Solved NFS permissions issue

abishai · Sep 8, 2024

I have NFS share, looks like it almost works, however I have permission issue.

On a server:
/etc/exports

Code:

V4: /srv -sec=krb5i:krb5p

/etc/zfs/exports

Code:

# !!! DO NOT EDIT THIS FILE MANUALLY !!!

/srv/abishai    -sec=krb5i:krb5p
/srv/abishai/darktable    -sec=krb5i:krb5p

ZFS settings

Code:

zdata/abishai/darktable  aclmode               discard                     default
zdata/abishai/darktable  aclinherit            restricted                  default

/etc/rc.conf

Code:

nfs_server_enable=YES
nfs_server_flags="-t"
nfsv4_server_only=YES
nfsuserd_enable="YES"
gssd_enable="YES"

On a client:
/etc/rc.conf

Code:

nfs_client_enable=YES
nfsuserd_enable="YES"
gssd_enable="YES"

Mount command:
mount -o nfsv4,sec=krb5i beta:/abishai/darktable /home/abishai/darktable

My issues are:
1. Client doesn't see permissions.
Server

Code:

# file: /srv/abishai/darktable/
# owner: abishai
# group: abishai
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow

Client

Code:

# file: /home/abishai/darktable/
# owner: nobody
# group: nogroup
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow

2. When I copy, every file copied returns an error "No name and/or group mapping for uid,guid

1001, 1001). 1001 is me and it exists on both server and client. I can see on server, that files have correct permissions.

I suppose, the issue #2 is consequence of issue #1. Because client can't see correct permissions, it's confused and emits false error. I can't say, kerberized NFS setup is well documented, so maybe I made some mistakes?

T-Daemon · Sep 10, 2024

Try removing (delete or comment) on the NFS server (and also on client)

abishai said:
/etc/rc.conf

Code:

nfsuserd_enable="YES"

reboot system or stop nfsuserd service.

On client, if the NFS share is mount, un-mount, remount.

zirias@ · Sep 10, 2024

T-Daemon for NFSv4, the user mapping daemon is required. There are no longer numerical uid/gid values on the wire like in NFSv3, but the actual names, so that must be translated.

abishai · Friday at 10:47 PM

I've found a mistake in client's hostname =/ It was pointed to wrong domain.

T-Daemon · Saturday at 8:00 AM

zirias@ said:
T-Daemon for NFSv4, the user mapping daemon is required. There are no longer numerical uid/gid values on the wire like in NFSv3, but the actual names, so that must be translated.

Reading the manual again, not in any case. nfsuserd(8) must run for kerberized NFSv4 mounts definitely, but not for non-kerberized, when group ID and user ID are the same on server and client(s) (as it was on my test setup), i.e.:

Code:

 % id abishai
uid=1002(abishai) gid=1002(abishai) groups=1002(abishai)

nfsuserd(8)

Rich (BB code):

DESCRIPTION
     nfsuserd loads user and group information into the kernel for NFSv4.  For
     Kerberized NFSv4 mounts, it must be running on both client(s) and server
     for correct operation.  For non-Kerberized NFSv4 mounts, this daemon must
     be running unless all client(s) plus the server are configured to put
     uid/gid numbers in the owner and owner_group strings.

Obviously I draw the wrong conclusion. I haven't tested on a kerberized NFS server/client setup, assumed wrongly from my setup nfsuserd(8) isn't needed.

Side note: How much I tried, I couldn't get kerberized NFS to work ever (a failure on my part somewhere, but I couldn't figure out where).

On the other hand NFS-over-TLS works flawless (and IMO is much easier to configure).

abishai · Saturday at 1:12 PM

T-Daemon said:
Side note: How much I tried, I couldn't get kerberized NFS to work ever (a failure on my part somewhere, but I couldn't figure out where).

I can write how I did it. I almost configured it by myself. if not a stupid error in client's hostname...

T-Daemon · Saturday at 4:06 PM

abishai said:
I can write how I did it.

Thank you very much, I would like that.

Above all I like to know which kerberos are you using. I had problems with base and security/heimdal. In the end I used security/krb5-121.

zirias@ · Saturday at 5:23 PM

T-Daemon My interpretation of your cited manpage text is that, when NOT using kerberos, you CAN still configure NFS to put (numerical) uids/gids on the wire, although it isn't the default, while as soon as kerberos is used, this is outright impossible. In any case, NFSv4 defaults to putting the usernames there, in which case the mapping is strictly required.

T-Daemon said:
Side note: How much I tried, I couldn't get kerberized NFS to work ever (a failure on my part somewhere, but I couldn't figure out where).

It shouldn't be too hard though... actually, it worked "out of the box" for me, although my KDC is provided by MIT krb5 integrated with samba (I built samba with different port options for that) and then I found out that for NFS, I must use the heimdal in base (which I didn't even build before) ... still they worked flawlessly together.

The only issue I ran into was using a "host-based initiator" to mount, but that wasn't directly related to kerberos I guess but instead to the LDAP directory. I documented my "journey" here btw: https://sekrit.de/webdocs/freebsd/nfs-jail-kerberos-samba.html

T-Daemon said:
On the other hand NFS-over-TLS works flawless (and IMO is much easier to configure).

I personally wouldn't consider that, it seems overly complex ...