Date: Thu, 4 Jul 2013 20:37:07 -0400 (EDT) From: Rick Macklem <rmacklem@uoguelph.ca> To: Oleg Sharoyko <osharoiko@gmail.com> Cc: freebsd-fs@freebsd.org Subject: Re: NFSv4 and Kerberos, group permission seem to be ignored Message-ID: <1821939739.2131305.1372984627528.JavaMail.root@uoguelph.ca> In-Reply-To: <CAOSKQLHu8eo6wvDWFrxCZ0fA-tiOh9TpAR7Q%2B7zY9na8=k%2BChA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Oleg Sharoyko wrote: > Hello, > > I have a small server which runs FreeBSD 9.1 and I've is set up as > NFSv4 server with kerberised NFS access. My clients are linux > machines. It almost works as expected (mounting/accessing files) > except for one strange issue: it looks like group permissions on > files > and directories are being ignored. Here's an example: > > Server: > > evendim:~ % id > uid=1001(ols) gid=1001(ols) groups=1001(ols),0(wheel),60000(family) > evendim:~ % ls -l /data/file1 > -rw-rw---- 1 root family 6 4 Jul 18:42 /data/file1 > evendim:~ % cat /data/file1 > test1 > evendim:~ % ls -l /data/file2 > -rw------- 1 ols family 6 4 Jul 18:42 /data/file2 > evendim:~ % cat /data/file2 > test2 > evendim:~ % ls -l /data/file3 > -rw-r--r-- 1 root family 6 4 Jul 18:42 /data/file3 > evendim:~ % cat /data/file3 > test3 > evendim:~ % cat /etc/exports > V4:/ -sec=krb5 > /data -sec=krb5 > Well, here's the code snippet in gssd.c that does the principal/user name to gid list translation. All I can suggest is putting this in a little test program on the server and then running it as "root", to see if it generates the results you would expect. (Btw, NGRPS is defined as 16 in a .h file in /usr/include/rpc. I suspect that should be increased and the code should check for a -1 return from getgrouplist(). However, you don't seem to exceed 16 groups. It also assumes that sizeof(gid_t) == sizeof(int). A little weird and I'm not sure that is true for all arches? Did I remember to mention I wasn't the author of this?;-) if (pw) { int len = NGRPS; int groups[NGRPS]; result->gid = pw->pw_gid; getgrouplist(pw->pw_name, pw->pw_gid, groups, &len); result->gidlist.gidlist_len = len; result->gidlist.gidlist_val = mem_alloc(len * sizeof(int)); memcpy(result->gidlist.gidlist_val, groups, len * sizeof(int)); gssd_verbose_out("gssd_pname_to_uid: mapped" " to uid=%d, gid=%d\n", (int)result->uid, (int)result->gid); } else { > Client: > > sherlock:~ % id > uid=1000(ols) gid=1000(ols) > groups=1000(ols),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),110(bluetooth),113(fuse),116(scanner),118(kismet),60000(family) > sherlock:~ % sudo mount -v -t nfs4 -o sec=krb5 > evendim.sharoyko.net:/data /mnt > mount.nfs4: timeout set for Thu Jul 4 19:52:16 2013 > mount.nfs4: trying text-based options > 'sec=krb5,addr=192.168.1.3,clientaddr=192.168.1.128' > sherlock:~ % ls -l /mnt/file1 > -rw-rw---- 1 root family 6 Jul 4 19:42 /mnt/file1 > sherlock:~ % cat /mnt/file1 > cat: /mnt/file1: Permission denied > sherlock:~ % ls -l /mnt/file2 > -rw------- 1 ols family 6 Jul 4 19:42 /mnt/file2 > sherlock:~ % cat /mnt/file2 > test2 > sherlock:~ % ls -l /mnt/file3 > -rw-r--r-- 1 root family 6 Jul 4 19:42 /mnt/file3 > sherlock:~ % cat /mnt/file3 > test3 > > As you can see file2 is inaccessible while it has group read/write > permissions, user ols belongs to group family on both client and > server and user/group mapping seems to work. /data on the server is a > ZFS filesystem but I've also tried UFS with the same results. I've > also tried ACLs and ACLs for users do work while ACLs for groups > don't > seem to have any effect. Is there something that I'm doing wrong? Is > this an expected behaviour? I will greatly appreciate if you can help > me debugging this issue. I'll quote below captured packets that are > relevant to my attempt to access file1. As you can see access is > clearly denied by server but I don't understand why. > > No. Time Source Destination > Protocol Length Info > 109 5.649608 192.168.1.128 192.168.1.3 NFS > 258 V4 Call (Reply In 110) LOOKUP DH:0x4dcc3776/file1 > > Frame 109: 258 bytes on wire (2064 bits), 258 bytes captured (2064 > bits) > Ethernet II, Src: GemtekTe_f6:cf:a1 (00:26:82:f6:cf:a1), Dst: > Giga-Byt_db:cd:c4 (90:2b:34:db:cd:c4) > Internet Protocol Version 4, Src: 192.168.1.128 (192.168.1.128), Dst: > 192.168.1.3 (192.168.1.3) > Transmission Control Protocol, Src Port: 726 (726), Dst Port: nfs > (2049), Seq: 3337, Ack: 3193, Len: 192 > Remote Procedure Call, Type:Call XID:0xba073c52 > Network File System > [Program Version: 4] > [V4 Procedure: COMPOUND (1)] > Tag: <EMPTY> > length: 0 > contents: <EMPTY> > minorversion: 0 > Operations (count: 4) > Opcode: PUTFH (22) > filehandle > length: 28 > [hash (CRC-32): 0x4dcc3776] > decode type as: unknown > filehandle: > 9a7470c6deedeca50a0004000000000037d80a0000000000... > Opcode: LOOKUP (15) > Filename: file1 > length: 5 > contents: file1 > fill bytes: opaque data > Opcode: GETFH (10) > Opcode: GETATTR (9) > GETATTR4args > attr_request > bitmap[0] = 0x0010011a > [5 attributes requested] > mand_attr: FATTR4_TYPE (1) > mand_attr: FATTR4_CHANGE (3) > mand_attr: FATTR4_SIZE (4) > mand_attr: FATTR4_FSID (8) > recc_attr: FATTR4_FILEID (20) > bitmap[1] = 0x0030a23a > [9 attributes requested] > recc_attr: FATTR4_MODE (33) > recc_attr: FATTR4_NUMLINKS (35) > recc_attr: FATTR4_OWNER (36) > recc_attr: FATTR4_OWNER_GROUP (37) > recc_attr: FATTR4_RAWDEV (41) > recc_attr: FATTR4_SPACE_USED (45) > recc_attr: FATTR4_TIME_ACCESS (47) > recc_attr: FATTR4_TIME_METADATA (52) > recc_attr: FATTR4_TIME_MODIFY (53) > [Main Opcode: LOOKUP (15)] > > No. Time Source Destination > Protocol Length Info > 110 5.649870 192.168.1.3 192.168.1.128 NFS > 370 V4 Reply (Call In 109) LOOKUP > > Frame 110: 370 bytes on wire (2960 bits), 370 bytes captured (2960 > bits) > Ethernet II, Src: Giga-Byt_db:cd:c4 (90:2b:34:db:cd:c4), Dst: > GemtekTe_f6:cf:a1 (00:26:82:f6:cf:a1) > Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: > 192.168.1.128 (192.168.1.128) > Transmission Control Protocol, Src Port: nfs (2049), Dst Port: 726 > (726), Seq: 3193, Ack: 3529, Len: 304 > Remote Procedure Call, Type:Reply XID:0xba073c52 > Network File System > [Program Version: 4] > [V4 Procedure: COMPOUND (1)] > Status: NFS4_OK (0) > Tag: <EMPTY> > length: 0 > contents: <EMPTY> > Operations (count: 4) > Opcode: PUTFH (22) > Status: NFS4_OK (0) > Opcode: LOOKUP (15) > Status: NFS4_OK (0) > Opcode: GETFH (10) > Status: NFS4_OK (0) > Filehandle > length: 28 > [hash (CRC-32): 0xc0a4eeb4] > decode type as: unknown > filehandle: > 9a7470c6deedeca50a00ed00000000001bb70d0000000000... > Opcode: GETATTR (9) > Status: NFS4_OK (0) > GETATTR4res > resok4 > obj_attributes > attrmask > bitmap[0] = 0x0010011a > [5 attributes requested] > mand_attr: FATTR4_TYPE (1) > mand_attr: FATTR4_CHANGE (3) > mand_attr: FATTR4_SIZE (4) > mand_attr: FATTR4_FSID (8) > recc_attr: FATTR4_FILEID (20) > bitmap[1] = 0x0030a23a > [9 attributes requested] > recc_attr: FATTR4_MODE (33) > recc_attr: FATTR4_NUMLINKS (35) > recc_attr: FATTR4_OWNER (36) > recc_attr: FATTR4_OWNER_GROUP (37) > recc_attr: FATTR4_RAWDEV (41) > recc_attr: FATTR4_SPACE_USED (45) > recc_attr: FATTR4_TIME_ACCESS (47) > recc_attr: FATTR4_TIME_METADATA (52) > recc_attr: FATTR4_TIME_MODIFY (53) > attr_vals > mand_attr: FATTR4_TYPE (1) > nfs_ftype4: NF4REG (1) > mand_attr: FATTR4_CHANGE (3) > changeid: 96 > mand_attr: FATTR4_SIZE (4) > size: 6 > mand_attr: FATTR4_FSID (8) > fattr4_fsid > fsid4.major: 3329258650 > fsid4.minor: 2783768030 > recc_attr: FATTR4_FILEID (20) > fileid: 237 > recc_attr: FATTR4_MODE (33) > fattr4_mode: 0660 > 000. .... .... .... = Unknown > .... 0... .... .... = not SUID > .... .0.. .... .... = not SGID > .... ..0. .... .... = not save > swapped text > .... ...1 .... .... = Read > permission for owner > .... .... 1... .... = Write > permission for owner > .... .... .0.. .... = no Execute > permission for owner > .... .... ..1. .... = Read > permission for group > .... .... ...1 .... = Write > permission for group > .... .... .... 0... = no Execute > permission for group > .... .... .... .0.. = no Read > permission for others > .... .... .... ..0. = no Write > permission for others > .... .... .... ...0 = no Execute > permission for others > recc_attr: FATTR4_NUMLINKS (35) > numlinks: 1 > recc_attr: FATTR4_OWNER (36) > fattr4_owner: root@id.sharoyko.net > length: 20 > contents: root@id.sharoyko.net > recc_attr: FATTR4_OWNER_GROUP (37) > fattr4_owner_group: > family@id.sharoyko.net > length: 22 > contents: family@id.sharoyko.net > fill bytes: opaque data > recc_attr: FATTR4_RAWDEV (41) > specdata1: 128 > specdata2: 123863040 > recc_attr: FATTR4_SPACE_USED (45) > space_used: 1024 > recc_attr: FATTR4_TIME_ACCESS (47) > seconds: 1372963326 > nseconds: 263434280 > recc_attr: FATTR4_TIME_METADATA (52) > seconds: 1372963379 > nseconds: 804435894 > recc_attr: FATTR4_TIME_MODIFY (53) > seconds: 1372963326 > nseconds: 264422029 > [Main Opcode: LOOKUP (15)] > > No. Time Source Destination > Protocol Length Info > 117 8.456684 192.168.1.128 192.168.1.3 NFS > 322 V4 Call (Reply In 118) OPEN DH:0x4dcc3776/file1 > > Frame 117: 322 bytes on wire (2576 bits), 322 bytes captured (2576 > bits) > Ethernet II, Src: GemtekTe_f6:cf:a1 (00:26:82:f6:cf:a1), Dst: > Giga-Byt_db:cd:c4 (90:2b:34:db:cd:c4) > Internet Protocol Version 4, Src: 192.168.1.128 (192.168.1.128), Dst: > 192.168.1.3 (192.168.1.3) > Transmission Control Protocol, Src Port: 726 (726), Dst Port: nfs > (2049), Seq: 3905, Ack: 3697, Len: 256 > Remote Procedure Call, Type:Call XID:0xbd073c52 > Network File System > [Program Version: 4] > [V4 Procedure: COMPOUND (1)] > Tag: <EMPTY> > length: 0 > contents: <EMPTY> > minorversion: 0 > Operations (count: 5) > Opcode: PUTFH (22) > filehandle > length: 28 > [hash (CRC-32): 0x4dcc3776] > decode type as: unknown > filehandle: > 9a7470c6deedeca50a0004000000000037d80a0000000000... > Opcode: OPEN (18) > seqid: 0x00000000 > share_access: OPEN4_SHARE_ACCESS_READ (1) > share_deny: OPEN4_SHARE_DENY_NONE (0) > clientid: 0xcd6cc75124000000 > owner: <DATA> > length: 24 > contents: <DATA> > Open Type: OPEN4_NOCREATE (0) > Claim Type: CLAIM_NULL (0) > Filename: file1 > length: 5 > contents: file1 > fill bytes: opaque data > Opcode: GETFH (10) > Opcode: ACCESS (3), [Check: RD MD XT XE] > Check access: 0x2d > .... ...1 = 0x01 READ: allowed? > .... .1.. = 0x04 MODIFY: allowed? > .... 1... = 0x08 EXTEND: allowed? > ..1. .... = 0x20 EXECUTE: allowed? > Opcode: GETATTR (9) > GETATTR4args > attr_request > bitmap[0] = 0x0010011a > [5 attributes requested] > mand_attr: FATTR4_TYPE (1) > mand_attr: FATTR4_CHANGE (3) > mand_attr: FATTR4_SIZE (4) > mand_attr: FATTR4_FSID (8) > recc_attr: FATTR4_FILEID (20) > bitmap[1] = 0x0030a23a > [9 attributes requested] > recc_attr: FATTR4_MODE (33) > recc_attr: FATTR4_NUMLINKS (35) > recc_attr: FATTR4_OWNER (36) > recc_attr: FATTR4_OWNER_GROUP (37) > recc_attr: FATTR4_RAWDEV (41) > recc_attr: FATTR4_SPACE_USED (45) > recc_attr: FATTR4_TIME_ACCESS (47) > recc_attr: FATTR4_TIME_METADATA (52) > recc_attr: FATTR4_TIME_MODIFY (53) > [Main Opcode: OPEN (18)] > > No. Time Source Destination > Protocol Length Info > 118 8.456811 192.168.1.3 192.168.1.128 NFS > 150 V4 Reply (Call In 117) OPEN Status: NFS4ERR_ACCES > > Frame 118: 150 bytes on wire (1200 bits), 150 bytes captured (1200 > bits) > Ethernet II, Src: Giga-Byt_db:cd:c4 (90:2b:34:db:cd:c4), Dst: > GemtekTe_f6:cf:a1 (00:26:82:f6:cf:a1) > Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: > 192.168.1.128 (192.168.1.128) > Transmission Control Protocol, Src Port: nfs (2049), Dst Port: 726 > (726), Seq: 3697, Ack: 4161, Len: 84 > Remote Procedure Call, Type:Reply XID:0xbd073c52 > Network File System > [Program Version: 4] > [V4 Procedure: COMPOUND (1)] > Status: NFS4ERR_ACCES (13) > Tag: <EMPTY> > length: 0 > contents: <EMPTY> > Operations (count: 2) > Opcode: PUTFH (22) > Status: NFS4_OK (0) > Opcode: OPEN (18) > Status: NFS4ERR_ACCES (13) > [Main Opcode: OPEN (18)] > > Kind regards, > -- > Oleg > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1821939739.2131305.1372984627528.JavaMail.root>