Date:      Mon, 13 Oct 2014 08:43:02 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Loïc Blot <loic.blot@unix-experience.fr>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: NFSv4 nobody issue
Message-ID:  <1626547992.63435100.1413204182279.JavaMail.root@uoguelph.ca>
In-Reply-To: <1ffeae65b7b297266ee2d59dc0289d07@mail.unix-experience.fr>

Loic Blot wrote:
> Hi,
> I tried some other things
>
> User nobody (65534)
> -> chown nobody /usr/jail/test.file => problem
>
> Group nogroup (65533)
> -> chown :nogroup /usr/jail/test.file => same problem
>
> Group nobody (65534)
> -> chown :nobody /usr/jail/test.file => no problem
>
> Change user nobody UID from 65534 to 65533 => same problem. It's not
> a UID number problem but a name problem.
>
Yes, for NFSv4 it is the names that go in the RPC request and not the
numbers. However, since there are the numbers in the AUTH_SYS credential
in the header (unless you are using Kerberized mounts), the numbers for
the names need to be consistent between client and server.

> Then, user nobody and group nogroup (not the integer values) are
> problematic. I looked at nfsuserd.c and I see:
> u_char *defaultuser = "nobody";
> u_char *defaultgroup = "nogroup";
>
These are used if no mapping is found in the user or group database
for whatever name is in the RPC on the wire.

If you want to see what is happening, I suggest that you capture
packets when you do the "chown" (You can use "tcpdump -s 0 -w file.pcap host XXX".)
then look at them in wireshark.
In wireshark, look for the Setattr RPC and then look in the settable attributes.
You should find Owner which looks like "nobody@<your.dns.domain>" and
Owner_group which looks the same (or "nogroup@<your.dns.domain>" if you
used nogroup). "nogroup" must be in your group database (/etc/group or whatever
you use for a group database) and the number must be consistent across client
and server.
Also, see what the reply to the Setattr RPC is (it is actually a Compound RPC
labelled "Setattr" for NFSv4).

If there is no Setattr RPC, then the mapping is failing in the client.

If the stuff looks correct on the wire, then it is most likely a server side
issue.

rick

> I think it's related.
>
> Regards,
>
> Loïc Blot,
> UNIX Systems, Network and Security Engineer
> http://www.unix-experience.fr
>
> 13 October 2014 09:15 "Loïc Blot" <loic.blot@unix-experience.fr> wrote:
> > Hi,
> > of course I have it. On each node:
> >
> > # cat /etc/master.passwd | grep nobody
> > returns:
> > nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
> >
> > It's why I do a report here :)
> >
> > Regards,
> >
> > Loïc Blot,
> > UNIX Systems, Network and Security Engineer
> > http://www.unix-experience.fr
> >
> > 10 October 2014 13:51 "Rick Macklem" <rmacklem@uoguelph.ca> wrote:
> >
> >> Loic Blot wrote:
> >>
> >>> Hello @freebsd-fs,
> >>> I'm trying to do jail hosting over NFSv4 with ezjail and I'm
> >>> experiencing an issue that I can't resolve. When I extract
> >>> base.txz (with ezjail) or I set nobody user on a file, I have
> >>> this
> >>> error:
> >>>
> >>> chown nobody:nobody /usr/jails/fulljail/mnt/
> >>> No name and/or group mapping for uid,gid:(65534,65534)
> >>> chown: /usr/jails/fulljail/mnt/: Operation not permitted
> >>>
> >>> No problem if I set:
> >>> chown mysql:nobody /usr/jails/fulljail/mnt/
> >>>
> >>> Problem appears on all files.
> >>
> >> Do you have a user by the name of "nobody" in your password
> >> database?
> >> (NFSv4 uses names and not numbers on the wire, so no name-->no
> >> mapping
> >> and chown can't be done.)
> >>
> >> rick
> >>
> >>> On my ZFS+NFSv4 server I do a dataset, exported in NFS
> >>>
> >>> /etc/exports:
> >>> V4: /
> >>>
> >>> zfs get sharenfs pool/jails:
> >>> -network=10.99.99.0 -mask=255.255.255.0 -maproot=root
> >>>
> >>> nfsuserd and nfsv4_server_enable=YES on both client and server,
> >>> plus
> >>> nfsbcd on client.
> >>>
> >>> On the client here is the fstab entry
> >>> 10.99.99.99:/pool/jails /usr/jails nfs rw,nfsv4 0 0
> >>>
> >>> What am I doing wrong?
> >>>
> >>> Thanks in advance
> >>> Regards,
> >>>
> >>> Loïc Blot,
> >>> UNIX Systems, Network and Security Engineer
> >>> http://www.unix-experience.fr
> >>> _______________________________
> >>>
> >>> freebsd-fs@freebsd.org mailing list
> >>> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> >>> To unsubscribe, send any mail to
> >>> "freebsd-fs-unsubscribe@freebsd.org"
>
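
The consistency requirement described in the reply above, as an added example that is not part of the original e-mail: a shell check that the names used in a chown resolve to the same numeric id in the client's and the server's passwd or group database. The function names, file names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare name -> numeric id for selected names between two
# passwd- or group-format files (field 1 = name, field 3 = uid or gid).

# lookup_id FILE NAME: print the numeric id for NAME, or nothing if absent.
lookup_id() {
    awk -F: -v n="$2" '$1 == n { print $3; exit }' "$1"
}

# check_idmap CLIENT_FILE SERVER_FILE NAME...
# Prints one line per name; returns 1 if any name is missing or mismatched.
check_idmap() {
    client=$1 server=$2 rc=0
    shift 2
    for name in "$@"; do
        c=$(lookup_id "$client" "$name")
        s=$(lookup_id "$server" "$name")
        if [ -z "$c" ] || [ -z "$s" ]; then
            echo "MISSING $name client=${c:-none} server=${s:-none}"
            rc=1
        elif [ "$c" != "$s" ]; then
            echo "MISMATCH $name client=$c server=$s"
            rc=1
        else
            echo "OK $name id=$c"
        fi
    done
    return $rc
}

# Constructed sample data (not taken from the thread): the client's group
# file has no "nogroup" entry and "nobody" has a different gid on the server.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/client.group" <<'EOF'
wheel:*:0:root
nobody:*:65534:
EOF
cat > "$tmp/server.group" <<'EOF'
wheel:*:0:root
nogroup:*:65533:
nobody:*:65535:
EOF

check_idmap "$tmp/client.group" "$tmp/server.group" wheel nobody nogroup \
    || echo "inconsistent mapping: fix the databases on both hosts"
```

To use it on real hosts, point the two file arguments at copies of each machine's passwd or group file; a MISSING line for a name corresponds to the "no mapping" case, where nfsuserd falls back to its default user or group.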


