https://bugzilla.novell.com/show_bug.cgi?id=743976
https://bugzilla.novell.com/show_bug.cgi?id=743976#c4
--- Comment #4 from lynn wilson
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2
Mounting an nfs4 share using gss/krb5 only mounts read only despite rw being specified. However, a conventional mount without gss/krb5 maps fine.
I used Yast to set the gss security and the nfs4 domain.
/etc/fstab:
    /home /export/home none rw,bind 0 0

/etc/exports:
    /export       gss/krb5(rw,fsid=0,insecure,no_subtree_check)
    /export/home  gss/krb5(rw,nohide,insecure,no_subtree_check)
    /export       *(rw,fsid=0,crossmnt,insecure,no_subtree_check,async)
    /export/home  *(rw,insecure,no_subtree_check,async)
With this:
    mount -t nfs4 server:/home /mnt -o sec=krb5
a Kerberos-authenticated user cannot write to the share under /mnt in his exported home directory.

With this:
    mount -t nfs4 server:/home /mnt
he can. The gid is mapped correctly.

Adding this to /etc/exports fixes the problem:
    /export/home gss/krb5(rw,nohide,insecure,no_subtree_check,gid=100)

Should be anongid=100)
e.g. fqdn hh3.hh3.site, nfs4 domain CACTUS, user steve5 uid=300020, gid=100
/etc/idmapd.conf:
    [General]
    Verbosity=0
    Pipefs-Directory=/var/lib/nfs/rpc_pipefs
    Domain=CACTUS

    [Mapping]
    Nobody-User=nobody
    Nobody-Group=nobody

idmapd seems to be working fine. Mappings are perfect client/server.
    mount -t nfs4:/home /mnt -o sec=krb5

    Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:45825 for nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable]
    Kerberos: TGS-REQ authtime: 2012-01-28T21:16:16 starttime: 2012-01-28T21:16:16 endtime: 2012-01-29T07:16:16 renew till: 2012-01-29T21:16:16

user steve5 logs in:
    # su steve5 (passwd etc...)

    Kerberos: AS-REQ steve5@HH3.SITE from ipv4:192.168.1.3:50182 for krbtgt/HH3.SITE@HH3.SITE
    Kerberos: Client sent patypes: 149
    Kerberos: Looking for PKINIT pa-data -- steve5@HH3.SITE
    Kerberos: Looking for ENC-TS pa-data -- steve5@HH3.SITE
    Kerberos: No preauth found, returning PREAUTH-REQUIRED -- steve5@HH3.SITE
    Kerberos: AS-REQ steve5@HH3.SITE from ipv4:192.168.1.3:44732 for krbtgt/HH3.SITE@HH3.SITE
    Kerberos: Client sent patypes: encrypted-timestamp, 149
    Kerberos: Looking for PKINIT pa-data -- steve5@HH3.SITE
    Kerberos: Looking for ENC-TS pa-data -- steve5@HH3.SITE
    Kerberos: ENC-TS Pre-authentication succeeded -- steve5@HH3.SITE using arcfour-hmac-md5

steve5 goes to the share:
    # cd /mnt/CACTUS/steve5

    Kerberos: TGS-REQ steve5@HH3.SITE from ipv4:192.168.1.3:43987 for nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable, forwardable]
    Kerberos: TGS-REQ authtime: 2012-01-28T21:21:50 starttime: 2012-01-28T21:23:29 endtime: 2012-01-29T07:21:50 renew till: 2012-01-29T21:21:50

idmappings under the mount seem OK:
    steve5@hh3:/mnt/CACTUS/steve5> ls -la
    total 220
    drwxr-xr-x 27 steve5 users 4096 Jan 28 21:21 .
    drwxr-xr-x  9 root   root  4096 Jan 12 09:05 ..
    -rwxr-xr-x  1 steve5 users 2331 Jan 28 19:11 .bash_history
    -rwxr-xr-x  1 steve5 users    0 Jan  8 12:59 c
    drwxr-xr-x  5 steve5 users 4096 Jan  8 15:10 .cache
    drwxr-xr-x 11 steve5 users 4096 Jan 12 08:17 .config
    drwxr-xr-x  3 steve5 users 4096 Jan  8 10:31 .dbus
    drwxr-xr-x  2 steve5 users 4096 Jan  8 19:28 Desktop

_BUT_
    steve5@hh3:/mnt/CACTUS/steve5> touch myfile.txt
    touch: cannot touch `myfile.txt': Permission denied

So we go back to the actual home folder:
    steve5@hh3:/mnt/CACTUS/steve5> cd /home/CACTUS/steve5
    steve5@hh3:~> touch myfile.txt
    steve5@hh3:~> ls -la myfile.txt
    -rw-r--r-- 1 steve5 users 0 Jan 28 21:31 myfile.txt

And there is rw access.
The nfs4 share is only writeable without the gss/krb5.
Workaround: add the gid to the export in /etc/exports:
    /export/home gss/krb5(rw,nohide,insecure,no_subtree_check,gid=100)
And then user steve5 can write to the share.
Reproducible: Always
Steps to Reproduce:
1. mount -t nfs4 server:/home /mnt -o sec=krb5
2. cd to the mount as an authenticated user
3. touch myfile.txt

Actual Results:
    touch: cannot touch `myfile.txt': Permission denied
Expected Results: the file myfile.txt is created
There are two ways to work around this: either by specifying a gid in /etc/exports or by not using gss/krb5. Both are rather limiting.

As this is to do with security I hope you don't mind me marking this as Major. I'm sure that I've overlooked something simple with idmapd, but I can't see what is preventing the rw on the share.
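A configuration audit for the situation in this report, added here as an example and not the reporter's or nfs-utils' code: it parses /etc/exports in the form shown above, reports options exportfs would not recognise (such as the gid=100 first tried), and flags writable exports whose access depends on anonuid/anongid, because that workaround hands every request that fails ID mapping the mapped identity's write access. The sample exports text is constructed from the report's own lines.

```python
import re

# Options exportfs(8) accepts; anything else is reported as unknown
# (the report above first tried "gid=100", which is not one of them).
KNOWN_OPTS = {
    "rw", "ro", "sync", "async", "secure", "insecure", "root_squash", "no_root_squash",
    "all_squash", "no_all_squash", "subtree_check", "no_subtree_check", "crossmnt", "nohide",
    "hide", "wdelay", "no_wdelay", "secure_locks", "insecure_locks", "no_auth_nlm", "mountpoint",
    "mp", "no_acl", "fsid", "anonuid", "anongid", "sec", "refer", "replicas",
}

# Constructed from the report's /etc/exports, carrying both the first
# workaround (gid=100) and the corrected one (anongid=100) for the audit.
SAMPLE_EXPORTS = """\
/export       gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export/home  gss/krb5(rw,nohide,insecure,no_subtree_check,gid=100)
/export/home  gss/krb5(rw,nohide,insecure,no_subtree_check,anongid=100)
/export       *(rw,fsid=0,crossmnt,insecure,no_subtree_check,async)
/export/home  *(rw,insecure,no_subtree_check,async)
"""

def parse_exports(text):
    """Yield (path, client, {option: value}) for every client spec."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if m is None:  # unbalanced parentheses: skip rather than guess
                continue
            client = m.group(1) or "*"  # a bare "(rw)" means every client
            opts = dict(item.partition("=")[::2] for item in filter(None, (m.group(2) or "").split(",")))
            yield path, client, opts

def audit(text):
    """Return (path, client, issue) findings for an /etc/exports body."""
    findings = []
    for path, client, opts in parse_exports(text):
        unknown = sorted(k for k in opts if k not in KNOWN_OPTS)
        if unknown:
            findings.append((path, client, "unknown option: " + ",".join(unknown)))
        # rw plus anonuid/anongid set to a real identity: every request that fails
        # ID mapping gets that identity's write access; fix the mapping instead.
        anon = sorted(f"{k}={v}" for k, v in opts.items() if k in ("anonuid", "anongid"))
        if "rw" in opts and anon:
            findings.append((path, client, "rw with anonymous mapping " + ",".join(anon)))
    return findings
```

Running audit(SAMPLE_EXPORTS) reports the unknown gid option on the first workaround line and the anongid=100 dependency on the corrected one; the four exports without a workaround produce no findings.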