Date: Mon, 13 Oct 2014 13:14:41 +0000 From: "=?utf-8?B?TG/Dr2MgQmxvdA==?=" <loic.blot@unix-experience.fr> To: "Rick Macklem" <rmacklem@uoguelph.ca> Cc: freebsd-fs@freebsd.org Subject: Re: NFSv4 nobody issue Message-ID: <d6f2ac9a0bdb26429e624f6c1926c5d9@mail.unix-experience.fr> In-Reply-To: <1626547992.63435100.1413204182279.JavaMail.root@uoguelph.ca> References: <1626547992.63435100.1413204182279.JavaMail.root@uoguelph.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Rick,=0Ano request is done.=0AIn /var/log/messages on the client i hav= e:=0A=0AOct 13 15:10:46 machine kernel: No name and/or group mapping for = uid,gid:(65534,-1)=0A=0AThe FreeBSD kernel refuses to change the owner.= =0A=0ARegards,=0A=0ALo=C3=AFc Blot,=0AUNIX Systems, Network and Security = Engineer=0Ahttp://www.unix-experience.fr=0A=0A13 octobre 2014 14:43 "Rick= Macklem" <rmacklem@uoguelph.ca> a =C3=A9crit: =0A> Loic Blot wrote:=0A> = =0A>> Hi,=0A>> i tryed some other things=0A>> =0A>> User nobody (65534)= =0A>> -> chown nobody /usr/jail/test.file =3D> problem=0A>> =0A>> Group n= ogroup (65533)=0A>> -> chown :nogroup /usr/jail/test.file =3D> same probl= em=0A>> =0A>> Group nobody (65534)=0A>> -> chown :nobody /usr/jail/test.f= ile =3D> no problem=0A>> =0A>> Change user nobody UID from 65534 to 65533= =3D> same problem. It's not=0A>> a UID number problem but a name problem= .=0A> =0A> Yes, for NFSv4 it is the names that go in the RPC request and = not the=0A> numbers. However, since there are the numbers in the AUTH_SYS= credential=0A> in the header (unless you are using Kerberized mounts), t= he numbers for=0A> the names need to be consistent between client and ser= ver.=0A> =0A>> Then, user nobody and group nogroup (not the integer value= s) are=0A>> problematic. I looked at nfsuserd.c and i see:=0A>> u_char *d= efaultuser =3D "nobody";=0A>> u_char *defaultgroup =3D "nogroup";=0A> =0A= > These are used if no mapping is found in the user or group database=0A>= for whatever name is in the RPC on the wire.=0A> =0A> If you want to see= what is happening, I suggest that you capture=0A> packets when you do th= e "chown" (You can use "tcpdump -s 0 -w file.pcap host XXX".)=0A> then lo= ok at them in wireshark.=0A> In wireshark, look for the Setattr RPC and t= hen look in the setable attributes.=0A> You should find Owner which looks= like "nobody@<your.dns.domain> and=0A> Owner_group which looks the same = (or "nogroup@<your.dns.domain>" if you=0A> used nogroup). "nogroup" must = be in your group database (/etc/group or whatever=0A> you use for a group= database) and the number must be consistent across client=0A> and server= .=0A> Also, see what the reply to the Setattr RPC is (it is actually a Co= mpound RPC=0A> labelled "Setattr" for NFSv4).=0A> =0A> If there is no Set= attr RPC, then the mapping is failing in the client.=0A> =0A> If the stuf= f looks correct on the wire, then it is most likely a server side=0A> iss= ue.=0A> =0A> rick=0A> =0A>> I think it's related.=0A>> =0A>> Regards,=0A>= > =0A>> Lo=C3=AFc Blot,=0A>> UNIX Systems, Network and Security Engineer= =0A>> http://www.unix-experience.fr=0A>>; =0A>> 13 octobre 2014 09:15 "Lo= =C3=AFc Blot" <loic.blot@unix-experience.fr> a=0A>> =C3=A9crit:=0A>>> Hi,= =0A>>> of course i have it. On each node:=0A>>> =0A>>> # cat /etc/master.= passwd | grep nobody=0A>>> returns:=0A>>> nobody:*:65534:65534::0:0:Unpri= vileged=0A>>> user:/nonexistent:/usr/sbin/nologin=0A>>> =0A>>> It's why i= do a report here :)=0A>>> =0A>>> Regards,=0A>>> =0A>>> Lo=C3=AFc Blot,= =0A>>> UNIX Systems, Network and Security Engineer=0A>>> http://www.unix-= experience.fr=0A>>> =0A>>> 10 octobre 2014 13:51 "Rick Macklem" <rmacklem= @uoguelph.ca> a=0A>>> =C3=A9crit:=0A>>> =0A>>>> Loic Blot wrote:=0A>>>> = =0A>>>>> Hello @freebsd-fs,=0A>>>>> i'm trying to do jail hosting over NF= Sv4 with ezjail and i'm=0A>>>>> experimenting an issue that i can't resol= ve. When i extract=0A>>>>> base.txz (with ezjail) or i set nobody user on= a file, i have=0A>>>>> this=0A>>>>> error:=0A>>>>> =0A>>>>> chown nobody= :nobody /usr/jails/fulljail/mnt/=0A>>>>> No name and/or group mapping for= uid,gid:(65534,65534)=0A>>>>> chown: /usr/jails/fulljail/mnt/: Operation= not permitted=0A>>>>> =0A>>>>> No problem if i set:=0A>>>>> chown mysql:= nobody /usr/jails/fulljail/mnt/=0A>>>>> =0A>>>>> Problem appears on all f= iles.=0A>>>> =0A>>>> Do you have a user by the name of "nobody" in your p= assword=0A>>>> database?=0A>>>> (NFSv4 uses names and not numbers on the = wire, so no name-->no=0A>>>> mapping=0A>>>> and chown can't be done.)=0A>= >>> =0A>>>> rick=0A>>>> =0A>>>>> On my ZFS+NFSv4 server i do a dataset, e= xported in NFS=0A>>>>> =0A>>>>> /etc/exports:=0A>>>>> V4: /=0A>>>>> =0A>>= >>> zfs get sharenfs pool/jails:=0A>>>>> -network=3D10.99.99.0 -mask=3D25= 5.255.255.0 -maproot=3Droot=0A>>>>> =0A>>>>> nfsuserd and nfsv4_server_en= able=3DYES on both client and server,=0A>>>>> plus=0A>>>>> nfsbcd on clie= nt.=0A>>>>> =0A>>>>> On the client here is the fstab entry=0A>>>>> 10.99.= 99.99:/pool/jails /usr/jails nfs rw,nfsv4 0 0=0A>>>>> =0A>>>>> What i'm d= oing wrong ?=0A>>>>> =0A>>>>> Thanks in advance=0A>>>>> Regards,=0A>>>>> = =0A>>>>> Lo=C3=AFc Blot,=0A>>>>> UNIX Systems, Network and Security Engin= eer=0A>>>>> http://www.unix-experience.fr=0A>>>>>; =0A>> _________________= ______________=0A>> =0A>>>>> =0A>>>>> freebsd-fs@freebsd.org mailing list= =0A>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-fs=0A>>>>>; To = unsubscribe, send any mail to=0A>>>>> "freebsd-fs-unsubscribe@freebsd.org= "=0A>>> =0A>>> =0A>> _______________________________=0A>> =0A>>> =0A>>> f= reebsd-fs@freebsd.org mailing list=0A>>> http://lists.freebsd.org/mailman= /listinfo/freebsd-fs=0A>>> To unsubscribe, send any mail to=0A>>> "freebs= d-fs-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d6f2ac9a0bdb26429e624f6c1926c5d9>