Date: Sun, 28 Jan 2024 19:37:48 +0000
From: Lexi Winter <lexi@le-fay.org>
To: freebsd-questions@freebsd.org
Subject: NFSv4, Kerberos and daily
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

hello,

i have a system running FreeBSD 15.0 which has an NFS mount at /data/public
from another FreeBSD system running 14.0:

hemlock.eden.le-fay.org:/public /data/public nfs rw,nfsv4,minorversion=2,sec=krb5p,gssname=host,bgnow,proto=tcp6,rsize=1048576,wsize=1048576,noncontigwr 0 0

every day, i get an email like this from periodic:

> Security check:
>
> Checking setuid files and devices:
> find: /data/public: Input/output error

the problem seems to be caused by the fact that periodic runs as root, so
find(1) can't stat(2) the filesystem mounted on /data/public to discover
it's on a different device:

# stat /data/public
NFSv4 error WrongSec: You probably need a Kerberos TGT
stat: /data/public: Input/output error

so my question is:

- is there a way to make root's accesses to Kerberized NFS mounts use the
  host ticket?

- is there a way to make the NFS server honour this and map the host ticket
  to the 'nobody' user (or something like that)?
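The failure above comes from the audit script walking into a mount that root, holding no Kerberos TGT, cannot even stat(2). The sh script below is an added example, not part of the mail or of FreeBSD's periodic scripts: it reads an fstab-style table (a constructed sample modelled on the line in the mail), picks out the NFS entries whose sec= option is a Kerberos flavour (krb5, krb5i or krb5p), and turns them into find(1) -prune clauses so a setuid scan run without credentials skips those mounts deliberately instead of dying with EIO. The fstab contents, the helper names and the idea of feeding the prune list to find are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original mail or the periodic scripts):
# list Kerberized NFS mount points from an fstab-style table and build
# find(1) -prune clauses so an unprivileged-credential audit skips them.

# Constructed sample fstab; the second line mirrors the mount in the mail.
SAMPLE_FSTAB='
/dev/ada0p2 / ufs rw 1 1
hemlock.eden.le-fay.org:/public /data/public nfs rw,nfsv4,minorversion=2,sec=krb5p,gssname=host,bgnow,proto=tcp6 0 0
fileserver:/export/home /home nfs rw,nfsv4,sec=sys 0 0
# comment line that must be ignored
'

# krb_nfs_mounts FSTAB_TEXT
# Prints one mount point per line for every nfs entry whose option list
# carries sec=krb5, sec=krb5i or sec=krb5p. sec=sys mounts are not
# listed: root can traverse those without a ticket.
krb_nfs_mounts() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and blank lines
        $3 == "nfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^sec=krb5(i|p)?$/) { print $2; break }
        }'
}

# find_prune_args FSTAB_TEXT
# Emits "-path MP -prune -o " for each Kerberized mount, ready to be placed
# before the real predicates of a find(1) invocation. Mount points are
# assumed not to contain whitespace (true for /etc/fstab entries).
find_prune_args() {
    for mp in $(krb_nfs_mounts "$1"); do
        printf -- '-path %s -prune -o ' "$mp"
    done
}

# Usage sketch (not executed here): the prune list goes in front of the
# predicates, and the skipped mounts are logged so the gap in coverage is
# visible in the daily report rather than silent.
#   skipped=$(krb_nfs_mounts "$(cat /etc/fstab)")
#   [ -n "$skipped" ] && echo "skipping Kerberized NFS mounts: $skipped"
#   find -x / $(find_prune_args "$(cat /etc/fstab)") -type f -perm -u+s -print
```

The point of logging the skipped mounts is that a setuid scan that quietly omits a filesystem is a coverage gap, not a fix; the report should say which mounts were not checked so that they can be audited from a host that does hold a credential for them.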