From: Loïc Blot
Subject: Re: NFSv4 nobody issue
To: Rick Macklem
Date: Mon, 13 Oct 2014 13:14:41 +0000
In-Reply-To: <1626547992.63435100.1413204182279.JavaMail.root@uoguelph.ca>
Cc: freebsd-fs@freebsd.org

Hi Rick,
no request is done.
In /var/log/messages on the client I have:

Oct 13 15:10:46 machine kernel: No name and/or group mapping for uid,gid:(65534,-1)

The FreeBSD kernel refuses to change the owner.

Regards,

Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr

13 October 2014 14:43 "Rick Macklem" wrote:
> Loic Blot wrote:
> 
>> Hi,
>> I tried some other things
>> 
>> User nobody (65534)
>> -> chown nobody /usr/jail/test.file => problem
>> 
>> Group nogroup (65533)
>> -> chown :nogroup /usr/jail/test.file => same problem
>> 
>> Group nobody (65534)
>> -> chown :nobody /usr/jail/test.file => no problem
>> 
>> Change user nobody UID from 65534 to 65533 => same problem. It's not
>> a UID number problem but a name problem.
> 
> Yes, for NFSv4 it is the names that go in the RPC request and not the
> numbers. However, since there are the numbers in the AUTH_SYS credential
> in the header (unless you are using Kerberized mounts), the numbers for
> the names need to be consistent between client and server.
> 
>> Then, user nobody and group nogroup (not the integer values) are
>> problematic. I looked at nfsuserd.c and I see:
>> u_char *defaultuser = "nobody";
>> u_char *defaultgroup = "nogroup";
> 
> These are used if no mapping is found in the user or group database
> for whatever name is in the RPC on the wire.
> 
> If you want to see what is happening, I suggest that you capture
> packets when you do the "chown" (You can use "tcpdump -s 0 -w file.pcap host XXX".)
> then look at them in wireshark.
> In wireshark, look for the Setattr RPC and then look in the settable attributes.
> You should find Owner which looks like "nobody@ and
> Owner_group which looks the same (or "nogroup@" if you
> used nogroup). "nogroup" must be in your group database (/etc/group or whatever
> you use for a group database) and the number must be consistent across client
> and server.
> Also, see what the reply to the Setattr RPC is (it is actually a Compound RPC
> labelled "Setattr" for NFSv4).
> 
> If there is no Setattr RPC, then the mapping is failing in the client.
> 
> If the stuff looks correct on the wire, then it is most likely a server side
> issue.
> 
> rick
> 
>> I think it's related.
>> 
>> Regards,
>> 
>> Loïc Blot,
>> UNIX Systems, Network and Security Engineer
>> http://www.unix-experience.fr
>> 
>> 13 October 2014 09:15 "Loïc Blot" wrote:
>>> Hi,
>>> of course I have it. On each node:
>>> 
>>> # cat /etc/master.passwd | grep nobody
>>> returns:
>>> nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
>>> 
>>> That's why I do a report here :)
>>> 
>>> Regards,
>>> 
>>> Loïc Blot,
>>> UNIX Systems, Network and Security Engineer
>>> http://www.unix-experience.fr
>>> 
>>> 10 October 2014 13:51 "Rick Macklem" wrote:
>>> 
>>>> Loic Blot wrote:
>>>> 
>>>>> Hello @freebsd-fs,
>>>>> I'm trying to do jail hosting over NFSv4 with ezjail and I'm
>>>>> experiencing an issue that I can't resolve. When I extract
>>>>> base.txz (with ezjail) or I set the nobody user on a file, I have
>>>>> this error:
>>>>> 
>>>>> chown nobody:nobody /usr/jails/fulljail/mnt/
>>>>> No name and/or group mapping for uid,gid:(65534,65534)
>>>>> chown: /usr/jails/fulljail/mnt/: Operation not permitted
>>>>> 
>>>>> No problem if I set:
>>>>> chown mysql:nobody /usr/jails/fulljail/mnt/
>>>>> 
>>>>> Problem appears on all files.
>>>> 
>>>> Do you have a user by the name of "nobody" in your password
>>>> database?
>>>> (NFSv4 uses names and not numbers on the wire, so no name-->no
>>>> mapping and chown can't be done.)
>>>> 
>>>> rick
>>>> 
>>>>> On my ZFS+NFSv4 server I do a dataset, exported in NFS
>>>>> 
>>>>> /etc/exports:
>>>>> V4: /
>>>>> 
>>>>> zfs get sharenfs pool/jails:
>>>>> -network=10.99.99.0 -mask=255.255.255.0 -maproot=root
>>>>> 
>>>>> nfsuserd and nfsv4_server_enable=YES on both client and server,
>>>>> plus nfsbcd on client.
>>>>> 
>>>>> On the client here is the fstab entry
>>>>> 10.99.99.99:/pool/jails /usr/jails nfs rw,nfsv4 0 0
>>>>> 
>>>>> What am I doing wrong?
>>>>> 
>>>>> Thanks in advance
>>>>> Regards,
>>>>> 
>>>>> Loïc Blot,
>>>>> UNIX Systems, Network and Security Engineer
>>>>> http://www.unix-experience.fr
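As an added example (not code from the thread or from FreeBSD), a small Python check modelled on Rick's advice that an NFSv4 owner/group name must exist on both hosts and map to the same number; the passwd/group contents, the idmap domain and the `resolve()` fallback are assumptions, with the fallback names mirroring the nfsuserd.c defaults quoted above.

```python
"""Compare name->id mappings on an NFSv4 client and server and simulate the
server-side name lookup with nfsuserd's default fallback. All sample data is
constructed; it is not taken from the hosts in the thread."""

NFSV4_DOMAIN = "example.org"  # placeholder idmap domain (assumption)
DEFAULT_USER, DEFAULT_GROUP = "nobody", "nogroup"  # defaults quoted from nfsuserd.c

def parse_db(text):
    """Parse passwd(5)/group(5)-style lines into {name: numeric id}; skips comments."""
    ids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].lstrip("-").isdigit():
            ids[fields[0]] = int(fields[2])
    return ids

def resolve(wire_name, db, default):
    """Assumed model of the server lookup: strip the @domain, fall back to the
    nfsuserd default name when the wire name is unknown, and return -1 when even
    the default is absent from the database (no mapping possible)."""
    name = wire_name.split("@", 1)[0]
    if name in db:
        return db[name]
    return db.get(default, -1)

def compare(client_db, server_db):
    """One finding per name that is missing on one side or has a different id."""
    findings = []
    for name in sorted(set(client_db) | set(server_db)):
        c, s = client_db.get(name), server_db.get(name)
        if c is None or s is None:
            findings.append((name, "missing on " + ("client" if c is None else "server")))
        elif c != s:
            findings.append((name, "id differs: client=%d server=%d" % (c, s)))
    return findings

# Constructed sample: the server's group database lacks "nogroup" entirely.
CLIENT_GROUP = "wheel:*:0:root\nnogroup:*:65533:\nnobody:*:65534:\n"
SERVER_GROUP = "wheel:*:0:root\nnobody:*:65534:\n"

if __name__ == "__main__":
    for name, why in compare(parse_db(CLIENT_GROUP), parse_db(SERVER_GROUP)):
        print("%-10s %s" % (name, why))
    # Owner_group "nogroup@<domain>" on the wire: no entry and no usable fallback -> -1
    print(resolve("nogroup@" + NFSV4_DOMAIN, parse_db(SERVER_GROUP), DEFAULT_GROUP))
```

Run it against the real files by reading /etc/passwd and /etc/group from each host into the two strings; a non-empty findings list is the first thing to fix before capturing the Setattr RPC.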