mountd segfaults in NFSv4 if -alldirs is present in exports

George Mamalakis mamalos at eng.auth.gr
Fri Feb 19 18:11:39 UTC 2010


On 19/02/2010 18:24, Rick Macklem wrote:
>
>
> On Fri, 19 Feb 2010, George Mamalakis wrote:
>
>> Hi all,
>>
>> the title explains it all...
>>
>> But ok, let's be a bit more extensive.
>>
>> If I have one line in /etc/exports reading:
>>
>> V4:  /  -alldirs
>>
>> and try to start mountd, it segfaults with signal 11. From the 
>> manpage I read that -alldirs is the "second method" used to export a 
>> filesystem and V4 is the "third", maybe implying that they are 
>> mutually exclusive. Nevertheless, I suppose that mountd shouldn't 
>> segfault in my case, it could just refuse to start giving an error 
>> message or something. I've tried a different /etc/exports containing 
>> a dummy option -dummy instead of -alldirs and mountd won't segfault, 
>> hence there's no problem with its parser.
>>
> The "V4:" line does not export a file system. It only specifies where
> the "root" is for NFSv4 and what clients/security flavours are supported
> for the NFSv4 lock state Ops that aren't associated with any file handle
> is. (There can be multiple V4: lines for different hosts, but they should
> differ in their "-sec" specification and only that.) The file systems
> must still be exported by separate lines, just like NFSv2,3.
>
> It happens that "-alldirs" always applies to NFSv4, since it does
> not use the Mount protocol and can mount anything under the "root"
> that has been exported.
>
> As such, "-sec" plus the ones related to specifying host(s)
> "-network, -mask" are the only ones that should be in the "V4:"
> line(s).
>
> But, of course it shouldn't segfault. I'll put that on my to do
> list.
>
> Thanks for reporting it, rick
>
Yes Rick, I understood that there was something wrong with my syntax but 
I wouldn't expect a segfault, as you already have stated :).

Moreover, this is the problem that I was facing in one of my previous 
emails with the title "Kerberized NFSv3 incorrect behavior". In my last 
email to you I was claiming that mountd segfaults when both NFSD and 
KGSSAPI (along with device crypto) exist in the kernel config file. You 
replied to me that you would have it fixed. Now I understood that the 
problem had nothing to do with KGSSAPI, my problem was my /etc/exports 
file that contained -alldirs in V4 line. So no need to check if there's 
a conflict with KGSSAPI, there isn't :).

Now, two last questions.

question 1)

I want to export my /export directory with -sec=krb5 to my clients, and 
the configuration of my server and client is respectively as follows:

- server:
/etc/exports:
V4: / -sec=krb5
/export

/etc/rc.conf
rpcbind_enable="YES"
mountd_flags="-e"
nfs_server_enable="YES"
nfsv4_server_enable="YES"
nfsuserd_enable="YES"
gssd_enable="YES"

KERNEL:
options         NFSD
options         KGSSAPI
device          crypto

- client:
rc.conf:
gssd_enable="YES"
nfsuserd_enable="YES"
nfsclient_enable="YES"
rpcbind_enable="YES"
nfs_client_flags="-n 4"
rpc_statd_enable="YES"
rpc_lockd_enable="YES"

KERNEL:
options         KGSSAPI
device          crypto

As I said, heimdal seems to work fine, all keytabs are where they should 
be, and I don't know how to mount the partition to my client. When I run:

[root at fbsdclient ~]# mount_newnfs -onfsv4,sec=krb5 filesrv.ee.auth.gr:/export /mnt
nfsv4 err=10016
mount_newnfs: /mnt, : Input/output error

I receive an I/O error if I use opensolaris as a client. The kdc.log 
shows that the clients request the nfs server's ticket 
(2010-02-19T19:56:29 TGS-REQ mamalos at EE.AUTH.GR from IPv4:192.168.100.11 
for nfs/filesrv.ee.auth.gr at EE.AUTH.GR), so things should be working that 
far, but then they refuse to mount the partition.

If I export the partition with sec=sys and try to mount it with sec=sys, 
it works fine.

question 2)
At the end of nfsv4(4) man page (in the BUGS section) it states:

"At this time, there is no recall of delegations for local file system
operations.  As such, delegations should only be enabled for file systems
that are being used soley as NFS export volumes and are not being
accessed via local system calls nor services such as Samba."

Does this mean that if I manage to export my /home filesystem 
eventually, and my mailserver copies the emails to my users' maildirs 
(located in their home folder), or through another nfs mount, or a user 
is connected to his/her account both through nfsv4 and samba, then there 
will be a serious problem?

Should I setup the nfs server in solaris and use bsd/linux nfs4 clients 
instead, to be sure that I will have no corrupted filesystems, etc? Have 
you tried mounting solaris-nfsv4 exported filesystems with the fbsd 
nfsclient and sec>=krb5?

Thanx again for your help and attention.

mamalos

-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
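
A pre-flight check for the point made in the quoted reply, that only "-sec" and the host options "-network" and "-mask" belong on a "V4:" line. This is an added example, not part of the original message and not mountd's own code; the function names and the sample input are constructed for illustration.

```python
# Options the quoted reply names as the only ones that should appear on a
# "V4:" line: "-sec" plus the host-specification options "-network", "-mask".
V4_ALLOWED = {"sec", "network", "mask"}


def logical_lines(text):
    """Yield (first_line_number, joined_line), skipping lines that begin
    with '#' and joining lines continued with a trailing backslash."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf and raw.lstrip().startswith("#"):
            continue
        start = start or n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


def check_v4_lines(text):
    """Return [(line_number, option), ...] for every option on a V4: line
    that is not in V4_ALLOWED. Option values given as separate words
    (for example the address after -network) are ignored."""
    findings = []
    for n, line in logical_lines(text):
        if not line.startswith("V4:"):
            continue
        for tok in line[3:].split():
            if tok.startswith("-"):
                name = tok[1:].split("=", 1)[0]
                if name not in V4_ALLOWED:
                    findings.append((n, tok))
    return findings


# Constructed sample input: the line from the report, and the layout from
# question 1 (V4: root with -sec, file system exported on its own line).
BAD = "V4:  /  -alldirs\n"
GOOD = "V4: / -sec=krb5\n/export\n"

if __name__ == "__main__":
    for label, sample in (("bad", BAD), ("good", GOOD)):
        print(label, check_v4_lines(sample))
```

Running it against /etc/exports before starting mountd reports the offending option and its line number.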


