Kerberised NFSv4 - everyone gets mapped to nobody on file access

Reply: Rick Macklem : "Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Andreas Kempe <kempe_at_lysator.liu.se>
Date: Wed, 27 Mar 2024 00:03:50 UTC

Hello everyone,

I have a bit of a head scratcher and need some help. I've configured a
Linux NFS server running on Rocky Linux 8, kernel version 6.8, to act
as a kerberised NFSv4 server.

The server has the following export line

	/tank/beta-testing *.lysator.liu.se(rw,sync,no_wdelay,sec=krb5:krb5p,no_root_squash)

and I can mount the export fine using both krb5 and krb5p. idmap is
running on the Linux server/clients while nfsuserd is running on the
FreeBSD client. I'm using host credentials for the mounts and not user
credentials.

I can mount the share on my Linux clients and everything works as
expected.

On my FreeBSD clients, I have the issue that all users on the client
seem to get mapped to nobody when accessing files. Doing a directory
listing shows correct owners

	kempe@claptrap /mnt> ls -l /mp/diskus/
	total 92
	drwxr-xr-x    2 aoh    aoh        2 feb. 18 22:35 aoh/
	drwxr-xr-x  195 hx     hx       516 juli  1  2018 hx/
	drwx------    3 kempe  kempe      3 mars 27 00:45 kempe/
	drwxr-xr-x  104 octol  lysator  213 maj   6  2022 octol/

and I can see that nfsuserd has loaded the info into the kernel

  15 Mar 26 23:35:40 claptrap nfsuserd:[3097]: Added uid=31490 name=kempe
  16 Mar 26 23:35:40 claptrap nfsuserd:[3096]: Added uid=31490 name=kempe

but if I try to enter the kempe directory, I get a permission denied

	kempe@claptrap /mnt> cd /mp/diskus/kempe
	cd: Permission denied: '/mp/diskus/kempe'

changing permissions on the kempe directory to 777, I can enter it and
create a file

	kempe@claptrap /mnt> cd /mp/diskus/kempe
	kempe@claptrap /m/d/kempe> touch testfile
	kempe@claptrap /m/d/kempe> ls -l
	total 10
	drwxr-xr-x  5 kempe   kempe   88 feb. 19 13:33 bonnie++-2.00a/
	-rw-r--r--  1 nobody  nobody   0 mars 27 00:54 testfile 

but the file is owned by nobody instead of my user kempe.

User credentials are stored in LDAP and resolved through nslcd.

I have tried searching, but this is a difficult one to search for as
most hits relate to everything being owned by nobody on account of
idmapd/nfsuserd not running.

Has anyone seen anything like this or do you have any good suggestions
on where to start looking?

Best regards,
Andreas Kempe