[Bug 256658] ugidfw starts before late mount of nfs causing permissions errors on /var/run/nslcd

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 16 Jun 2021 19:58:16 +0000

            Bug ID: 256658
           Summary: ugidfw starts before late mount of nfs causing
                    permissions errors on /var/run/nslcd
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: conf
          Assignee: bugs_at_FreeBSD.org
          Reporter: dvl_at_FreeBSD.org

This has affect hosts installed with FreeBSD 13 and upgraded from 12 to 13.

A summary of the discovery process appears first, followed by the complicating
factors which colluded to create the problem.

Initial symptom was inability of non-root to use / access Kerberos. With a
valid ticket on your laptop, you could ssh to a host where klist should show no
valid ticket (we ssh'd in via ssh-keys).

$ id dvl
id: dvl: no such user

$ truss id dvl
connect(3,{ AF_UNIX "/var/run/nslcd/nslcd.ctl" },26) ERR#13 'Permission denied'

Permissions on that directory and its contents matched that on 12.x hosts which
did not have this issue.

An IRC guru suggested:

$ sysctl security.mac | grep enabled
security.mac.bsdextended.firstmatch_enabled: 1
security.mac.bsdextended.enabled: 1

Looking at bsdextended_script within /etc/rc.conf led to rules which impose
restrictions upon /usr/home

Let's try: service ugidfw restart

id dvl - now works.

summary of complicating factors:

* /usr/home is mounted by NFS with: 

foo.example.com:/home    /usr/home       nfs    
hard,late,intr,wsize=65536,rsize=65536,port=2049,rw 0 0

* bsdextended_script points to rules which impose restrictions upon /usr/hom

* FreeBSD 12 does not show this issue

* FreeBSD 13 has this issue

* new 13 installs and upgrades from 12 have the same problem

* restating ugidfw after boot solves the issue

* removing hard,late from NFS did not solve the issue

* adding mountlate to the REQUIRES in /etc/rc.d/ugidfw solves the issue

You are receiving this mail because:
You are the assignee for the bug.
Received on Wed Jun 16 2021 - 19:58:16 UTC

Original text of this message