NFSv4 Issue: No write access on mounted share

G

gerberp

Hi,

I try to share a ZFS dataset with NFSv4 in a Samba provisioned AD environment. Mounting the dataset and reading files are working as expected, but I have no write access to the shared dataset. Here are the details of my setup (hope not to miss something relevant):

Domain controller is running jailed on FreeBSD 13.1-RELEASE-p7, Samba 4.13.17.
NFS server is running on a bhyve VM with FreeBSD 13.1-RELEASE, also exports the dataset via SMB, joined to domain.
Windows 10 client running in bhyve VM, joined to domain.
All are running on a host with FreeBSD 13.2-RELEASE-p4, not joined.

I can mount the dataset with NFSv4 on a laptop (FreeBSD 13.2-RELEASE-p4, joined to domain) and with SMB on the Windows client. For NFSv4 I use the Kerberos service included in AD. All working like charm with no issues (Kerberos tickets, DNS, user mapping with winbindd).

Mounting the dataset on laptop:
Code: 
$ ls
mnt
$ mount -t nfs -v -o nfsv4,sec=krb5i,gssname=host <NFS Server>:/home mnt
<NFS Server>:/home on mnt (nfs, nfsv4acls, fsid 02ff003a3a000000)

Stats of the mount:
Code: 
$ id
uid=11000(AD\testuser) gid=10000(AD\domain users) groups=10000(AD\domain users),3001(BUILTIN\users)
$ cd mnt/
$ ls -l
total 1
drwxr-xr-x+ 2 AD\testuser  AD\domain users  2 Nov 24 20:59 testuser
$ getfacl testuser/
# file: testuser/
# owner: AD\testuser
# group: AD\domain users
  user:AD\testuser:rwxpDdaARWcCos:-------:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow

Here now the problem:
Code: 
$ pwd
/usr/home/testuser/mnt
$ touch foo
touch: foo: Permission denied

If I ssh into the NFS server and go to the shared directory, I can create and write file without problem:
Code: 
$ ssh AD\\testuser@<NFS Server>
$ cd <shared path>
$ ls -l
total 1
drwxr-xr-x+ 2 AD\testuser  AD\domain users  2 Nov 24 21:03 testuser
$ getfacl testuser/
# file: testuser/
# owner: AD\testuser
# group: AD\domain users
  user:AD\testuser:rwxpDdaARWcCos:-------:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
$ cd testuser/
$ touch foo
$ echo "File contents" > bar
$ ls -l
total 9
-rw-r--r--  1 AD\testuser  AD\domain users  14 Nov 24 21:08 bar
-rw-r--r--  1 AD\testuser  AD\domain users   0 Nov 24 21:08 foo

And the again on the mounted share on the laptop:
Code: 
$ ls -l
total 9
-rw-r--r--  1 AD\testuser  AD\domain users  14 Nov 24 21:08 bar
-rw-r--r--  1 AD\testuser  AD\domain users   0 Nov 24 21:08 foo
$ cat bar
File contents

I cannot modify or delete the files in the testuser folder in the mounted share.

Here are my NFSv4 settings:
Code: 
$ cat /etc/exports
V4: /srv/shares/encrypted -sec=krb5p:krb5i:krb5
$ zfs get sharenfs <shared ZFS dataset>
NAME                   PROPERTY  VALUE                                                                 SOURCE
<shared ZFS dataset>  sharenfs  on,rw@192.168.20.0/24,sec=krb5:krb5p:krb5i,crossmnt,no_subtree_check  local

All machines are on the 192.168.20.0/24 subnet. With the Windows client I can mount, read and write on the shared dataset (especially the files created above).

What I considered for debugging but did not do because of limited resources/time:
  • using another machine to mount the share
  • using another OS to mount the share
  • mounting the share via NFSv4 on the NFS server
I would be very grateful if somebody could provide any hints on debugging approaches for this issue, i.e. which logfiles to check (maybe add some additional logging?), which settings to check, issues with my configuration, etc.

Many thanks and kind regards,
Paul.
 
You must log in or register to reply here.
Back
Top