Hi Bruce,
We are building nfs-utils 1.0.7 with libnfsidmap 0.20 to avoid a bug
with userid mappings in libnfsidmap 0.12.
Then we tripped over nfs/<FQDN> principals not being resolved. Luckily I
came across:
http://linux-nfs.org/pipermail/nfsv4/2006-June/004564.html
and realised that the code to handle nfs/<FQDN> principals is now in
nfs-utils (utils/gssd/svcgssd_proc.c).
Are there any other known issues we might trip over as a result of using
nfs-utils 1.0.7 with libnfsidmap 0.20?
Thanks,
#
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs
On 10/23/07, Harshula <[email protected]> wrote:
> Hi Bruce,
>
> We are building nfs-utils 1.0.7 with libnfsidmap 0.20 to avoid a bug
> with userid mappings in libnfsidmap 0.12.
>
> Then we tripped over nfs/<FQDN> principals not being resolved. Luckily I
> came across:
> http://linux-nfs.org/pipermail/nfsv4/2006-June/004564.html
>
> and realised that the code to handle nfs/<FQDN> principals is now in
> nfs-utils (utils/gssd/svcgssd_proc.c).
>
> Are there any other known issues we might trip over as a result of using
> nfs-utils 1.0.7 with libnfsidmap 0.20?
>
> Thanks,
> #
Sorry for the troubles. I'm not Bruce, but AFAIK there aren't other
issues, and it should always be safe to use the latest libraries.
K.C.
Hi Kevin,
On Tue, 2007-10-23 at 20:54 +1000, Harshula wrote:
> Hi Bruce,
>
> We are building nfs-utils 1.0.7 with libnfsidmap 0.20 to avoid a bug
> with userid mappings in libnfsidmap 0.12.
>
> Then we tripped over nfs/<FQDN> principals not being resolved. Luckily I
> came across:
> http://linux-nfs.org/pipermail/nfsv4/2006-June/004564.html
>
> and realised that the code to handle nfs/<FQDN> principals is now in
> nfs-utils (utils/gssd/svcgssd_proc.c).
re: utils/gssd/svcgssd_proc.c:
-----------------------------------------------------
/*
 * -ENOENT means there was no mapping, any other error
 * value means there was an error trying to do the
 * mapping.
 * If there was no mapping, we send down the value -1
 * to indicate that the anonuid/anongid for the export
 * should be used.
 */
if (res == -ENOENT) {
        cred->cr_uid = -1;
        cred->cr_gid = -1;
        cred->cr_ngroups = 0;
        res = 0;
        goto out_free;
}
-----------------------------------------------------
What happens if the server has an export with the no_root_squash option?
I did a quick test with the above code snippet backported to nfs-utils
1.0.7 and found that an export with no_root_squash would still
root_squash.
By doing:
-----------------------------------------------------
/*
 * -ENOENT means there was no mapping, any other error
 * value means there was an error trying to do the
 * mapping.
 */
if (res == -ENOENT && strncmp(sname, "nfs/", 4) == 0) {
        cred->cr_uid = 0;
        cred->cr_gid = 0;
        cred->cr_ngroups = 0;
        res = 0;
        goto out_free;
}
-----------------------------------------------------
The root_squash/no_root_squash behaviour was as expected. Is there any
problem with mapping to root UID iff the name has the "nfs/" prefix?
cya,
#
On Nov 14, 2007 2:11 AM, Harshula <[email protected]> wrote:
> Hi Kevin,
>
> On Tue, 2007-10-23 at 20:54 +1000, Harshula wrote:
> > Hi Bruce,
> >
> > We are building nfs-utils 1.0.7 with libnfsidmap 0.20 to avoid a bug
> > with userid mappings in libnfsidmap 0.12.
> >
> > Then we tripped over nfs/<FQDN> principals not being resolved. Luckily I
> > came across:
> > http://linux-nfs.org/pipermail/nfsv4/2006-June/004564.html
> >
> > and realised that the code to handle nfs/<FQDN> principals is now in
> > nfs-utils (utils/gssd/svcgssd_proc.c).
>
> re: utils/gssd/svcgssd_proc.c:
> -----------------------------------------------------
> /*
>  * -ENOENT means there was no mapping, any other error
>  * value means there was an error trying to do the
>  * mapping.
>  * If there was no mapping, we send down the value -1
>  * to indicate that the anonuid/anongid for the export
>  * should be used.
>  */
> if (res == -ENOENT) {
>         cred->cr_uid = -1;
>         cred->cr_gid = -1;
>         cred->cr_ngroups = 0;
>         res = 0;
>         goto out_free;
> }
> -----------------------------------------------------
>
> What happens if the server has an export with the no_root_squash option?
>
> I did a quick test with the above code snippet backported to nfs-utils
> 1.0.7 and found that an export with no_root_squash would still
> root_squash.
>
> By doing:
> -----------------------------------------------------
> /*
>  * -ENOENT means there was no mapping, any other error
>  * value means there was an error trying to do the
>  * mapping.
>  */
> if (res == -ENOENT && strncmp(sname, "nfs/", 4) == 0) {
>         cred->cr_uid = 0;
>         cred->cr_gid = 0;
>         cred->cr_ngroups = 0;
>         res = 0;
>         goto out_free;
> }
> -----------------------------------------------------
>
> The root_squash/no_root_squash behaviour was as expected. Is there any
> problem with mapping to root UID iff the name has the "nfs/" prefix?
>
> cya,
> #
1) this doesn't account for other cases where there is no mapping.
This would seem more appropriate for what you are trying to do.
if (res == -ENOENT) {
        if (strncmp(sname, "nfs/", 4) == 0) {
                cred->cr_uid = 0;
                cred->cr_gid = 0;
        } else {
                cred->cr_uid = -1;
                cred->cr_gid = -1;
        }
        cred->cr_ngroups = 0;
        res = 0;
        goto out_free;
}
2) a later version of nfs-utils allows root to use any credentials
(does not use machine credentials for all accesses by root), which
will defeat this check.
Otherwise, I think it is equivalent to the older version of nfs-utils
+ libnfsidmap.
K.C.
Hi Kevin,
On Wed, 2007-11-14 at 09:59 -0500, Kevin Coffman wrote:
> 1) this doesn't account for other cases where there is no mapping.
In practice, what are the "other cases" where a failed
nfs4_gss_princ_to_ids() lookup needs to be mapped to 'nobody'?
> 2) a later version of nfs-utils allows root to use any credentials
> (does not use machine credentials for all accesses by root), which
> will defeat this check.
Thanks for the heads-up.
cya,
#
On Nov 15, 2007 5:29 AM, Harshula <[email protected]> wrote:
> Hi Kevin,
>
> On Wed, 2007-11-14 at 09:59 -0500, Kevin Coffman wrote:
>
> > 1) this doesn't account for other cases where there is no mapping.
>
> In practice, what are the "other cases" where a failed
> nfs4_gss_princ_to_ids() lookup needs to be mapped to 'nobody'?
You have cross-realm Kerberos trusts set up. A user from a different
Kerberos realm comes to your server and you have no local mapping for
that user.
A new local user is created, but has not yet been placed in the mappings.
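
Added example, not part of the thread and not nfs-utils code: a stand-alone C model of the -ENOENT fallback discussed above, which goes beyond the posted check by optionally comparing the realm, since the "nfs/" prefix test alone never looks at it. It assumes sname has the form service/host@REALM; struct model_cred, map_unmapped() and is_local_nfs_principal() are hypothetical names, and the principals used to exercise it are constructed.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Minimal stand-in for the credential struct in the thread (assumed layout). */
struct model_cred {
    uid_t cr_uid;
    gid_t cr_gid;
    int   cr_ngroups;
};

/* Hypothetical helper: true only for "nfs/<host>@<local_realm>". */
static int is_local_nfs_principal(const char *sname, const char *local_realm)
{
    const char *at = strrchr(sname, '@');

    if (strncmp(sname, "nfs/", 4) != 0 || at == NULL || at == sname + 4)
        return 0;               /* wrong service, no realm, or empty host */
    return strcmp(at + 1, local_realm) == 0;
}

/*
 * Model of the fallback. res is the negative-errno result of the name
 * lookup. Returns 0 when cred was filled in by the fallback, otherwise
 * returns res unchanged and leaves cred alone. Passing local_realm == NULL
 * gives the prefix-only behaviour posted in the thread.
 */
int map_unmapped(int res, const char *sname, const char *local_realm,
                 struct model_cred *cred)
{
    int machine;

    if (res != -ENOENT)
        return res;             /* a real lookup error is not handled here */

    machine = local_realm ? is_local_nfs_principal(sname, local_realm)
                          : strncmp(sname, "nfs/", 4) == 0;
    if (machine) {
        cred->cr_uid = 0;       /* root_squash/no_root_squash then applies */
        cred->cr_gid = 0;
    } else {
        cred->cr_uid = (uid_t)-1;   /* -1: use the export's anonuid/anongid */
        cred->cr_gid = (gid_t)-1;
    }
    cred->cr_ngroups = 0;
    return 0;
}
```

With local_realm set to NULL, an unmapped nfs/ principal from any trusted realm is mapped to uid 0; with a realm supplied, only the local realm's nfs/ principals are, and everything else unmapped falls back to -1.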