From nobody Thu Mar 28 10:46:18 2024
Date: Thu, 28 Mar 2024 11:46:18 +0100
From: Andreas Kempe
To: Rick Macklem
Cc: freebsd-fs@freebsd.org
Subject: Re: Kerberised NFSv4 - everyone gets mapped to nobody on file access
List-Id: Filesystems
List-Archive: https://lists.freebsd.org/archives/freebsd-fs
On Wed, Mar 27, 2024 at 03:20:03PM -0700, Rick Macklem wrote:
> On Wed, Mar 27, 2024 at 10:17 AM Andreas Kempe wrote:
> >
> > On Tue, Mar 26, 2024 at 05:54:38PM -0700, Rick Macklem wrote:
> > > On Tue, Mar 26, 2024 at 5:33 PM Rick Macklem wrote:
> > > >
> > > > Take a look at a packet capture in wireshark.
> > > > Check that the @domain part of Owner and Owner_group attributes are
> > > > the same and it is not a string of digits.
> > > Oh, and just fyi, you can use tcpdump to capture the packets, something like:
> > > # tcpdump -s 0 -w out.pcap host
> > > and then you can look at out.pcap wherever it is convenient to
> > > install wireshark.
> > > (I run it on this windows laptop.)
> > > Don't bother to try and look at NFS with tcpdump. It doesn't know how
> > > to decode it.
> > >
> > > > If the domain is not the same, you can use the -domain command line option
> > > > on nfsuserd to set it.
> > > > (Since this "domain" is underdefined, I'd suggest only ascii characters and
> > > > all alphabetics in lower case.)
> > > > If the client sends a string of digits, check to make sure the sysctl
> > > > vfs.nfs.enable_uidtostring is set to 0.
> > > >
> > > >
> > I'm using lysator.liu.se as the domain on both client and server. It
> > seems to work since listing files gives correct owners.
> >
> > I have dumped the traffic from mounting and creating a file named
> > test file that shows up as owned by nobody. I get the following call
> > made
> >
> > NFS 438 V4 Call (Reply In 131) Open OPEN DH: 0x30a4c0aa/testfil
> >
> > In the OPEN (18) opcode, owner is set to
> >
> > 0000 af 16 00 00 93 fc 00 00 07 76 0d 00
> >
> > while the server sets owner to ex. kempe@lysator.liu.se as expected
> > when directory listings are made.
> Doesn't make sense. What does wireshark show you for the Owner
> attribute in the settable attributes of the Open arguments? It should flag
> it as non-UTF8.
>

I'm afraid I don't really understand how to check this. Wireshark
specifies "owner: " if that says anything.

> If you email me the pcap.out as an attachment, I'll look at it in wireshark.
> The out.pcap should include both the Open that creates a file and an
> "ls -l ", so there is a Getattr for the file as well.
>

I'll send you a capture off-list. Thank you for helping!

> rick
> ps: If that is what is in the Owner field, all I can suggest is that was what
> a getpwnam() returned on the client. Possibly some weirdness with LDAP.
> (I never use LDAP. Only a local /etc/passwd.)
> >
> > vfs.nfs.enable_uidtostring is 0 on the client machine and I am not
> > quite able to make sense of what the 12 bytes in the owner field are
> > supposed to be. They are not the ASCII representation and neither my
> > user's GID and UID that are both 0x7b02.
> >
> > // Andreas Kempe
>
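The checks Rick lists above (the @domain part of the Owner attribute must match the expected domain and must not be a bare string of digits, and a value that is not UTF-8 points at something upstream of nfsuserd) can be applied to the raw attribute bytes from a capture. The following Python is an added example, not code from the thread or from FreeBSD; it decodes the NFSv4 owner value from its XDR string encoding and classifies it. The sample values are constructed except the 12-byte value, which is the one quoted in the thread; the `xdr_string` and `classify_owner` names are my own.

```python
import re
import struct

EXPECTED_DOMAIN = "lysator.liu.se"   # domain used on client and server in the thread


def xdr_string(buf: bytes, off: int = 0):
    """Decode one XDR string at buf[off:]: u32 big-endian length, bytes, pad to 4.
    Returns (payload, offset_after_padding)."""
    (n,) = struct.unpack_from(">I", buf, off)
    data = buf[off + 4: off + 4 + n]
    if len(data) != n:
        raise ValueError("truncated XDR string")
    return data, off + 4 + n + (-n % 4)


def xdr_encode(payload: bytes) -> bytes:
    """Inverse of xdr_string, used here only to build constructed samples."""
    return struct.pack(">I", len(payload)) + payload + b"\x00" * (-len(payload) % 4)


def classify_owner(raw: bytes, expected_domain: str = EXPECTED_DOMAIN) -> str:
    """Diagnose an Owner/Owner_group value:
    'ok'              user@domain with the expected domain
    'numeric'         digits only: client sends uids, check vfs.nfs.enable_uidtostring=0
    'domain_mismatch' user@domain with another domain (or empty user): nfsuserd -domain
    'no_domain'       a name with no '@' at all
    'not_utf8'        not valid printable UTF-8 (what the 12 bytes in the thread are)"""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "not_utf8"
    if not text.isprintable():          # NUL or other control bytes: not a name
        return "not_utf8"
    if re.fullmatch(r"[0-9]+", text):
        return "numeric"
    if "@" not in text:
        return "no_domain"
    user, _, domain = text.partition("@")
    if not user or domain != expected_domain:   # case-sensitive, as Rick advises lowercase
        return "domain_mismatch"
    return "ok"


# Constructed samples, each as it would appear on the wire (XDR-encoded)
SAMPLES = {
    "good": xdr_encode(b"kempe@lysator.liu.se"),
    "numeric": xdr_encode(b"31490"),                        # 0x7b02 from the thread, as digits
    "wrong_domain": xdr_encode(b"kempe@LYSATOR.LIU.SE"),
    "from_thread": xdr_encode(bytes.fromhex("af160000 93fc0000 07760d00")),
}

if __name__ == "__main__":
    for name, wire in SAMPLES.items():
        print(name, "->", classify_owner(xdr_string(wire)[0]))
```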