NFSv4 nobody issue

Loïc Blot loic.blot at unix-experience.fr
Mon Oct 13 13:14:48 UTC 2014 

Hi Rick,
no request is done.
In /var/log/messages on the client i have:

Oct 13 15:10:46 machine kernel: No name and/or group mapping for uid,gid:(65534,-1)

The FreeBSD kernel refuses to change the owner.

Regards,

Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr

13 octobre 2014 14:43 "Rick Macklem" <rmacklem at uoguelph.ca> a écrit: 
> Loic Blot wrote:
> 
>> Hi,
>> i tryed some other things
>> 
>> User nobody (65534)
>> -> chown nobody /usr/jail/test.file => problem
>> 
>> Group nogroup (65533)
>> -> chown :nogroup /usr/jail/test.file => same problem
>> 
>> Group nobody (65534)
>> -> chown :nobody /usr/jail/test.file => no problem
>> 
>> Change user nobody UID from 65534 to 65533 => same problem. It's not
>> a UID number problem but a name problem.
> 
> Yes, for NFSv4 it is the names that go in the RPC request and not the
> numbers. However, since there are the numbers in the AUTH_SYS credential
> in the header (unless you are using Kerberized mounts), the numbers for
> the names need to be consistent between client and server.
> 
>> Then, user nobody and group nogroup (not the integer values) are
>> problematic. I looked at nfsuserd.c and i see:
>> u_char *defaultuser = "nobody";
>> u_char *defaultgroup = "nogroup";
> 
> These are used if no mapping is found in the user or group database
> for whatever name is in the RPC on the wire.
> 
> If you want to see what is happening, I suggest that you capture
> packets when you do the "chown" (You can use "tcpdump -s 0 -w file.pcap host XXX".)
> then look at them in wireshark.
> In wireshark, look for the Setattr RPC and then look in the setable attributes.
> You should find Owner which looks like "nobody@<your.dns.domain> and
> Owner_group which looks the same (or "nogroup@<your.dns.domain>" if you
> used nogroup). "nogroup" must be in your group database (/etc/group or whatever
> you use for a group database) and the number must be consistent across client
> and server.
> Also, see what the reply to the Setattr RPC is (it is actually a Compound RPC
> labelled "Setattr" for NFSv4).
> 
> If there is no Setattr RPC, then the mapping is failing in the client.
> 
> If the stuff looks correct on the wire, then it is most likely a server side
> issue.
> 
> rick
> 
>> I think it's related.
>> 
>> Regards,
>> 
>> Loïc Blot,
>> UNIX Systems, Network and Security Engineer
>> http://www.unix-experience.fr
>> 
>> 13 octobre 2014 09:15 "Loïc Blot" <loic.blot at unix-experience.fr> a
>> écrit:
>>> Hi,
>>> of course i have it. On each node:
>>> 
>>> # cat /etc/master.passwd | grep nobody
>>> returns:
>>> nobody:*:65534:65534::0:0:Unprivileged
>>> user:/nonexistent:/usr/sbin/nologin
>>> 
>>> It's why i do a report here :)
>>> 
>>> Regards,
>>> 
>>> Loïc Blot,
>>> UNIX Systems, Network and Security Engineer
>>> http://www.unix-experience.fr
>>> 
>>> 10 octobre 2014 13:51 "Rick Macklem" <rmacklem at uoguelph.ca> a
>>> écrit:
>>> 
>>>> Loic Blot wrote:
>>>> 
>>>>> Hello @freebsd-fs,
>>>>> i'm trying to do jail hosting over NFSv4 with ezjail and i'm
>>>>> experimenting an issue that i can't resolve. When i extract
>>>>> base.txz (with ezjail) or i set nobody user on a file, i have
>>>>> this
>>>>> error:
>>>>> 
>>>>> chown nobody:nobody /usr/jails/fulljail/mnt/
>>>>> No name and/or group mapping for uid,gid:(65534,65534)
>>>>> chown: /usr/jails/fulljail/mnt/: Operation not permitted
>>>>> 
>>>>> No problem if i set:
>>>>> chown mysql:nobody /usr/jails/fulljail/mnt/
>>>>> 
>>>>> Problem appears on all files.
>>>> 
>>>> Do you have a user by the name of "nobody" in your password
>>>> database?
>>>> (NFSv4 uses names and not numbers on the wire, so no name-->no
>>>> mapping
>>>> and chown can't be done.)
>>>> 
>>>> rick
>>>> 
>>>>> On my ZFS+NFSv4 server i do a dataset, exported in NFS
>>>>> 
>>>>> /etc/exports:
>>>>> V4: /
>>>>> 
>>>>> zfs get sharenfs pool/jails:
>>>>> -network=10.99.99.0 -mask=255.255.255.0 -maproot=root
>>>>> 
>>>>> nfsuserd and nfsv4_server_enable=YES on both client and server,
>>>>> plus
>>>>> nfsbcd on client.
>>>>> 
>>>>> On the client here is the fstab entry
>>>>> 10.99.99.99:/pool/jails /usr/jails nfs rw,nfsv4 0 0
>>>>> 
>>>>> What i'm doing wrong ?
>>>>> 
>>>>> Thanks in advance
>>>>> Regards,
>>>>> 
>>>>> Loïc Blot,
>>>>> UNIX Systems, Network and Security Engineer
>>>>> http://www.unix-experience.fr
>>>>> 
>> _______________________________
>> 
>>>>> 
>>>>> freebsd-fs at freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
>>>>> To unsubscribe, send any mail to
>>>>> "freebsd-fs-unsubscribe at freebsd.org"
>>> 
>>> 
>> _______________________________
>> 
>>> 
>>> freebsd-fs at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
>>> To unsubscribe, send any mail to
>>> "freebsd-fs-unsubscribe at freebsd.org"

More information about the freebsd-fs mailing list