Gentoo Forums
permission issue using nfsv4 [solved]
Forum: Networking & Security

javeree (Guru; joined 29 Jan 2006; 455 posts)
Posted: Fri Mar 06, 2020 6:07 pm    Post subject: permission issue using nfsv4 [solved]

background:
I wanted to run a dovecot server on nfsclient, and export the mail spool as '/mnt/mail' via nfsv4.
user 'jan' has uid 1002 on nfsclient and uid 1000 on nfsserver, so my first attempt resulted in /mnt/mail/jan/* being owned by another user who happened to have uid 1000 on the nfs server.
=> I ran idmapd on both nfsclient and nfsserver, restarted the server and remounted the share.

As user jan, I get for "ls -ld /mnt/mail/jan /mnt/mail/jan/*"

Quote:
ls: cannot access '/mnt/mail/jan/*': Permission denied
drwx------ 300 jan root 20480 Mar 6 18:12 /mnt/mail/jan


Still, I see that the files /mnt/mail/jan/* are owned by user jan:
Now running as root on nfsclient: ls -ld /mnt/mail/jan /mnt/mail/jan/*
Quote:
drwx------ 300 jan root 20480 Mar 6 18:12 /mnt/mail/jan
drwx------ 2 jan root 290816 Mar 6 18:11 /mnt/mail/jan/cur
-rw------- 1 jan users 21160 Mar 6 18:09 /mnt/mail/jan/dovecot.index
-rw------- 1 jan users 165288 Mar 6 18:11 /mnt/mail/jan/dovecot.index.cache
-rw------- 1 jan users 12544 Mar 6 18:12 /mnt/mail/jan/dovecot.index.log
-rw------- 1 jan users 32832 Mar 5 19:34 /mnt/mail/jan/dovecot.index.log.2
-rw------- 1 jan users 14677 Mar 29 2014 /mnt/mail/jan/dovecot.index.thread
-rw------- 1 jan users 71 May 30 2019 /mnt/mail/jan/dovecot-keywords
-rw------- 1 jan users 32232 Mar 4 12:31 /mnt/mail/jan/dovecot.list.index
-rw------- 1 jan users 5312 Mar 6 18:11 /mnt/mail/jan/dovecot.list.index.log
-rw------- 1 jan users 3864 Feb 28 09:59 /mnt/mail/jan/dovecot.mailbox.log
-rw------- 1 jan users 4104 Nov 12 2017 /mnt/mail/jan/dovecot.mailbox.log.2
-rw------- 1 jan users 73324 Mar 6 17:56 /mnt/mail/jan/dovecot-uidlist
-rw------- 1 jan users 8 Feb 27 21:53 /mnt/mail/jan/dovecot-uidvalidity
-rw------- 1 jan users 0 Aug 4 2010 /mnt/mail/jan/dovecot-uidvalidity.4c589e62
-r--r--r-- 1 jan users 0 Oct 24 2012 /mnt/mail/jan/dovecot-uidvalidity.50881400
drwx------ 2 jan root 73728 Mar 6 17:56 /mnt/mail/jan/new
-rw------- 1 jan users 6568 Feb 28 09:59 /mnt/mail/jan/subscriptions
drwx------ 2 jan root 69632 Mar 6 17:56 /mnt/mail/jan/tmp



I got some extra information from dovecot running on nfsclient. I can start dovecot alright, but when I try to read my inbox, I get the following in dovecot log:
Quote:
Mar 06 18:26:11 [dovecot] imap-login: Login: user=<jan>, method=PLAIN, rip=192.168.1.20, lip=192.168.4.58, mpid=24281, TLS, session=<L3wE8zKgwJDAqAEU>
Mar 06 18:26:11 [dovecot] imap(jan)<24281><L3wE8zKgwJDAqAEU>: Error: stat(/mnt/mail/jan/subscriptions) failed: Permission denied
Mar 06 18:26:11 [dovecot] imap(jan)<24281><L3wE8zKgwJDAqAEU>: Error: open(/mnt/mail/jan/dovecot.list.index.log) failed: Permission denied (euid=1000(jan) egid=1000(jan) missing +x perm: /mnt/mail/jan, UNIX perms appear ok (ACL/MAC wrong?))
Mar 06 18:26:11 [dovecot] imap(jan)<24281><L3wE8zKgwJDAqAEU>: Error: opendir(/mnt/mail/jan) failed: Permission denied (euid=1000(jan) egid=1000(jan) missing +r perm: /mnt/mail/jan, UNIX perms appear ok (ACL/MAC wrong?), dir owned by 0:100 mode=0750)
Mar 06 18:26:11 [dovecot] imap(jan)<24281><L3wE8zKgwJDAqAEU>: Error: Couldn't create mailbox list lock /mnt/mail/jan/mailboxes.lock: file_create_locked(/mnt/mail/jan/mailboxes.lock) failed: open(/mnt/mail/jan/mailboxes.lock) failed: Permission denied
Mar 06 18:26:11 [dovecot] imap(jan)<24281><L3wE8zKgwJDAqAEU>: Error: stat(/mnt/mail/jan/tmp) failed: Permission denied (euid=1000(jan) egid=1000(jan) missing +x perm: /mnt/mail/jan, UNIX perms appear ok (ACL/MAC wrong?))


The key here seems to be that somehow /mnt/mail/jan/ is owned by root:users instead of jan:root as the ls command thinks.
But here I am stuck. What could cause this 'incorrect' ownership?


Last edited by javeree on Thu Mar 19, 2020 9:24 am; edited 1 time in total
alamahant (Advocate; joined 23 Mar 2019; 3948 posts)
Posted: Sun Mar 08, 2020 9:29 am

Hi,
Maybe you can use kerberized nfs4 (dovecot is kerberos-aware).
Please have a look here:
https://wiki.dovecot.org/Authentication/Kerberos
javeree (Guru; joined 29 Jan 2006; 455 posts)
Posted: Mon Mar 09, 2020 8:30 am

Tonight I'll have a look at setting up and using kerberos. It'll be a first for me, but something I've been putting off for too long. My main reason so far to avoid a centralized user management is the bunch of Windows home systems that can't play together with an AD. But in this case, it is nfs, which I only use between my linux systems.
Ant P. (Watchman; joined 18 Apr 2009; 6920 posts)
Posted: Mon Mar 09, 2020 5:58 pm

Quote:
UNIX perms appear ok (ACL/MAC wrong?)

This part of the error looks more significant to me. Do you have plain unix perms on both machines or are things like ACLs/SELinux active?
javeree (Guru; joined 29 Jan 2006; 455 posts)
Posted: Tue Mar 10, 2020 10:26 am

Yes, that seems more relevant. I checked the Kerberos page, but that is about authenticating to dovecot. That authentication works fine. I used dovecot just because it gave me a more verbose message, but the problem also appears with standard utilities such as ls, where I get a 'Permission denied' trying to access the folder.

I definitely do not have SELinux active, and as far as I know don't have ACLs either. Below are the mounts on the server and on the client side, but maybe this is not the best way to check for ACLs?
Server side: mount | grep mail
Quote:
/dev/sdb5 on /mnt/mail type ext4 (rw,noexec,noatime)
/dev/sdb5 on /export/mnt/mail type ext4 (rw,noexec,noatime)

Client side: mount | grep mail
Quote:
Hermes:/mnt/mail on /mnt/mail type nfs4 (rw,noexec,noatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.20,local_lock=none,addr=192.168.1.43,_netdev)

However, I do see in my kernel config: zgrep ACL /proc/config.gz
Quote:
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m


and lsmod | grep -i acl
Quote:
nfs_acl 16384 1 nfsd
sunrpc 241664 18 auth_rpcgss,nfsd,nfs_acl,lockd

So it is possible that I do have it active. If so, what should I check next?
alamahant (Advocate; joined 23 Mar 2019; 3948 posts)
Posted: Tue Mar 10, 2020 7:04 pm

Then either adjust the uid and gid of users to be the same across both server and client, or maybe use a centralized user repository like perhaps ldap?
OR it would be best if user@domain of nfs4 really works as it should.
Apparently you have to enable it @boot time (if not already enabled).
Maybe you should create a file in /etc/modprobe.d to activate it:
Code:

options nfs nfs4_disable_idmapping=0
options nfsd nfs4_disable_idmapping=0

and in /etc/idmapd.conf set your domain BOTH in server and client
Maybe also enable and start
nfs-idmapd
:D
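To make the mechanism behind the suggestion above concrete, here is an added example (written for this page; it is not nfs-utils or kernel code and not anything posted in the thread) that models how an NFSv4 owner attribute crosses the wire and how the client resolves it. The two passwd tables are constructed to mirror the thread (jan is uid 1000 on the server and 1002 on the client); the domain strings, the name "bob" for the client's other uid-1000 user and 65534 for nobody are assumptions. The point it shows: with sec=sys and the Linux default of nfs4_disable_idmapping=1 the owner is sent as a bare numeric uid and idmapd is never consulted, so uid clashes surface as the wrong local user; with idmapping enabled, the two hosts must agree on Domain or every owner becomes nobody.

```python
# Toy model of NFSv4 owner mapping between a server and a client whose
# uid numbering differs.  Added example; not nfs-utils or kernel code.
# Constructed inputs: the passwd tables mirror the thread (jan is 1000 on
# the server, 1002 on the client); "bob" and the domain names are assumed.

NOBODY_UID = 65534  # uid idmapd falls back to for owners it cannot map (assumed)

SERVER_PASSWD = {1000: "jan", 1001: "alice"}   # uid -> name on nfsserver
CLIENT_PASSWD = {"bob": 1000, "jan": 1002}     # name -> uid on nfsclient


def encode_owner(uid, passwd_by_uid, domain, idmapping_disabled):
    """Server side: the string nfsd places in the OWNER attribute.

    With nfs4_disable_idmapping=1 (the Linux default for sec=sys) the
    numeric uid is sent as a string; otherwise "name@Domain", where Domain
    is the server's idmapd.conf Domain.  A uid with no passwd entry is
    also sent numerically.
    """
    if idmapping_disabled or uid not in passwd_by_uid:
        return str(uid)
    return "%s@%s" % (passwd_by_uid[uid], domain)


def decode_owner(owner, passwd_by_name, domain):
    """Client side: the local uid the NFS client assigns to an owner string.

    A purely numeric owner is used verbatim, with no name lookup at all,
    which is why a uid clash between the two hosts shows up as the wrong
    local user.  A name@domain owner is resolved through the client's
    passwd only when the domain equals the client's idmapd Domain
    (compared case-insensitively); anything else maps to nobody.
    """
    if owner.isdigit():
        return int(owner)
    name, _, owner_domain = owner.rpartition("@")
    if owner_domain.lower() != domain.lower():
        return NOBODY_UID
    return passwd_by_name.get(name, NOBODY_UID)


def client_view(server_uid, server_domain, client_domain, idmapping_disabled):
    """uid the client shows for a file owned by server_uid on the server."""
    wire = encode_owner(server_uid, SERVER_PASSWD, server_domain, idmapping_disabled)
    return decode_owner(wire, CLIENT_PASSWD, client_domain)


if __name__ == "__main__":
    # 1. idmapping off (default with sec=sys): raw uid 1000 crosses the wire
    #    and lands on the client's uid 1000, i.e. bob, not jan.
    print(client_view(1000, "lan", "lan", idmapping_disabled=True))
    # 2. idmapping on, but Domain left commented out so each host derives its
    #    own default from its DNS domain name: the owner becomes nobody.
    print(client_view(1000, "hermes.lan", "client.lan", idmapping_disabled=False))
    # 3. idmapping on and Domain = mydomain on both sides: jan -> 1002.
    print(client_view(1000, "mydomain", "mydomain", idmapping_disabled=False))
```

Case 2 is the one to check for on a real system: when Domain is commented out, nfs-utils derives it from the host's DNS domain name, so two hosts without a shared FQDN suffix silently disagree. Setting the same Domain on both sides (case 3) is what makes the name-based mapping work; the example does not cover sec=krb5, where the principal rather than the numeric uid identifies the caller.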
javeree (Guru; joined 29 Jan 2006; 455 posts)
Posted: Thu Mar 19, 2020 9:24 am

This got kinda solved, but more because the basic configuration changed than because of finding the root cause with the existing configuration.

First of all, I thought I was using nfsv4, as I was mounting with -t nfs, and assuming it would use the highest protocol version. It turned out to fall back to v3.

Here, the key was that I had in /etc/exports:
Quote:
/export 192.168.0.0/255.255.127.0(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0)
/export/mnt/mail 192.168.0.0/255.255.127.0(insecure,nohide,rw,subtree_check,no_root_squash)


It only worked when I changed the permissions for /export:
Quote:
/export *(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0)
/export/mnt/mail 192.168.0.0/255.255.127.0(insecure,nohide,rw,subtree_check,no_root_squash)



The second error, which is related to the userid issue:
/etc/idmapd.conf in both client and server need the line
Quote:
Domain = mydomain

which is by default commented out.
Uncommenting it resulted in the correct user mapping.
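As an added check on the exports change in this last post (example code written for this page; not nfs-utils and not the author's), the script below parses the two /etc/exports versions quoted above and tests whether the client's clientaddr from the mount output, 192.168.1.20, is admitted by each entry. It handles only the address forms that appear here (a bare `*`, a CIDR prefix, or network/dotted-netmask), not hostnames or netgroups; the exports text and the client address are copied from the thread, and the contiguity check on the netmask is this example's own addition.

```python
import ipaddress

# The two /etc/exports versions quoted in the post above, verbatim.
EXPORTS_BEFORE = """\
/export 192.168.0.0/255.255.127.0(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0)
/export/mnt/mail 192.168.0.0/255.255.127.0(insecure,nohide,rw,subtree_check,no_root_squash)
"""
EXPORTS_AFTER = """\
/export *(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0)
/export/mnt/mail 192.168.0.0/255.255.127.0(insecure,nohide,rw,subtree_check,no_root_squash)
"""
CLIENT_ADDR = "192.168.1.20"   # clientaddr= from the client's mount line

ALL_ONES = 0xFFFFFFFF


def parse_exports(text):
    """Yield (path, client_spec, options) for every entry in an exports file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, spec = line.split(None, 1)
        for entry in spec.split():
            client, _, opts = entry.partition("(")
            yield path, client, opts.rstrip(")")


def spec_matches(client_spec, addr):
    """Return (matches, warning) for one client spec against an IPv4 address.

    Only '*', a single address, 'net/prefix' and 'net/dotted-mask' are
    understood.  The match rule is the usual (addr & mask) == (net & mask);
    a mask that is not a run of ones followed by zeros is flagged, since it
    is almost always a typo and matches something other than intended.
    """
    ip = int(ipaddress.IPv4Address(addr))
    if client_spec == "*":
        return True, None
    if "/" not in client_spec:
        return ip == int(ipaddress.IPv4Address(client_spec)), None
    net_s, mask_s = client_spec.split("/", 1)
    net = int(ipaddress.IPv4Address(net_s))
    if "." in mask_s:
        mask = int(ipaddress.IPv4Address(mask_s))
    else:
        mask = (ALL_ONES << (32 - int(mask_s))) & ALL_ONES
    warning = None
    inverted = (~mask) & ALL_ONES
    if inverted & (inverted + 1):          # zeros not all trailing -> non-contiguous
        warning = "non-contiguous netmask %s" % mask_s
    return (ip & mask) == (net & mask), warning


def check_exports(text, addr):
    """Map each exported path to whether addr is admitted by any of its specs."""
    matched, warnings = {}, []
    for path, spec, _opts in parse_exports(text):
        ok, warn = spec_matches(spec, addr)
        if warn:
            warnings.append("%s %s: %s" % (path, spec, warn))
        matched[path] = matched.get(path, False) or ok
    return matched, warnings


if __name__ == "__main__":
    for label, text in (("before", EXPORTS_BEFORE), ("after", EXPORTS_AFTER)):
        print(label, *check_exports(text, CLIENT_ADDR))
```

Run on the thread's entries, neither original line admits 192.168.1.20: 255.255.127.0 is not a contiguous netmask (bit 7 of the third octet is clear), so the comparison reduces 192.168.1.20 to 192.168.1.0 and 192.168.0.0 to itself, and they differ. With `*` on /export the fsid=0 pseudo-root is reachable from every host, and crossmnt then exposes /export/mnt/mail with the parent's options, which is consistent with the change working. Whether to keep `*` is a separate decision: it removes the network restriction entirely, `insecure` additionally accepts connections from non-privileged source ports, and the mail line still carries `no_root_squash`. A corrected mask (255.255.255.0 for the one subnet, or 255.255.128.0, i.e. /17, if the whole 192.168.0.0 to 192.168.127.255 range was intended) would restore the restriction the original entry was evidently meant to express.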
All times are GMT