From: Rick Macklem
Date: Thu, 28 Mar 2024 06:09:32 -0700
Subject: Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access
To: Andreas Kempe
Cc: freebsd-fs@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-fs

On Thu, Mar 28, 2024 at 3:46 AM Andreas Kempe wrote:
>
> On Wed, Mar 27, 2024 at 03:20:03PM -0700, Rick Macklem wrote:
> > On Wed, Mar 27, 2024 at 10:17 AM Andreas Kempe wrote:
> > >
> > > On Tue, Mar 26, 2024 at 05:54:38PM -0700, Rick Macklem wrote:
> > > > On Tue, Mar 26, 2024 at 5:33 PM Rick Macklem wrote:
> > > > >
> > > > > Take a look at a packet capture in wireshark.
> > > > > Check that the @domain part of Owner and Owner_group attributes are
> > > > > the same and it is not a string of digits.
> > > > Oh, and just fyi, you can use tcpdump to capture the packets, something like:
> > > > # tcpdump -s 0 -w out.pcap host
> > > > and then you can look at out.pcap wherever it is convenient to
> > > > install wireshark.
> > > > (I run it on this windows laptop.)
> > > > Don't bother to try and look at NFS with tcpdump. It doesn't know how
> > > > to decode it.
> > > >
> > > > > If the domain is not the same, you can use the -domain command line option
> > > > > on nfsuserd to set it.
> > > > > (Since this "domain" is underdefined, I'd suggest only ascii characters and
> > > > > all alphabetics in lower case.)
> > > > > If the client sends a string of digits, check to make sure the sysctl
> > > > > vfs.nfs.enable_uidtostring is set to 0.
> > > > >
> > >
> > > I'm using lysator.liu.se as the domain on both client and server. It
> > > seems to work since listing files gives correct owners.
> > >
> > > I have dumped the traffic from mounting and creating a file named
> > > test file that shows up as owned by nobody. I get the following call
> > > made
> > >
> > > NFS 438 V4 Call (Reply In 131) Open OPEN DH: 0x30a4c0aa/testfil
> > >
> > > In the OPEN (18) opcode, owner is set to
> > >
> > > 0000 af 16 00 00 93 fc 00 00 07 76 0d 00
> > >
> > > while the server sets owner to ex. kempe@lysator.liu.se as expected
> > > when directory listings are made.
> > Doesn't make sense. What does wireshark show you for the Owner
> > attribute in the settable attributes of the Open arguments. It should flag
> > it as non-UTF8.
> >
>
> I'm afraid I don't really understand how to check this. Wireshark
> specifies "owner: " if that says anything.
>
> > If you email me the pcap.out as an attachment, I'll look at it in wireshark.
> > The out.pcap should include both the Open that creates a file and an
> > "ls -l ", so there is a Getattr for the file as well.
> >
>
> I'll send you a capture off-list. Thank you for helping!

I looked at the capture.
The server is definitely replying "nobody@lysator.liu.se" for both owner and
owner_group for the file.
You can see it in the reply to Open, Lookup and the Getattr (you need to go
down past where it lists the attributes to see what their values are).
It does know kempe@lysator.liu.se, since that is reported for owner for
the directory.

I have no idea why it would do that, but it's a Linux server so???

rick

> > > rick
> > ps: If that is what is in the Owner field, all I can suggest is that was what
> >        a getpwnam() returned on the client. Possibly some weirdness with LDAP.
> >        (I never use LDAP. Only a local /etc/passwd.)
> > >
> > >
> > > vfs.nfs.enable_uidtostring is 0 on the client machine and I am not
> > > quite able to make sense of what the 12 bytes in the owner field are
> > > supposed to be. They are not the ASCII representation and neither my
> > > user's GID and UID that are both 0x7b02.
> > >
> > > // Andreas Kempe
> > >
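An added diagnostic helper, not part of this thread and not FreeBSD's own code: it applies the checks Rick lists above (owner and owner_group carry the same @domain, the domain is not a string of digits, the domain is plain lower-case ASCII) and flags the symptom seen in this capture (a file reported as nobody@domain while its directory maps correctly) to owner/owner_group strings copied out of a Wireshark dissection. The attribute values, paths and the expected domain in the sample are constructed for the example.

```python
"""Sanity-check NFSv4 owner/owner_group strings taken from a capture.

Constructed example: the SAMPLE entries below imitate what Wireshark shows
for fattr4 owner/owner_group values; they are not from any real capture.
"""

# Domain the nfsuserd on both ends is expected to use (example value).
EXPECTED_DOMAIN = "lysator.liu.se"


def split_owner(value):
    """Split 'name@domain' into (name, domain); domain is None if absent."""
    name, sep, domain = value.partition("@")
    return name, (domain if sep else None)


def check_owner(value, expected_domain=EXPECTED_DOMAIN):
    """Return a list of findings for one owner or owner_group string."""
    findings = []
    name, domain = split_owner(value)
    if domain is None:
        # No @domain at all: a bare id string, which the client sends when
        # vfs.nfs.enable_uidtostring is not 0.
        if name.isdigit():
            findings.append("numeric id without @domain (check vfs.nfs.enable_uidtostring=0)")
        else:
            findings.append("missing @domain part")
        return findings
    if domain != expected_domain:
        findings.append(f"domain {domain!r} differs from expected {expected_domain!r}")
    if not domain.isascii() or domain != domain.lower():
        findings.append("domain should be plain ASCII and lower-case")
    if name.isdigit():
        findings.append("name part is a string of digits (id mapping failed on the sender)")
    if name == "nobody":
        findings.append("mapped to nobody (the sender could not map this principal)")
    return findings


def check_capture(entries, expected_domain=EXPECTED_DOMAIN):
    """entries: iterable of (op, path, owner, owner_group).

    Returns {"OP path": [findings]} for every entry that has at least one.
    """
    report = {}
    for op, path, owner, group in entries:
        findings = [f"owner: {f}" for f in check_owner(owner, expected_domain)]
        findings += [f"owner_group: {f}" for f in check_owner(group, expected_domain)]
        _, owner_dom = split_owner(owner)
        _, group_dom = split_owner(group)
        if owner_dom is not None and group_dom is not None and owner_dom != group_dom:
            findings.append("owner and owner_group carry different domains")
        if findings:
            report[f"{op} {path}"] = findings
    return report


# Constructed sample resembling the thread's symptom: the directory maps
# correctly, the newly created file comes back as nobody, and two further
# entries show the digit-string and mismatched-domain cases.
SAMPLE = [
    ("GETATTR", "/home/kempe", "kempe@lysator.liu.se", "kempe@lysator.liu.se"),
    ("OPEN", "/home/kempe/testfil", "nobody@lysator.liu.se", "nobody@lysator.liu.se"),
    ("GETATTR", "/home/other", "1001", "1001"),
    ("GETATTR", "/home/mixed", "kempe@lysator.liu.se", "kempe@Lysator.LIU.se"),
]

if __name__ == "__main__":
    for key, findings in check_capture(SAMPLE).items():
        print(key)
        for finding in findings:
            print("   -", finding)
```

Feed it the owner/owner_group values from the Open, Lookup and Getattr replies of a real capture; an entry with no findings is silent, so a clean mount produces no output.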