Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access

Reply: Rick Macklem : "Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access"
In reply to: Rick Macklem : "Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Andreas Kempe <kempe_at_lysator.liu.se>
Date: Thu, 28 Mar 2024 10:46:18 UTC

On Wed, Mar 27, 2024 at 03:20:03PM -0700, Rick Macklem wrote:
> On Wed, Mar 27, 2024 at 10:17 AM Andreas Kempe <kempe@lysator.liu.se> wrote:
> >
> > On Tue, Mar 26, 2024 at 05:54:38PM -0700, Rick Macklem wrote:
> > > On Tue, Mar 26, 2024 at 5:33 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > >
> > > > Take a look at a packet capture in wireshark.
> > > > Check that the @domain part of Owner and Owner_group attributes are
> > > > the same and it is not a string of digits.
> > > Oh, and just fyi, you can use tcpdump to capture the packets, something like:
> > > # tcpdump -s 0 -w out.pcap host <nfs-server>
> > > and then you can look at out.pcap whereever it is convenient to
> > > install wireshark.
> > > (I run it on this windows laptop.)
> > > Don't bother to try and look at NFS with tcpdump. It doesn't know how
> > > to decode it.
> > >
> > > > If the domain is not the same, you can use the -domain command line option
> > > > on nfsuserd to set it.
> > > > (Since this "domain" is underdefined, I'd suggest only ascii characters and
> > > > all alphabetics in lower case.)
> > > > If the client sends a string of digits, check to make sure the sysctl
> > > > vfs.nfs.enable_uidtostring is set to 0.
> > > >
> >
> > I'm using lysator.liu.se as the domain on both client and server. It
> > seems to work since listing files give correct owners.
> >
> > I have dumped the traffic from mounting and creating a file named
> > test file that shows up as owned by nobody. I get the following call
> > made
> >
> >         NFS     438     V4 Call (Reply In 131) Open OPEN DH: 0x30a4c0aa/testfil
> >
> > In the OPEN (18) opcode, owner is set to
> >
> >                 0000   af 16 00 00 93 fc 00 00 07 76 0d 00
> >
> > while the server sets owner to ex. kempe@lysator.liu.se as expected
> > when directory listings are made.
> Doesn't make sense. What does wireshake show you for the Owner
> attribute in the setable attributes of the Open arguments. It should flag
> it as non-UTF8.
> 

I'm afraid I don't really understand how to check this. Wireshark
secifies "owner: <DATA>" if that says anything.

> If you email me the pcap.out as an attachment, I'll look at it in wireshark.
> The out.pcap should include both the Open that creates a file and an
> "ls -l <file>", so there is a Getattr for the file as well.
> 

I'll send you a capture off-list. Thank you for helping!

> rick
> ps: If that is what is in the Owner field, all I can suggest is that was what
>       a getpwnam() returned on the client. Possibly some weirdness with LDAP.
>       (I never use LDAP. Only a local /etc/passwd.)
> 
> >
> > vfs.nfs.enable_uidtostring is 0 on the client machine and I am not
> > quite able to make sense of what the 12 bytes in the owner field are
> > supposed to be. They are not the ASCII representation and nither my
> > user's GID and UID that are both 0x7b02.
> >
> > // Andreas Kempe
>