, 02 Jun 2022 15:13:42 -0400 From: Adonis Peralta <donileo@gmail.com> To: freebsd-net@freebsd.org Subject: NFSv4 on MacOS Monterey Message-ID: <5B070ACE-9ECD-4FAA-A975-C77BE87CEFAA@gmail.com>
I have some NFSv4 (sec=sys) shares on FreeBSD 13.1 which I'm trying to connect correctly with MacOS 12.4 Monterey. I got the basics down but don't think I have permissions and extended attributes working correctly.

My configuration is as follows:

SERVER CONFIGURATION
OS: FreeBSD 13.1

=== /etc/rc.conf
# NFS Configuration
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"
mountd_enable="YES"
### mountd_flags="-R"
### rpcbind_enable="YES"
### rpc_lockd_enable="YES"
### rpc_statd_enable="YES"
# Enable NFSv4
nfsv4_server_enable="YES"
nfsv4_server_only="YES"
nfsuserd_enable="YES"
nfsuserd_flags="-domain rambo.lan"
===

=== /etc/exports
# Exports Configuration
/drivepool/backups -alldirs -mapall=adonis:wheel
/drivepool/media -alldirs -mapall=adonis:wheel
/drivepool/home/adonis -alldirs -mapall=adonis:wheel
/drivepool/public -mapall=adonis:wheel
V4: /drivepool adonis-mbp adonis-pc
===

=== /etc/sysctl.conf
# Asks nfsd to convert remote uids/gids encoded as numeric strings to be mapped to an actual uid/gid
vfs.nfsd.enable_stringtouid=1
# Applies to both nfs server and client. Asks client/server to send numeric strings for uid/gid.
### vfs.nfs.enable_uidtostring=0
vfs.nfsd.debuglevel=3
===

The directories above are hosted on ZFS and NFSv4 ACL support is turned on.

CLIENT CONFIGURATION
OS: MacOS 12.4 Monterey

=== /etc/nfs.conf
nfs.client.mount.options=vers=4.0,intr,namedattr
nfs.client.default_nfs4domain = rambo.lan
===

Note: above I'm using namedattr to try to get the client to connect with named attributes support.

RESULTS

What I see when I connect via Finder is the following:

1. I am able to read/write to the shares since /etc/exports contains the -mapall line, yet inspecting a packet trace shows me:

===
packet #1 --- client ip -> server ip
Operations (count: 3): PUTFH, ACCESS, GETATTR
Opcode: PUTFH (22)
Opcode: ACCESS (3), [Check: RD LU MD XT DL XE]
Opcode: GETATTR (9)

packet #2 --- server ip -> client ip
Operations (count: 3)
Opcode: PUTFH (22)
Opcode: ACCESS (3), [NOT Supported: XE], [Access Denied: MD XT DL], [Allowed: RD LU]
Status: NFS4_OK (0)
Supported types (of requested): 0x1f
Access rights (of requested): 0x03
.... ...1 = 0x001 READ: allowed
.... ..1. = 0x002 LOOKUP: allowed
.... .0.. = 0x004 MODIFY: *Access Denied*
.... 0... = 0x008 EXTEND: *Access Denied*
...0 .... = 0x010 DELETE: *Access Denied*
Opcode: GETATTR (9)
===

Why are MD, XT, DL coming up as Access Denied if I can read/write to the share?

I have a feeling this is because UID/GID mapping is not happening correctly. I can see in the packet trace that FreeBSD's `nfsd` is sending some credentials as `adonis@rambo.lan`, but MacOS's NFS client is sending uid 501 and gid 20 for my user in the RPC credentials. I don't see how `nfsd` will be able to map uid 501, gid 20 to the server's uid and gid; instead I was expecting `adonis@rambo.lan` to be sent for credentials from the client side.

The link below tells me that this is an inherent issue with NFSv4?
https://dfusion.com.au/wiki/tiki-index.php?page=Why+NFSv4+UID+mapping+breaks+with+AUTH_UNIX

2. Extended attributes don't work at all. Here is the result:

===
$ cd /Volumes/media
$ touch test.txt
$ xattr -w com.example.color blue test.txt
# Result: xattr: [Errno 1] Operation not permitted: 'test.txt' #
===

-- 
Adonis
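An added example, not part of Adonis's post and not a FreeBSD or macOS tool, that decodes the two ACCESS reply bitmaps quoted in packet #2 above. The bit values are the ACCESS4_* constants defined in RFC 7530; the embedded trace text is a constructed copy of the fields shown in the post, and the line layout the parser expects is an assumption about that dump format. Decoding the masks this way makes the mismatch the post describes explicit: the server's ACCESS answer grants only READ and LOOKUP, even though the same client can write through the -mapall export, so the ACCESS check and the later WRITE are evidently not being evaluated against the same identity.

```python
import re

# NFSv4 ACCESS bit values (ACCESS4_* constants from RFC 7530, section 16.1).
ACCESS4_READ = 0x01
ACCESS4_LOOKUP = 0x02
ACCESS4_MODIFY = 0x04
ACCESS4_EXTEND = 0x08
ACCESS4_DELETE = 0x10
ACCESS4_EXECUTE = 0x20

# Order matters: it fixes the order of names in the decoded result.
ACCESS_NAMES = {
    ACCESS4_READ: "READ",
    ACCESS4_LOOKUP: "LOOKUP",
    ACCESS4_MODIFY: "MODIFY",
    ACCESS4_EXTEND: "EXTEND",
    ACCESS4_DELETE: "DELETE",
    ACCESS4_EXECUTE: "EXECUTE",
}
ACCESS_ALL = sum(ACCESS_NAMES)  # 0x3f, what the client asked for ([Check: RD LU MD XT DL XE])

# Constructed copy of the ACCESS fields from packet #2 in the post.
SAMPLE_REPLY = """\
Opcode: ACCESS (3), [NOT Supported: XE], [Access Denied: MD XT DL], [Allowed: RD LU]
Status: NFS4_OK (0)
Supported types (of requested): 0x1f
Access rights (of requested): 0x03
"""


def parse_access_reply(text):
    """Pull the 'supported' and 'access' masks out of a dissected ACCESS reply.

    The two field labels are assumed to match the dump format quoted above.
    """
    sup = re.search(r"Supported types \(of requested\):\s*(0x[0-9a-fA-F]+)", text)
    acc = re.search(r"Access rights \(of requested\):\s*(0x[0-9a-fA-F]+)", text)
    if sup is None or acc is None:
        raise ValueError("ACCESS reply fields not found in trace text")
    return int(sup.group(1), 16), int(acc.group(1), 16)


def decode_access(requested, supported, access):
    """Classify every requested bit as allowed, denied or unsupported.

    Per RFC 7530 a bit the server did not set in 'supported' carries no
    verdict at all, so it is reported separately rather than as denied.
    """
    result = {"allowed": [], "denied": [], "unsupported": []}
    for bit, name in ACCESS_NAMES.items():
        if not requested & bit:
            continue
        if not supported & bit:
            result["unsupported"].append(name)
        elif access & bit:
            result["allowed"].append(name)
        else:
            result["denied"].append(name)
    return result


def write_capable(requested, supported, access):
    """True only if the server granted both MODIFY and EXTEND for the file."""
    need = ACCESS4_MODIFY | ACCESS4_EXTEND
    return (requested & supported & access & need) == need


if __name__ == "__main__":
    supported, access = parse_access_reply(SAMPLE_REPLY)
    verdict = decode_access(ACCESS_ALL, supported, access)
    for kind, names in verdict.items():
        print(f"{kind:>11}: {' '.join(names) or '-'}")
    print("client should treat file as writable:", write_capable(ACCESS_ALL, supported, access))
```

Run it against a dissected ACCESS reply from your own capture: if `write_capable` is false while writes to the export succeed, the identity the server used for ACCESS (here the RPC AUTH_UNIX uid/gid) differs from the one applied to the data path, which is the mapping problem the post is asking about.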