NFSV4 share on ZFS using sys authentication

Hi all,
I have a ZFS-based server (FreeBSD 11) and I want to use NFSv4 on it. I used access lists on the shared folder and set permissions on them, but clients that have write permission can't write to the share.

My exports file is:
Code:
/pool/share1 -sec=sys -network 0.0.0.0 -mask 0.0.0.0
V4: /pool
I added a user named test on both client and server (their UIDs are different).

The file permission is:
Code:
#getfacl /pool/share1
# file: /pool/share1
# owner: root
# group: wheel
       user:test:rwxp----------:-------:allow
/etc/rc.conf on server is:
Code:
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"
rpcbind_enable="YES"
mountd_flags="-r"
mountd_enable="YES"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"

nfsv4_server_enable="YES"
nfsuserd_enable="YES"

/etc/rc.conf on client is:

Code:
nfsuserd_enable="YES"
nfscbd_enable="YES"
hostid_enable="NO"

The mount command on client is:
Code:
mount_nfs -o nfsv4,sec=sys x.x.x.x:/ mnt/

My problem is:
I do not have write permission on share1.
 
Does "normal" ID mapping (nfsuserd) between server and client work?

You can check it: change the owner of a file on the server to name x and afterwards check whether the same name is listed as the owner of the file on the client filesystem (both users must exist on both systems).
 
Thanks for your response.
When the UID of a user on the client is the same as the UID of that user on the server, it doesn't have any problem. But when the UIDs are different the share becomes readable.
 

NFSv4 doesn't transmit the UID. In NFSv4 the owner is transmitted as <username>@<domainname>. This requires the UID<->name mapping, which is done on the server and client side (nfsuserd in FreeBSD, rpc.idmapd in Debian). The benefit is that you don't need matching UIDs/GIDs between server and clients anymore.

Server side (nfsuserd): UID on server ---> owner@domain (= max@example.org)

NFSv4 transport: the owner of file 'xyz' is "max@example.org"

Client side: max@example.org --> UID on client
 

You still need some sort of authentication. Kerberos is the most used.
 
That way you need to match the UIDs on both the server and the client.

Why should you need matching UIDs between server and client?

In NFSv4 it's irrelevant; you only need the same username/groupname on client and server. The UIDs of the usernames/groupnames can be different on server and clients. That's the benefit of the
Code:
<username>@<domainname>
transmission. It is also irrelevant whether you use secure NFSv4 or not (sys, krb5, krb5i, krb5p).

If the same user/group names don't exist on server and clients, the mapping of the user/group name will default to nobody/nogroup (which are the default settings).
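To make the owner round trip from the two replies above concrete, here is an added example (not from this thread and not FreeBSD's nfsuserd code) that simulates the translation with constructed passwd data for both hosts; the user names, UIDs and domains are made up, and treating a foreign domain as unknown is a simplification assumed here.

```shell
#!/bin/sh
# Simulates the NFSv4 owner translation discussed in this thread:
#   server UID -> "name@domain"   (server-side nfsuserd)
#   "name@domain" -> client UID   (client-side nfsuserd), falling back to
#   the UID of "nobody" when the name or domain is unknown on the client.
# Both passwd snippets are constructed sample data, not real systems.

SERVER_PASSWD='root:*:0:0:root:/root:/bin/csh
test:*:1001:1001:Test user:/home/test:/bin/sh
max:*:1005:1005:Max:/home/max:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin'

CLIENT_PASSWD='root:*:0:0:root:/root:/bin/csh
test:*:2001:2001:Test user:/home/test:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin'

# Server side: name for a UID plus the NFSv4 domain ("nobody@..." if unknown).
server_uid_to_owner() {   # $1 = passwd data, $2 = uid, $3 = server domain
    name=$(printf '%s\n' "$1" | awk -F: -v uid="$2" '$3 == uid { print $1; exit }')
    printf '%s@%s\n' "${name:-nobody}" "$3"
}

# Client side: resolve "name@domain" to a local UID.  A name missing from the
# client passwd, or a domain other than the client's own (simplification
# assumed here), maps to the client's "nobody" UID.
client_owner_to_uid() {   # $1 = passwd data, $2 = owner string, $3 = client domain
    name=${2%@*}
    domain=${2#*@}
    [ "$domain" = "$3" ] || name=nobody
    uid=$(printf '%s\n' "$1" | awk -F: -v n="$name" '$1 == n { print $3; exit }')
    [ -n "$uid" ] || uid=$(printf '%s\n' "$1" | awk -F: '$1 == "nobody" { print $3; exit }')
    printf '%s\n' "$uid"
}

# Round trip for one server UID: prints the UID the client ends up seeing.
map_owner() {             # $1 = server uid, $2 = server domain, $3 = client domain
    owner=$(server_uid_to_owner "$SERVER_PASSWD" "$1" "$2")
    client_owner_to_uid "$CLIENT_PASSWD" "$owner" "$3"
}

# uid 1001 (test) on the server is shown as uid 2001 (test) on the client,
# so differing numeric IDs are fine as long as the name exists on both sides;
# uid 1005 (max) has no client account and therefore collapses to nobody.
map_owner 1001 example.org example.org
map_owner 1005 example.org example.org
```

This covers only the owner/group attributes that NFSv4 carries as names; with sec=sys the RPC credential itself still carries the client's numeric UID/GID, and that is what the server checks against the ACL.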
 
How should I map "max@example.org" to ...?
I know nfsuserd does this, but I can't find the config file.

Does this work without matching UIDs on both the server and the client?

The mapping is done on the client side, so you have to configure it there. If you have Linux clients please look at:
https://linux.die.net/man/8/rpc.idmapd
(/etc/idmapd.conf)
http://man7.org/linux/man-pages/man5/nfsidmap.5.html (/etc/idmapd.conf)

If you have FreeBSD clients it seems that you can't configure it, so the usernames/groupnames must exist on the client side:
https://www.freebsd.org/cgi/man.cgi...FreeBSD+11.0-RELEASE&arch=default&format=html
 

See here ->> https://forums.freebsd.org/threads/51122/
 