I do not get the expected file permissions from my LAN server using NFS4.
Mounting the 'exports' dir as a client works fine. ls outputs the correct folder content. But if the client tries to cd into a dir, he gets a "Permission denied".
If the client uses ls -l to list the content of the mounted folder, he gets GID:UID numbers for the owner of each file. I was expecting NFS4 to give the client username:groupname as a string, not as a number. The shown UIDs do not match the UID of the client user. I think this is why I get "permission denied".
I have a user 'Paul' (UID=1004) on the server and a user 'Paul' (UID=1000) on the client. I'd like to handle NFS4 file permissions by the names, NOT by the IDs.
This is the current setup:
Mounting as client:
How I mount the exports on the Ubuntu 14.04 client:
sudo mount.nfs4 192.168.178.10:/ /fs_data -o soft,intr,rsize=8192,wsize=8192
NFS Server Setup:
All the changes that I made to the NFS4 server on Raspbian, after installing 'nfs-kernel-server', 'rpcbind' and 'nfs-common':
/etc/default/rpcbind
OPTIONS=""
/etc/hosts.deny
rpcbind:ALL
/etc/hosts.allow
rpcbind: 192.168.178.20 , 192.168.178.21
/etc/default/nfs-kernel-server
NEED_SVCGSSD=NO
/etc/default/nfs-common
NEED_IDMAPD=YES
NEED_GSSD=no
/etc/exports
/exports 192.168.178.20(rw,sync,fsid=0,crossmnt,no_subtree_check,no_root_squash,insecure) 192.168.178.21(rw,sync,fsid=0,crossmnt,no_subtree_check,no_root_squash,insecure)
/exports/paul 192.168.178.20(rw,sync,no_subtree_check,no_root_squash,insecure) 192.168.178.21(rw,sync,no_subtree_check,no_root_squash,insecure)
Any clue what I'm missing?
I think this is a trap in nfs4 that a lot of people have been faced with, including me. In nfs4 you specify a sec= flavor, and when not specified the default is AUTH_SYS, which means sending local UIDs and GIDs to the server, which are then compared. As far as I understood it, only when using a security flavor of the krb5* family does the client send the authentication as a string with <username>:<groupname>.
Here is a more detailed explanation of what happens behind the scenes.
In the manpage of nfs, there is also a section "Using non-privileged source ports" which mentions that if the server accepts non-privileged ports any user could pretend an identity, and that sounds like a security issue one could use as a workaround. But I don't know if that is that easy or if it needs some hacks to make it usable. And, in the end, it is still a security issue.
Maybe the easiest way is to keep the UIDs and GIDs in sync manually or set up a simple NIS or LDAP. And when using sssd you also could cache the login credentials from NIS or LDAP, but the user has to log in once while connected with the server reachable.
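As an added illustration of the two points in this answer (it is not code from the answer's author), the script below reads the sec= flavor out of a mount-option string the way it appears in /proc/mounts, falling back to "sys" when none is given, and compares two passwd-style listings to find accounts whose names match but whose UIDs differ, which is exactly what AUTH_SYS trips over. The passwd listings are constructed samples, not real system files.

```sh
#!/bin/sh
# Constructed sample passwd entries: "paul" has UID 1004 on the server
# and UID 1000 on the client, as in the question; "anna" matches.
SERVER_PASSWD='root:x:0:0:root:/root:/bin/bash
paul:x:1004:1004:Paul:/home/paul:/bin/bash
anna:x:1005:1005:Anna:/home/anna:/bin/bash'

CLIENT_PASSWD='root:x:0:0:root:/root:/bin/bash
paul:x:1000:1000:Paul:/home/paul:/bin/bash
anna:x:1005:1005:Anna:/home/anna:/bin/bash'

# sec_flavor OPTIONS
# Prints the sec= flavor from a comma-separated mount option string.
# With AUTH_SYS being the default, a missing sec= is reported as "sys".
sec_flavor() {
    f=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    printf '%s\n' "${f:-sys}"
}

# uid_mismatches SERVER_PASSWD CLIENT_PASSWD
# Prints "name server_uid client_uid" for every account that exists on
# both sides with a different numeric UID. Returns 1 if any mismatch was
# found (so it can gate a deployment check), 0 otherwise.
uid_mismatches() {
    s=$(mktemp) || return 2
    c=$(mktemp) || { rm -f "$s"; return 2; }
    printf '%s\n' "$1" > "$s"
    printf '%s\n' "$2" > "$c"
    # First pass (NR==FNR) records server UIDs by name; second pass
    # compares each client account against that table.
    awk -F: 'NR == FNR { uid[$1] = $3; next }
             ($1 in uid) && uid[$1] != $3 { print $1, uid[$1], $3; n++ }
             END { exit n ? 1 : 0 }' "$s" "$c" && rc=0 || rc=1
    rm -f "$s" "$c"
    return $rc
}

# Example run with the constructed data; compare against a real client
# with: uid_mismatches "$(ssh server cat /etc/passwd)" "$(cat /etc/passwd)"
sec_flavor 'rw,relatime,vers=4.0,rsize=8192,wsize=8192,soft'
uid_mismatches "$SERVER_PASSWD" "$CLIENT_PASSWD"
```

Until the UIDs agree (or a krb5* flavor is used), idmapd only affects the names shown by ls -l, not the access decision.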