From: Rick Macklem <rmacklem@uoguelph.ca>
To: Adonis Peralta, freebsd-net@freebsd.org
Subject: Re: NFSv4 on MacOS Monterey
Date: Thu, 2 Jun 2022 22:02:32 +0000
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
Rick Macklem wrote:
> Adonis Peralta wrote:
[stuff snipped]
> > OS: FreeBSD 13.1
[more stuff snipped]

> > RESULTS
> >
> > What I see when I connect via Finder is the following:
> >
> > 1. I am able to read/write to the shares since /etc/exports contains the -mapall line, yet inspecting a packet trace shows me:
> >
> > ===
> > packet #1
> > ---
> > client ip -> server ip Operations (count: 3): PUTFH, ACCESS, GETATTR
> > Opcode: PUTFH (22)
> > Opcode: ACCESS (3), [Check: RD LU MD XT DL XE]
> > Opcode: GETATTR (9)
> >
> > packet #2
> > ---
> > server ip -> client ip Operations (count: 3)
> > Opcode: PUTFH (22)
> > Opcode: ACCESS (3), [NOT Supported: XE], [Access Denied: MD XT DL], [Allowed: RD LU]
> > Status: NFS4_OK (0)
> > Supported types (of requested): 0x1f
> > Access rights (of requested): 0x03
> > .... ...1 = 0x001 READ: allowed
> > .... ..1. = 0x002 LOOKUP: allowed
> > .... .0.. = 0x004 MODIFY: *Access Denied*
> > .... 0... = 0x008 EXTEND: *Access Denied*
> > ...0 .... = 0x010 DELETE: *Access Denied*
> This is saying that the uid for "adonis" on the server does not have write access to the file.
>
> > Opcode: GETATTR (9)
> > ===
> >
> > Why is MD, XT, DL coming up as Access Denied if I can read/write to the share?
> Hmm, not sure. If you were to show all the reply fields for the Getattr, then I could probably guess.
> It might be Owner (is it "adonis@rambo.lan"). It could be ACLs. To check those, you should be able to
> do whatever the Mac OSX equivalent to getfacl is.
I suspect this might be caused by what is called OwnerOverride.
It is a long-standing tradition in NFS servers to allow the owner of a
file to read/write the file despite what the file mode/ACL says.

Why?
Well, because unlike POSIX, NFS servers check permissions on every
Read/Write instead of only upon the POSIX open(2).
Without this, POSIX applications that first open(2) a file and then chmod(2)
the file to a mode that does not allow further open(2)s of the same type
will break badly on NFS mounts. (NFS is not and will never be a POSIX-compliant
file system, due to the protocol.)

This "cheat" of allowing the Owner access regardless allows most of these
POSIX programs to work over NFS. (And since the owner of the file
can chmod/Setattr the mode at any time, it is not considered a security hole.)

Now, for NFSv4, there is an Open (a form of Windows lock, not a POSIX
open). It should fail for the case where it is not doing a Create and the
permissions are not allowed. (This check was only added to the FreeBSD
server recently, when it was identified as not doing the check, unlike
Linux and Solaris. However, this check is in 13.1.)

I can only conjecture that the NFSv4 Open specified Create in this case
and, as such, the check was not applied.

NFSv4 clients are expected to use the reply to Access to decide whether
or not to permit the POSIX open(2). It appears that the Mac OSX client
may not be doing this?

rick

> I have a feeling this is because UID/GID mapping is not happening correctly. I can see in the packet trace that FreeBSD's `nfsd` is sending some credentials as `adonis@rambo.lan`, but MacOS's nfs client is sending uid 501 and gid 20 for my user in the RPC credentials. I don't see how `nfsd` will be able to map uid 501, gid 20 to the server's uid and gid, and instead I was expecting `adonis@rambo.lan` to be sent for credentials from the client side.
As noted above, with "-mapall" the uid/gids in the RPC header are completely ignored.

> The link below tells me that this is an inherent issue with NFSv4?
> https://dfusion.com.au/wiki/tiki-index.php?page=Why+NFSv4+UID+mapping+breaks+with+AUTH_UNIX
>
> 2. Extended attributes don't work at all. Here is the result:
> ===
> $ cd /Volumes/media
> $ touch test.txt
> $ xattr -w com.example.color blue test.txt
>
> # Result: xattr: [Errno 1] Operation not permitted: 'test.txt' #
> ===
Yep, as noted above, they aren't supported and will not work. FreeBSD uses the Linux-style extended
attribute model, not the resource fork/subfile one that Mac OSX and Solaris use.

rick

--
Adonis