From: Adonis Peralta
To: freebsd-net@freebsd.org
Subject: NFSv4 on MacOS Monterey
Date: Thu, 02 Jun 2022 15:13:42 -0400
Message-ID: <5B070ACE-9ECD-4FAA-A975-C77BE87CEFAA@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
I have some NFSv4 (sec=sys) shares on FreeBSD 13.1 which I'm trying to connect correctly with MacOS 12.4 Monterey.

I got the basics down but don't think I have permissions and extended attributes working correctly.

My configuration is as follows:

SERVER CONFIGURATION
OS: FreeBSD 13.1

=== /etc/rc.conf
# NFS Configuration
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"
mountd_enable="YES"
### mountd_flags="-R"
### rpcbind_enable="YES"
### rpc_lockd_enable="YES"
### rpc_statd_enable="YES"

# Enable NFSv4
nfsv4_server_enable="YES"
nfsv4_server_only="YES"
nfsuserd_enable="YES"
nfsuserd_flags="-domain rambo.lan"
===

=== /etc/exports
# Exports Configuration
/drivepool/backups -alldirs -mapall=adonis:wheel
/drivepool/media -alldirs -mapall=adonis:wheel
/drivepool/home/adonis -alldirs -mapall=adonis:wheel
/drivepool/public -mapall=adonis:wheel
V4: /drivepool adonis-mbp adonis-pc
===

=== /etc/sysctl.conf
# Asks nfsd to convert remote uids/gids encoded as numeric strings to be mapped to an actual uid/gid
vfs.nfsd.enable_stringtouid=1
# Applies to both nfs server and client. Asks client/server to send numeric strings for uid/gid.
### vfs.nfs.enable_uidtostring=0
vfs.nfsd.debuglevel=3
===

The directories above are hosted on ZFS and NFSv4 ACL support is turned on.

CLIENT CONFIGURATION
OS: MacOS 12.4 Monterey

=== /etc/nfs.conf
nfs.client.mount.options=vers=4.0,intr,namedattr
nfs.client.default_nfs4domain = rambo.lan
===

Note: above I'm using namedattr to try to get the client to connect with named attributes support.

RESULTS

What I see when I connect via Finder is the following:

1. I am able to read/write to the shares since /etc/exports contains the -mapall line, yet inspecting a packet trace shows me:

===
packet #1 --- client ip -> server ip
Operations (count: 3): PUTFH, ACCESS, GETATTR
  Opcode: PUTFH (22)
  Opcode: ACCESS (3), [Check: RD LU MD XT DL XE]
  Opcode: GETATTR (9)

packet #2 --- server ip -> client ip
Operations (count: 3)
  Opcode: PUTFH (22)
  Opcode: ACCESS (3), [NOT Supported: XE], [Access Denied: MD XT DL], [Allowed: RD LU]
    Status: NFS4_OK (0)
    Supported types (of requested): 0x1f
    Access rights (of requested): 0x03
      .... ...1 = 0x001 READ: allowed
      .... ..1. = 0x002 LOOKUP: allowed
      .... .0.. = 0x004 MODIFY: *Access Denied*
      .... 0... = 0x008 EXTEND: *Access Denied*
      ...0 .... = 0x010 DELETE: *Access Denied*
  Opcode: GETATTR (9)
===

Why are MD, XT, DL coming up as Access Denied if I can read/write to the share?

I have a feeling this is because UID/GID mapping is not happening correctly. I can see in the packet trace that FreeBSD's `nfsd` is sending some credentials as `adonis@rambo.lan`, but MacOS's NFS client is sending uid 501 and gid 20 for my user in the RPC credentials. I don't see how `nfsd` will be able to map uid 501, gid 20 to the server's uid and gid; instead I was expecting `adonis@rambo.lan` to be sent for credentials from the client side.

The link below tells me that this is an inherent issue with NFSv4?
https://dfusion.com.au/wiki/tiki-index.php?page=Why+NFSv4+UID+mapping+breaks+with+AUTH_UNIX

2. Extended attributes don't work at all. Here is the result:

===
$ cd /Volumes/media
$ touch test.txt
$ xattr -w com.example.color blue test.txt
# Result: xattr: [Errno 1] Operation not permitted: 'test.txt'
===

-- 
Adonis
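The two things the trace above makes visible are the credential a sec=sys client puts in every RPC call and the bitmasks in the ACCESS4 reply. As an added example that is not part of the original mail (and not FreeBSD or macOS code), the script below decodes both: it parses an AUTH_SYS (AUTH_UNIX) credential body as laid out in RFC 5531 (stamp, machine name, uid, gid, supplementary gids, all plain XDR integers that the client asserts and nothing on the wire authenticates), and it classifies the ACCESS4 bits from RFC 7530 using the exact masks the trace shows (requested RD LU MD XT DL XE, supported 0x1f, access 0x03). The credential bytes are constructed here for the example with uid 501 / gid 20 and a made-up machine name and gid list; they are not captured traffic. Note that with `-mapall=adonis:wheel` in /etc/exports the server replaces whatever uid/gid arrives with adonis:wheel, so the asserted numbers never decide who is acting on the export.

```python
"""Decode what a sec=sys NFSv4 exchange carries on the wire.

Added example; not code from the original mail. Sample input is constructed.
"""
import struct

# ACCESS4 request/response bits (RFC 7530, ACCESS operation).
ACCESS4_BITS = {
    0x01: "READ",
    0x02: "LOOKUP",
    0x04: "MODIFY",
    0x08: "EXTEND",
    0x10: "DELETE",
    0x20: "EXECUTE",
}

AUTH_SYS = 1  # RPC auth flavor number for AUTH_SYS / AUTH_UNIX (RFC 5531)


def _xdr_u32(data, off):
    """Read one big-endian XDR unsigned int at offset off."""
    return struct.unpack_from(">I", data, off)[0], off + 4


def _xdr_string(data, off):
    """Read an XDR string: u32 length, bytes, padding to a 4-byte boundary."""
    n, off = _xdr_u32(data, off)
    s = data[off:off + n].decode("ascii")
    return s, off + ((n + 3) & ~3)


def parse_auth_unix(cred):
    """Parse an RPC opaque_auth credential whose flavor is AUTH_SYS.

    Layout: flavor u32, body length u32, then authsys_parms
    {stamp u32, machinename string, uid u32, gid u32, gids u32<16>}.
    """
    flavor, off = _xdr_u32(cred, 0)
    if flavor != AUTH_SYS:
        raise ValueError("not an AUTH_SYS credential: flavor %d" % flavor)
    body_len, off = _xdr_u32(cred, off)
    end = off + body_len
    stamp, off = _xdr_u32(cred, off)
    machine, off = _xdr_string(cred, off)
    uid, off = _xdr_u32(cred, off)
    gid, off = _xdr_u32(cred, off)
    ngids, off = _xdr_u32(cred, off)
    gids = []
    for _ in range(ngids):
        g, off = _xdr_u32(cred, off)
        gids.append(g)
    if off != end:
        raise ValueError("credential body length mismatch")
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}


def build_auth_unix(machine, uid, gid, gids, stamp=0):
    """Encode an AUTH_SYS credential; used here only to construct sample input."""
    name = machine.encode("ascii")
    body = struct.pack(">I", stamp)
    body += struct.pack(">I", len(name)) + name + b"\0" * (-len(name) % 4)
    body += struct.pack(">III", uid, gid, len(gids))
    body += b"".join(struct.pack(">I", g) for g in gids)
    return struct.pack(">II", AUTH_SYS, len(body)) + body


def decode_access4(requested, supported, access):
    """Classify each requested ACCESS4 bit as allowed / denied / not supported.

    A bit absent from 'supported' means the server did not evaluate it;
    a supported bit absent from 'access' is a denial.
    """
    result = {}
    for bit, name in ACCESS4_BITS.items():
        if not requested & bit:
            continue
        if not supported & bit:
            result[name] = "not supported"
        elif access & bit:
            result[name] = "allowed"
        else:
            result[name] = "denied"
    return result


if __name__ == "__main__":
    # Constructed: the credential a sec=sys client running as uid 501 / gid 20
    # would attach to each RPC call. Machine name and gid list are made up.
    cred = build_auth_unix("adonis-mbp", 501, 20, [20, 12, 61])
    print(parse_auth_unix(cred))
    # The masks from the ACCESS reply in the trace.
    for name, verdict in decode_access4(0x3f, 0x1f, 0x03).items():
        print("%-8s %s" % (name, verdict))
```

Running it prints the asserted uid/gid exactly as the server receives them, then READ and LOOKUP allowed, MODIFY, EXTEND and DELETE denied, and EXECUTE not supported, which is the breakdown in packet #2. The `adonis@rambo.lan` string in the trace is a different channel: NFSv4 owner/owner_group attributes carried by GETATTR and handled by nfsuserd, not the RPC credential that AUTH_SYS uses for access decisions.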