From: Christian Seiler <christian@iwakd.de>
To: Steve Dickson <steved@redhat.com>
Cc: <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] libnfsidmap: respect Nobody-User/Nobody-Group
Date: Wed, 13 Aug 2014 19:45:16 +0200 [thread overview]
Message-ID: <603dd17035c81999c99b9020b65d8768@iwakd.de> (raw)
In-Reply-To: <53EB962C.5000001@RedHat.com>
Hi,
Am 2014-08-13 18:45, schrieb Steve Dickson:
> On 06/03/2014 07:17 AM, Christian Seiler wrote:
>> Previous behavior of libnfsidmap was to do a name lookup of
>> nobody@DEFAULTDOMAIN (for both user and group), which does not match
>> the behavior of rpc.idmapd.
>>
>> This patch makes libnfsidmap respect Nobody-User/Nobody-Group for
>> lookups, thus making the nfsidmap utility properly handle the case
>> if
>> nobody@DEFAULTDOMAIN does not directly map to any user/group on the
>> system.
>>
>> Signed-off-by: Christian Seiler <christian@iwakd.de>
> Wow... This one fell of the radar... sorry about that!
No problem. To be honest, I completely forgot about this patch
myself, because I wrote this patch when I tried to switch from
idmapd to nfsidmap, but after I had some problems with that, I
kind of switched back to idmapd, and then kind of put the whole
thing to the back of my mind.
But perhaps you can give me a couple of pointers on how to
best debug the issue I had with nfsidmap:
- nsswitch translation for idmapping, nss_ldapd
- nfsv4 sec=krb5 mount (mounted via autofs)
- no krb5 ticket: ls doesn't even work (permission denied)
(this is expected, not a bug)
- with krb5 ticket: ls -l shows correct directory contents,
with correct user/group ownership (translation nfs4 ->
uid/gid via nfsidmap and then uid/gid -> local names via
getpwnam works)
- accessing files owned by myself but that are not group/other
readable doesn't work (permission denied)
- writing to files / directories on which I have write
permission (but no other write permission) doesn't work
- nfsv4 sec=sys mounts don't have this problem
To me this appears to be a problem that while uids/gids are
correctly mapped when getting data from the server, they are
not mapped properly when sending requests to the server, so
that it always falls back to nobody, therefore giving me
insufficient permissions.
The problem doesn't occur with rpc.idmapd (and disabled
nfsidmap).
My question would be whether there is an easy way to debug this?
I tried to have a look at the kernel nfs4 client code / the
interaction with idmap, but I just don't know enough about that
area of the kernel to really see through the logic.
> Committed!
Thanks!
Regards,
Christian
next prev parent reply other threads:[~2014-08-13 17:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-03 11:17 [PATCH] libnfsidmap: respect Nobody-User/Nobody-Group Christian Seiler
2014-08-13 16:45 ` Steve Dickson
2014-08-13 17:45 ` Christian Seiler [this message]
2014-08-13 19:09 ` Steve Dickson
2014-08-14 19:37 ` Benjamin Coddington
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=603dd17035c81999c99b9020b65d8768@iwakd.de \
--to=christian@iwakd.de \
--cc=linux-nfs@vger.kernel.org \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).