[Bug 743976] nfs4 idmapd does not map gid correctly under gss/krb5

https://bugzilla.novell.com/show_bug.cgi?id=743976

https://bugzilla.novell.com/show_bug.cgi?id=743976#c4


--- Comment #4 from lynn wilson <lynn@xxxxxxxxxxxx> 2012-01-30 14:20:53 UTC ---
(In reply to comment #0)
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like
Gecko) Chrome/15.0.874.121 Safari/535.2

Mounting an nfs4 share using gss/krb5 only mounts read only despite rw being
specified.
However, a conventional mount without gss/krb5 maps fine.

I used Yast to set the gss security and the nfs4 domain.

/etc/fstab
/home /export/home none rw,bind 0 0

/etc/exports
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check)
/export *(rw,fsid=0,crossmnt,insecure,no_subtree_check,async)
/export/home *(rw,insecure,no_subtree_check,async)

With this:
mount -t nfs4 server:/home /mnt -o sec=krb5
A Kerberos authenticated user cannot write to the share under /mnt in his
exported home directory.

With this:
mount -t nfs4 server:/home /mnt
he can. The gid is mapped correctly.

Adding this to /etc/exports fixes the problem:
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,gid=100)


Should be anongid=100)

e.g. fqdn hh3.hh3.site, nfs4 domain CACTUS, user steve5 uid=300020, gid=100

/etc/idmapd.conf
[General]
Verbosity=0
Pipefs-Directory=/var/lib/nfs/rpc_pipefs
Domain=CACTUS
[Mapping]
Nobody-User=nobody
Nobody-Group=nobody
idmapd seems to be working fine. Mappings are perfect client/server

mount -t nfs4:/home /mnt -o sec=krb5

Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:45825 for
nfs/hh3.hh3.site@xxxxxxxx [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T21:16:16 starttime: 2012-01-28T21:16:16
endtime: 2012-01-29T07:16:16 renew till: 2012-01-29T21:16:16

user steve5 logs in:
# su steve5
(passwd etc...)
Kerberos: AS-REQ steve5@xxxxxxxx from ipv4:192.168.1.3:50182 for
krbtgt/HH3.SITE@xxxxxxxx
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- steve5@xxxxxxxx
Kerberos: Looking for ENC-TS pa-data -- steve5@xxxxxxxx
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- steve5@xxxxxxxx
Kerberos: AS-REQ steve5@xxxxxxxx from ipv4:192.168.1.3:44732 for
krbtgt/HH3.SITE@xxxxxxxx
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- steve5@xxxxxxxx
Kerberos: Looking for ENC-TS pa-data -- steve5@xxxxxxxx
Kerberos: ENC-TS Pre-authentication succeeded -- steve5@xxxxxxxx using
arcfour-hmac-md5

steve5 goes to the share:
# cd /mnt/CACTUS/steve5
Kerberos: TGS-REQ steve5@xxxxxxxx from ipv4:192.168.1.3:43987 for
nfs/hh3.hh3.site@xxxxxxxx [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-01-28T21:21:50 starttime: 2012-01-28T21:23:29
endtime: 2012-01-29T07:21:50 renew till: 2012-01-29T21:21:50

idmappings under the mount seem OK:
steve5@hh3:/mnt/CACTUS/steve5> ls -la
total 220
drwxr-xr-x 27 steve5 users 4096 Jan 28 21:21 .
drwxr-xr-x 9 root root 4096 Jan 12 09:05 ..
-rwxr-xr-x 1 steve5 users 2331 Jan 28 19:11 .bash_history
-rwxr-xr-x 1 steve5 users 0 Jan 8 12:59 c
drwxr-xr-x 5 steve5 users 4096 Jan 8 15:10 .cache
drwxr-xr-x 11 steve5 users 4096 Jan 12 08:17 .config
drwxr-xr-x 3 steve5 users 4096 Jan 8 10:31 .dbus
drwxr-xr-x 2 steve5 users 4096 Jan 8 19:28 Desktop

_BUT_
steve5@hh3:/mnt/CACTUS/steve5> touch myfile.txt
touch: cannot touch `myfile.txt': Permission denied

So we go back to the actual home folder:
steve5@hh3:/mnt/CACTUS/steve5> cd /home/CACTUS/steve5
steve5@hh3:~> touch myfile.txt
steve5@hh3:~> ls -la myfile.txt
-rw-r--r-- 1 steve5 users 0 Jan 28 21:31 myfile.txt
And there is rw access

The nfs4 share is only writeable without the gss/krb5.

Workaround:
add the gid to the export in /etc/exports:
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,gid=100)

And then user steve5 can write to the share.


Reproducible: Always

Steps to Reproduce:
1. mount -t nfs4 server:/home /mnt -o sec=krb5
2. cd to the mount as an authenticated user
3. touch myfile.txt
Actual Results:
touch: cannot touch `myfile.txt': Permission denied


Expected Results:
the file myfile.txt is created

There are two ways to work around this: either by specifying a gid in
/etc/exports or by not using gss/krb5. Both are rather limiting.

As this is to do with security I hope you don't mind me marking this as Major.
I'm sure that I've overlooked something simple with idmapd but I can't see
what is preventing the rw on the share.

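As an added example (not part of the bug report or of nfs-utils), a small Python audit of the /etc/exports lines quoted above: it parses each client(options) entry, flags option keywords that exports(5) does not define (the gid= in the workaround, which should be anongid=), and points out that the wildcard `*` lines export the same paths rw with no Kerberos requirement, so the gss/krb5 line alone is not what controls access. The KNOWN_OPTIONS set is assumed from exports(5); the sample exports are constructed from the report.

```python
import re
# exports(5) option keywords; an option not in this set (such as the "gid="
# from the workaround in the report above) is reported as unknown.
KNOWN_OPTIONS = {
    "rw", "ro", "sync", "async", "secure", "insecure", "root_squash",
    "no_root_squash", "all_squash", "no_all_squash", "subtree_check",
    "no_subtree_check", "fsid", "anonuid", "anongid", "nohide", "hide", "crossmnt",
    "sec", "wdelay", "no_wdelay", "mountpoint", "mp", "no_acl", "secure_locks",
    "insecure_locks", "no_auth_nlm", "refer", "replicas",
}
# One export token: "client(opt,opt=val,...)" or a bare client without options.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")

def parse_exports(text):
    """Parse /etc/exports text into (path, client, {option: value}) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for m in CLIENT_RE.finditer(rest):
            client = m.group(1) or m.group(3)
            opts = {}
            for opt in filter(None, (m.group(2) or "").split(",")):
                key, sep, value = opt.partition("=")
                opts[key] = value if sep else None
            entries.append((path, client, opts))
    return entries

def audit_exports(text):
    """Return (path, client, message) findings worth raising in review."""
    findings = []
    for path, client, opts in parse_exports(text):
        for key in opts:
            if key not in KNOWN_OPTIONS:
                findings.append((path, client, f"unknown option '{key}'"))
        # An rw export to "*" without sec= accepts AUTH_SYS from any host, so
        # the Kerberos requirement on the gss/krb5 line does not protect it.
        if client == "*" and "rw" in opts and "sec" not in opts:
            findings.append((path, client, "rw to every host without sec="))
    return findings

# Constructed sample: the exports from the report plus the gid= workaround.
SAMPLE_EXPORTS = """\
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,gid=100)
/export *(rw,fsid=0,crossmnt,insecure,no_subtree_check,async)
/export/home *(rw,insecure,no_subtree_check,async)
"""
```

Run `audit_exports(open("/etc/exports").read())` against a real file to get the same three kinds of findings for it.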
