Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access

Reply: Rick Macklem : "Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access"
In reply to: Andreas Kempe : "Kerberised NFSv4 - everyone gets mapped to nobody on file access"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Wed, 27 Mar 2024 00:33:55 UTC

On Tue, Mar 26, 2024 at 5:04 PM Andreas Kempe <kempe@lysator.liu.se> wrote:
>
> Hello everyone,
>
> I have a bit of a head scratcher and need some help. I've configured a
> Linux NFS server running on Rocky Linux 8, kernel version 6.8, to act
> as a kerberised NFSv4 server.
>
> The server has the following export line
>
>         /tank/beta-testing *.lysator.liu.se(rw,sync,no_wdelay,sec=krb5:krb5p,no_root_squash)
>
> and I can mount the export fine using both krb5 and krb5p. idmap is
> running on the Linux server/clients while nfsuserd is running on the
> FreeBSD client. I'm using host credentials for the mounts and not user
> credentials.
>
> I can mount the share on my Linux clients and everything works as
> expected.
>
> On my FreeBSD clients, I have the issue that all users on the client
> seem to get mapped to nobody when accessing files. Doing a directory
> listing shows correct owners
>
>         kempe@claptrap /mnt> ls -l /mp/diskus/
>         total 92
>         drwxr-xr-x    2 aoh    aoh        2 feb. 18 22:35 aoh/
>         drwxr-xr-x  195 hx     hx       516 juli  1  2018 hx/
>         drwx------    3 kempe  kempe      3 mars 27 00:45 kempe/
>         drwxr-xr-x  104 octol  lysator  213 maj   6  2022 octol/
>
> and I can see that nfsuserd has loaded the info into the kernel
>
>   15 Mar 26 23:35:40 claptrap nfsuserd:[3097]: Added uid=31490 name=kempe
>   16 Mar 26 23:35:40 claptrap nfsuserd:[3096]: Added uid=31490 name=kempe
>
> but if I try to enter the kempe directory, I get a permission denied
>
>         kempe@claptrap /mnt> cd /mp/diskus/kempe
>         cd: Permission denied: '/mp/diskus/kempe'
>
> changing permissions on the kempe directory to 777, I can enter it and
> create a file
>
>         kempe@claptrap /mnt> cd /mp/diskus/kempe
>         kempe@claptrap /m/d/kempe> touch testfile
>         kempe@claptrap /m/d/kempe> ls -l
>         total 10
>         drwxr-xr-x  5 kempe   kempe   88 feb. 19 13:33 bonnie++-2.00a/
>         -rw-r--r--  1 nobody  nobody   0 mars 27 00:54 testfile
>
> but the file is owned by nobody instead of my user kempe.
>
> User credentials are stored in LDAP and resolved through nslcd.
>
> I have tried searching, but this is a difficult one to search for as
> most hits relate to everything being owned by nobody on account of
> idmapd/nfsuserd not running.
>
> Has anyone seen anything like this or do you have any good suggestions
> on where to start looking?
Take a look at a packet capture in wireshark.
Check that the @domain part of Owner and Owner_group attributes are
the same and it is not a string of digits.
If the domain is not the same, you can use the -domain command line option
on nfsuserd to set it.
(Since this "domain" is underdefined, I'd suggest only ascii characters and
all alphabetics in lower case.)
If the client sends a string of digits, check to make sure the sysctl
vfs.nfs.enable_uidtostring is set to 0.

rick


>
> Best regards,
> Andreas Kempe
>