Date:      Fri, 8 Oct 2010 23:26:09 GMT
From:      Jeff Strunk <jstrunk@math.utexas.edu>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/151326: nfs exports fail if netgroups contain duplicate entries
Message-ID:  <201010082326.o98NQ9lE039094@www.freebsd.org>
Resent-Message-ID: <201010082330.o98NU6gB085223@freefall.freebsd.org>


>Number:         151326
>Category:       kern
>Synopsis:       nfs exports fail if netgroups contain duplicate entries
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 08 23:30:05 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Jeff Strunk
>Release:        8.1-RELEASE
>Organization:
The University of Texas at Austin Department of Mathematics
>Environment:
FreeBSD thinkmate2.ma.utexas.edu 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
We are setting up a couple of file servers using ZFS to replace our old Debian file servers. We have been using netgroups to allow a group of admin machines to access the files without remapping root to nobody (no_root_squash on Linux and -maproot=0 on FreeBSD). All of our machines that access the NFS servers are in the utm netgroup. We use an export line for that netgroup to restrict rw access to our NFS servers.

So, our exports file in FreeBSD looks like (there are more lines, but they all look like these with the filesystem changed):
/thinkmate1     -maproot=0 admin
/thinkmate1     utm 

When mountd is started, it logs:
Oct  8 16:37:21 thinkmate2 mountd[2242]: bad exports list line /thinkmate1      utm

mountd -d shows the following the 2nd time a filesystem is exported:
mountd: can't change attributes for /thinkmate1

When I try to mount /thinkmate1 from an admin machine, it works. Also, root is able to read and write any files. When I try to mount on a non-admin machine, the client reports that it was denied by the server.

If I reverse the exports lines, all hosts in the utm netgroup can access /thinkmate1, but root on admin hosts is mapped to nobody.

I discovered that some hostnames are found in both the admin and utm netgroups. When I took the admin hosts out of the utm netgroup, everything worked. This is not a problem on either Linux or Solaris.
>How-To-Repeat:
1) Create the following files.

/etc/netgroup (replace 4 spaces with tab):
admin \
    (hosta,,domain)

domain \
    (hosta,,domain) \
    (hostb,,domain)

/etc/exports:
/export -maproot=0 admin
/export domain

2) Restart mountd.

3) Try to NFS mount /export from hostb.
>Fix:
The workaround is to clean up duplicate netgroup entries. It looks like each host can only be in one netgroup.

>Release-Note:
>Audit-Trail:
>Unformatted:
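
Added example (not part of the original report, and not FreeBSD code): a Python check for the condition the Fix section works around, a host that is reachable through more than one netgroup on the export lines of the same filesystem. The file contents are constructed from the How-To-Repeat section; the function names are hypothetical, and export options are assumed to be single tokens such as -maproot=0.

```python
import re
from collections import defaultdict

# Constructed sample files, mirroring the How-To-Repeat section of the report.
NETGROUP = """\
admin \\
\t(hosta,,domain)

domain \\
\t(hosta,,domain) \\
\t(hostb,,domain)
"""
EXPORTS = "/export -maproot=0 admin\n/export domain\n"

def parse_netgroup(text):
    """Return {group: [members]}, joining backslash-continued lines."""
    groups = {}
    for line in re.sub(r"\\\n", " ", text).splitlines():
        # A member is either a (host,user,domain) triple or a nested group name.
        tokens = re.findall(r"\([^)]*\)|\S+", line.split("#", 1)[0])
        if tokens:
            groups[tokens[0]] = tokens[1:]
    return groups

def hosts_of(name, groups, seen=None):
    """Expand a netgroup to its host names, following nested groups."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against cyclic group references
        return set()
    seen.add(name)
    hosts = set()
    for member in groups.get(name, []):
        if member.startswith("("):
            hosts.add(member[1:-1].split(",")[0].strip())
        else:
            hosts |= hosts_of(member, groups, seen)
    return hosts - {"", "-"}  # empty and "-" host fields name no single host

def overlapping_hosts(exports_text, groups):
    """Return {(path, host): [netgroups]} for hosts hit by 2+ netgroups on one path."""
    reach = defaultdict(list)
    for line in exports_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        for path in (t for t in tokens if t.startswith("/")):
            for name in (t for t in tokens if t in groups):
                for host in hosts_of(name, groups):
                    reach[(path, host)].append(name)
    return {key: names for key, names in reach.items() if len(names) > 1}
```

On the sample files this reports hosta on /export through both admin and domain; an empty result means no host is covered by two netgroups for the same filesystem.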


