Date: Mon, 13 Oct 2014 15:24:40 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Loïc Blot <loic.blot@unix-experience.fr>
Cc: freebsd-fs@freebsd.org
Subject: Re: NFSv4 nobody issue
Message-ID: <1003039765.63581639.1413228280410.JavaMail.root@uoguelph.ca>
In-Reply-To: <d6f2ac9a0bdb26429e624f6c1926c5d9@mail.unix-experience.fr>
Loic Blot wrote:
> Hi Rick,
> no request is done.
> In /var/log/messages on the client I have:
>
> Oct 13 15:10:46 machine kernel: No name and/or group mapping for
> uid,gid:(65534,-1)
>
> The FreeBSD kernel refuses to change the owner.
>
Ok, I took a look and it is a restriction enforced by the server.
If you want it to work, you need to comment out these lines in
sys/fs/nfsserver/nfs_nfsdsubs.c:

1546	if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid)
1547	    || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == nfsrv_defaultgid)) {
1548		error = NFSERR_BADOWNER;
1549		goto out;
1550	}

(Line#s 1546->1550 in head.)

It is done because some clients try to set the owner when there is no
valid mapping by sending "nobody@<your.dns.domain>" to the server.
Unfortunately for you "nobody" is the traditional name for "no mapping".

For example, if "chown rick <file>" was done on a client where "rick" is
not in the client's passwd database, some clients will send
"nobody@<your.dns.domain>" and the above code makes sure that doesn't work.

So, if you want this to work, comment out the above lines in your NFSv4
server's kernel.

rick

> Regards,
>
> Loïc Blot,
> UNIX Systems, Network and Security Engineer
> http://www.unix-experience.fr
>
> 13 October 2014 14:43 "Rick Macklem" <rmacklem@uoguelph.ca> wrote:
> > Loic Blot wrote:
> >
> >> Hi,
> >> I tried some other things
> >>
> >> User nobody (65534)
> >> -> chown nobody /usr/jail/test.file => problem
> >>
> >> Group nogroup (65533)
> >> -> chown :nogroup /usr/jail/test.file => same problem
> >>
> >> Group nobody (65534)
> >> -> chown :nobody /usr/jail/test.file => no problem
> >>
> >> Change user nobody UID from 65534 to 65533 => same problem. It's
> >> not a UID number problem but a name problem.
> >
> > Yes, for NFSv4 it is the names that go in the RPC request and not
> > the numbers.
> > However, since there are the numbers in the AUTH_SYS credential
> > in the header (unless you are using Kerberized mounts), the numbers
> > for the names need to be consistent between client and server.
> >
> >> Then, user nobody and group nogroup (not the integer values) are
> >> problematic. I looked at nfsuserd.c and I see:
> >> u_char *defaultuser = "nobody";
> >> u_char *defaultgroup = "nogroup";
> >
> > These are used if no mapping is found in the user or group database
> > for whatever name is in the RPC on the wire.
> >
> > If you want to see what is happening, I suggest that you capture
> > packets when you do the "chown" (You can use "tcpdump -s 0 -w
> > file.pcap host XXX".)
> > then look at them in wireshark.
> > In wireshark, look for the Setattr RPC and then look in the settable
> > attributes.
> > You should find Owner which looks like "nobody@<your.dns.domain>"
> > and Owner_group which looks the same (or "nogroup@<your.dns.domain>"
> > if you used nogroup). "nogroup" must be in your group database
> > (/etc/group or whatever you use for a group database) and the number
> > must be consistent across client and server.
> > Also, see what the reply to the Setattr RPC is (it is actually a
> > Compound RPC labelled "Setattr" for NFSv4).
> >
> > If there is no Setattr RPC, then the mapping is failing in the
> > client.
> >
> > If the stuff looks correct on the wire, then it is most likely a
> > server side issue.
> >
> > rick
> >
> >> I think it's related.
> >>
> >> Regards,
> >>
> >> Loïc Blot,
> >> UNIX Systems, Network and Security Engineer
> >> http://www.unix-experience.fr
> >>
> >> 13 October 2014 09:15 "Loïc Blot" <loic.blot@unix-experience.fr> wrote:
> >>> Hi,
> >>> of course I have it. On each node:
> >>>
> >>> # cat /etc/master.passwd | grep nobody
> >>> returns:
> >>> nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
> >>>
> >>> That's why I report it here :)
> >>>
> >>> Regards,
> >>>
> >>> Loïc Blot,
> >>> UNIX Systems, Network and Security Engineer
> >>> http://www.unix-experience.fr
> >>>
> >>> 10 October 2014 13:51 "Rick Macklem" <rmacklem@uoguelph.ca> wrote:
> >>>
> >>>> Loic Blot wrote:
> >>>>
> >>>>> Hello @freebsd-fs,
> >>>>> I'm trying to do jail hosting over NFSv4 with ezjail and I'm
> >>>>> experiencing an issue that I can't resolve. When I extract
> >>>>> base.txz (with ezjail) or I set the nobody user on a file, I have
> >>>>> this error:
> >>>>>
> >>>>> chown nobody:nobody /usr/jails/fulljail/mnt/
> >>>>> No name and/or group mapping for uid,gid:(65534,65534)
> >>>>> chown: /usr/jails/fulljail/mnt/: Operation not permitted
> >>>>>
> >>>>> No problem if I set:
> >>>>> chown mysql:nobody /usr/jails/fulljail/mnt/
> >>>>>
> >>>>> Problem appears on all files.
> >>>>
> >>>> Do you have a user by the name of "nobody" in your password
> >>>> database?
> >>>> (NFSv4 uses names and not numbers on the wire, so no name-->no
> >>>> mapping and chown can't be done.)
> >>>>
> >>>> rick
> >>>>
> >>>>> On my ZFS+NFSv4 server I create a dataset, exported over NFS
> >>>>>
> >>>>> /etc/exports:
> >>>>> V4: /
> >>>>>
> >>>>> zfs get sharenfs pool/jails:
> >>>>> -network=10.99.99.0 -mask=255.255.255.0 -maproot=root
> >>>>>
> >>>>> nfsuserd and nfsv4_server_enable=YES on both client and server,
> >>>>> plus nfscbd on client.
> >>>>>
> >>>>> On the client here is the fstab entry
> >>>>> 10.99.99.99:/pool/jails /usr/jails nfs rw,nfsv4 0 0
> >>>>>
> >>>>> What am I doing wrong?
> >>>>>
> >>>>> Thanks in advance
> >>>>> Regards,
> >>>>>
> >>>>> Loïc Blot,
> >>>>> UNIX Systems, Network and Security Engineer
> >>>>> http://www.unix-experience.fr
> >>>>>
> >>>>> _______________________________
> >>>>>
> >>>>> freebsd-fs@freebsd.org mailing list
> >>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> >>>>> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
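The mapping and the server-side check discussed in this thread, as an added example (not code from the thread or from FreeBSD): the client turns a uid/gid into "name@domain" and falls back to nfsuserd's defaultuser/defaultgroup when the number has no name, the server maps the string back to a number, and the server then refuses a Setattr whose owner maps to its default uid or gid, which is why "chown nobody" and "chown :nogroup" fail while "chown :nobody" succeeds and renumbering nobody changes nothing. It also walks the two consistency problems Rick warns about, a domain mismatch and differing numbers for the same name on client and server. The passwd/group tables, the host names and the domain are constructed for the example; how the server derives its default ids from nfsuserd's names is a modelling assumption; NFS4ERR_BADOWNER is the RFC 7530 value.

```python
"""Model of NFSv4 owner/owner_group name mapping between a client and a server.

Added example, not code from the thread or from FreeBSD. The tables and the
domain below are constructed; the fallback names are the ones quoted from
nfsuserd.c in the thread.
"""
from dataclasses import dataclass

NFS4ERR_BADOWNER = 10039  # RFC 7530 value

# Fallback names from nfsuserd.c, as quoted in the thread.
DEFAULT_USER = "nobody"
DEFAULT_GROUP = "nogroup"


@dataclass
class Host:
    """One end of the mount: its passwd and group tables and its nfsuserd domain."""
    passwd: dict   # user name -> uid
    group: dict    # group name -> gid
    domain: str

    def number_to_name(self, num, db, default_name):
        """Client direction: uid/gid -> "name@domain". A number with no name
        becomes the default name, which is the case the server check exists for."""
        for name, n in db.items():
            if n == num:
                return f"{name}@{self.domain}"
        return f"{default_name}@{self.domain}"

    def name_to_number(self, owner, db, default_name):
        """Server direction: "name@domain" -> uid/gid. A wrong domain or an
        unknown name maps to the default id (assumption: nfsuserd's no-mapping case)."""
        name, sep, dom = owner.partition("@")
        if not sep or dom != self.domain or name not in db:
            return db[default_name]
        return db[name]

    def setattr_owner(self, owner=None, owner_group=None):
        """Server side of a Setattr of owner/owner_group (None = attribute not set).
        Mirrors the check at nfs_nfsdsubs.c lines 1546-1550: an owner that maps to
        nfsrv_defaultuid, or a group that maps to nfsrv_defaultgid, is rejected.
        Returns (status, uid_stored, gid_stored)."""
        default_uid = self.passwd[DEFAULT_USER]  # assumed: what nfsuserd hands the kernel as nfsrv_defaultuid
        default_gid = self.group[DEFAULT_GROUP]  # assumed: likewise for nfsrv_defaultgid
        uid = gid = None
        if owner is not None:
            uid = self.name_to_number(owner, self.passwd, DEFAULT_USER)
        if owner_group is not None:
            gid = self.name_to_number(owner_group, self.group, DEFAULT_GROUP)
        if (uid is not None and uid == default_uid) or (gid is not None and gid == default_gid):
            return NFS4ERR_BADOWNER, None, None
        return 0, uid, gid


def chown_over_nfsv4(client, server, uid=None, gid=None):
    """What 'chown [user][:group]' on the client puts on the wire, and the server's
    answer. Returns (status, uid_stored, gid_stored)."""
    owner = None if uid is None else client.number_to_name(uid, client.passwd, DEFAULT_USER)
    group = None if gid is None else client.number_to_name(gid, client.group, DEFAULT_GROUP)
    return server.setattr_owner(owner, group)


# Constructed tables; nobody/nogroup carry the FreeBSD numbers quoted in the thread,
# "mysql" stands in for an ordinary user that exists on both ends.
PASSWD = {"root": 0, "mysql": 88, "nobody": 65534}
GROUP = {"wheel": 0, "mysql": 88, "nogroup": 65533, "nobody": 65534}
CLIENT = Host(dict(PASSWD), dict(GROUP), "nfs.example")
SERVER = Host(dict(PASSWD), dict(GROUP), "nfs.example")


if __name__ == "__main__":
    cases = [
        ("chown nobody", dict(uid=65534)),                  # rejected: maps to nfsrv_defaultuid
        ("chown :nogroup", dict(gid=65533)),                # rejected: maps to nfsrv_defaultgid
        ("chown :nobody", dict(gid=65534)),                 # allowed: group nobody is not the default group
        ("chown mysql:nobody", dict(uid=88, gid=65534)),    # allowed
        ("chown 4242 (unknown on client)", dict(uid=4242)),  # client sends nobody@domain: rejected
    ]
    for label, args in cases:
        print(f"{label:36s} -> {chown_over_nfsv4(CLIENT, SERVER, **args)}")
```

Two things to try with the model that the thread only states: build a client whose nobody is 65533 and the call is still rejected, because the name, not the number, goes on the wire; and build a server where "mysql" is 89, and the chown succeeds but the file ends up owned by 89, which is the silent inconsistency Rick's remark about AUTH_SYS numbers is about.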