freebsd stable - Feb 2010 - RELENG_8 -- NFSv3 credentials/permissions issue

I'm willing to bet this is something simple I've overlooked, but I'm
out
of ideas.  Client is 8.0-RELEASE i386, server is 8.0-STABLE amd64
(kernel/world 2010/01/16).  NFS version used is v3.  Server filesystem
is UFS2.

Client configuration is off-kilter: it's a PXE booted machine.  Initial
PXE booting uses TFTP, then switches to NFS to load the kernel and
kernel modules.  The TFTP part works, with a caveat[1], but the NFS
portion fails.

With NFS, I'm forced to change permissions on all the exported
files/directories to be 0644/0755 (specifically, setting other/global
read/write access) otherwise the client gets back "Permission denied".
The nfsd(8) man page implies that this shouldn't be necessary; adding
-mapall=nobody:nobody or -maproot=nobody doesn't fix things either.

  In the absence of -maproot and -mapall options, remote accesses by root
  will result in using a credential of -2:-2.  All other users will be
  mapped to their remote credential.  If a -maproot option is given, remote
  access by root will be mapped to that credential instead of -2:-2.  If a
  -mapall option is given, all users (including root) will be mapped to
  that credential in place of their own.  

Configuration data, tcpdump validation (client=192.168.1.140,
server=192.168.1.51), and syslog data is below.

Ideas?

[1]: TFTP works as long as the file its trying to request (in this case
/usr/local/freebsd8/boot/pxeboot) has its other/global read bit set,
otherwise EACCESS is returned; I had to look in the tftpd source to
figure this out.  I'm not sure what the justification is there, given
that use of -s and/or -u switches credentials to user/group nobody...

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |


Relevant server configuration bits:

/etc/rc.conf
=============rpcbind_enable="yes"
rpcbind_flags="-l"
mountd_enable="yes"
mountd_flags="-r -l"
nfs_server_enable="yes"

/etc/exports
=============/usr/local/freebsd8	-network 192.168.1 -mask 255.255.255.0

Permissions
============drwxr-xr-x  22 root    wheel        512 Feb  6 12:25 /
drwxr-xr-x  17 root    wheel        512 Feb 12 03:38 /usr
drwxr-xr-x  15 root    wheel        512 Feb 19 10:41 /usr/local
drwx------   5 nobody  nobody       512 Feb 19 10:42 /usr/local/freebsd8
drwx------   7 nobody  nobody      1024 Nov 21 08:11 /usr/local/freebsd8/boot
drwx------   2 nobody  nobody     12800 Nov 21 08:11
/usr/local/freebsd8/boot/kernel
-r--------   1 nobody  nobody  11492703 Nov 21 07:48
/usr/local/freebsd8/boot/kernel/kernel

tcpdump
========{...snipping TFTP portion...}
10:57:20.601313 IP 192.168.1.140.68 > 255.255.255.255.67: BOOTP/DHCP, Request
from 00:30:48:71:60:6b, length 548
10:57:20.601442 IP 192.168.1.51.67 > 192.168.1.140.68: BOOTP/DHCP, Reply,
length 323
10:57:20.601688 IP 192.168.1.140.68 > 255.255.255.255.67: BOOTP/DHCP, Request
from 00:30:48:71:60:6b, length 548
10:57:20.601782 IP 192.168.1.51.67 > 192.168.1.140.68: BOOTP/DHCP, Reply,
length 323
10:57:20.613056 IP 192.168.1.140.1023 > 192.168.1.51.111: UDP, length 76
10:57:20.613369 IP 192.168.1.51.111 > 192.168.1.140.1023: UDP, length 28
10:57:20.613556 IP 192.168.1.140.1023 > 192.168.1.51.947: UDP, length 84
10:57:20.613921 IP 192.168.1.51.947 > 192.168.1.140.1023: UDP, length 60
10:57:20.614055 IP 192.168.1.140.1023 > 192.168.1.51.111: UDP, length 76
10:57:20.614291 IP 192.168.1.51.111 > 192.168.1.140.1023: UDP, length 28
10:57:20.614432 IP 192.168.1.140.4 > 192.168.1.51.2049: 100 lookup fh
1197,150310/6618112 "boot"
10:57:20.614458 IP 192.168.1.51.2049 > 192.168.1.140.4: reply ok 28 lookup
ERROR: Permission denied
10:57:20.615436 IP 192.168.1.140.1022 > 192.168.1.51.947: UDP, length 84
10:57:20.615677 IP 192.168.1.51.947 > 192.168.1.140.1022: UDP, length 60
10:57:20.615806 IP 192.168.1.140.6 > 192.168.1.51.2049: 100 lookup fh
1197,150310/6618112 "boot"
10:57:20.615824 IP 192.168.1.51.2049 > 192.168.1.140.6: reply ok 28 lookup
ERROR: Permission denied
10:57:20.615929 IP 192.168.1.140.1021 > 192.168.1.51.947: UDP, length 84
10:57:20.616164 IP 192.168.1.51.947 > 192.168.1.140.1021: UDP, length 60
10:57:20.616308 IP 192.168.1.140.8 > 192.168.1.51.2049: 100 lookup fh
1197,150310/6618112 "boot"
10:57:20.616327 IP 192.168.1.51.2049 > 192.168.1.140.8: reply ok 28 lookup
ERROR: Permission denied
10:57:20.616428 IP 192.168.1.140.1020 > 192.168.1.51.947: UDP, length 84
10:57:20.616660 IP 192.168.1.51.947 > 192.168.1.140.1020: UDP, length 60
{...repeat until client gives up...}

Feb 19 10:57:20 icarus dhcpd: DHCPDISCOVER from 00:30:48:71:60:6b via em0
Feb 19 10:57:20 icarus dhcpd: DHCPOFFER on 192.168.1.140 to 00:30:48:71:60:6b
via em0
Feb 19 10:57:20 icarus dhcpd: DHCPREQUEST for 192.168.1.140 (192.168.1.51) from
00:30:48:71:60:6b via em0
Feb 19 10:57:20 icarus dhcpd: DHCPACK on 192.168.1.140 to 00:30:48:71:60:6b via
em0
Feb 19 10:57:20 icarus rpcbind: connect from 192.168.1.140 to
getport/addr(mountd)
Feb 19 10:57:20 icarus mountd[1474]: mount request succeeded from 192.168.1.140
for /usr/local/freebsd8
Feb 19 10:57:20 icarus rpcbind: connect from 192.168.1.140 to getport/addr(nfs)
Feb 19 10:57:20 icarus mountd[1474]: mount request succeeded from 192.168.1.140
for /usr/local/freebsd8
Feb 19 10:57:21 icarus last message repeated 34 times

> I'm willing to bet this is something simple I've overlooked, but
I'm out
> of ideas.  Client is 8.0-RELEASE i386, server is 8.0-STABLE amd64
> (kernel/world 2010/01/16).  NFS version used is v3.  Server filesystem
> is UFS2.
at boot time, the NFS is V2!, if the server is FreeBSD it can be upgraded
later in the boot progress to V3
> 
> Client configuration is off-kilter: it's a PXE booted machine.  Initial
> PXE booting uses TFTP, then switches to NFS to load the kernel and
> kernel modules.  The TFTP part works, with a caveat[1], but the NFS
> portion fails.
TFTP is as old as the Internet, so it mostly works, and security was in dipers,
so the T for trivial also means un-secure :-)
> 
> With NFS, I'm forced to change permissions on all the exported
> files/directories to be 0644/0755 (specifically, setting other/global
> read/write access) otherwise the client gets back "Permission
denied".
> The nfsd(8) man page implies that this shouldn't be necessary; adding
> -mapall=nobody:nobody or -maproot=nobody doesn't fix things either.
> 
why not use -maproot=root?
by adding -ro, the client will be able to read but not modify.
That's what we do here, the /etc is mounted via unionfs to a md, but
that is yet another solution.
>   In the absence of -maproot and -mapall options, remote accesses by root
>   will result in using a credential of -2:-2.  All other users will be
>   mapped to their remote credential.  If a -maproot option is given, remote
>   access by root will be mapped to that credential instead of -2:-2.  If a
>   -mapall option is given, all users (including root) will be mapped to
>   that credential in place of their own.  
> 
> Configuration data, tcpdump validation (client=192.168.1.140,
> server=192.168.1.51), and syslog data is below.
> 
> Ideas?
> 
> [1]: TFTP works as long as the file its trying to request (in this case
> /usr/local/freebsd8/boot/pxeboot) has its other/global read bit set,
> otherwise EACCESS is returned; I had to look in the tftpd source to
> figure this out.  I'm not sure what the justification is there, given
> that use of -s and/or -u switches credentials to user/group nobody...
> 
only root can read a file with mode 0, so you need to set the read bit for
any non root user.
> -- 
> | Jeremy Chadwick                                   jdc@parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
> 
> 
> Relevant server configuration bits:
> 
> /etc/rc.conf
> =============> rpcbind_enable="yes"
> rpcbind_flags="-l"
> mountd_enable="yes"
> mountd_flags="-r -l"
> nfs_server_enable="yes"
> 
> /etc/exports
> =============> /usr/local/freebsd8	-network 192.168.1 -mask
255.255.255.0
> 
> Permissions
> ============> drwxr-xr-x  22 root    wheel        512 Feb  6 12:25 /
> drwxr-xr-x  17 root    wheel        512 Feb 12 03:38 /usr
> drwxr-xr-x  15 root    wheel        512 Feb 19 10:41 /usr/local
> drwx------   5 nobody  nobody       512 Feb 19 10:42 /usr/local/freebsd8
> drwx------   7 nobody  nobody      1024 Nov 21 08:11
/usr/local/freebsd8/boot
> drwx------   2 nobody  nobody     12800 Nov 21 08:11
/usr/local/freebsd8/boot/kernel
> -r--------   1 nobody  nobody  11492703 Nov 21 07:48
/usr/local/freebsd8/boot/kernel/kernel
> 
> tcpdump
> ========> {...snipping TFTP portion...}
> 10:57:20.601313 IP 192.168.1.140.68 > 255.255.255.255.67: BOOTP/DHCP,
Request from 00:30:48:71:60:6b, length 548
> 10:57:20.601442 IP 192.168.1.51.67 > 192.168.1.140.68: BOOTP/DHCP,
Reply, length 323
> 10:57:20.601688 IP 192.168.1.140.68 > 255.255.255.255.67: BOOTP/DHCP,
Request from 00:30:48:71:60:6b, length 548
> 10:57:20.601782 IP 192.168.1.51.67 > 192.168.1.140.68: BOOTP/DHCP,
Reply, length 323
> 10:57:20.613056 IP 192.168.1.140.1023 > 192.168.1.51.111: UDP, length 76
> 10:57:20.613369 IP 192.168.1.51.111 > 192.168.1.140.1023: UDP, length 28
> 10:57:20.613556 IP 192.168.1.140.1023 > 192.168.1.51.947: UDP, length 84
> 10:57:20.613921 IP 192.168.1.51.947 > 192.168.1.140.1023: UDP, length 60
> 10:57:20.614055 IP 192.168.1.140.1023 > 192.168.1.51.111: UDP, length 76
> 10:57:20.614291 IP 192.168.1.51.111 > 192.168.1.140.1023: UDP, length 28
> 10:57:20.614432 IP 192.168.1.140.4 > 192.168.1.51.2049: 100 lookup fh
1197,150310/6618112 "boot"
> 10:57:20.614458 IP 192.168.1.51.2049 > 192.168.1.140.4: reply ok 28
lookup ERROR: Permission denied
> 10:57:20.615436 IP 192.168.1.140.1022 > 192.168.1.51.947: UDP, length 84
> 10:57:20.615677 IP 192.168.1.51.947 > 192.168.1.140.1022: UDP, length 60
> 10:57:20.615806 IP 192.168.1.140.6 > 192.168.1.51.2049: 100 lookup fh
1197,150310/6618112 "boot"
> 10:57:20.615824 IP 192.168.1.51.2049 > 192.168.1.140.6: reply ok 28
lookup ERROR: Permission denied
> 10:57:20.615929 IP 192.168.1.140.1021 > 192.168.1.51.947: UDP, length 84
> 10:57:20.616164 IP 192.168.1.51.947 > 192.168.1.140.1021: UDP, length 60
> 10:57:20.616308 IP 192.168.1.140.8 > 192.168.1.51.2049: 100 lookup fh
1197,150310/6618112 "boot"
> 10:57:20.616327 IP 192.168.1.51.2049 > 192.168.1.140.8: reply ok 28
lookup ERROR: Permission denied
> 10:57:20.616428 IP 192.168.1.140.1020 > 192.168.1.51.947: UDP, length 84
> 10:57:20.616660 IP 192.168.1.51.947 > 192.168.1.140.1020: UDP, length 60
> {...repeat until client gives up...}
> 
> Feb 19 10:57:20 icarus dhcpd: DHCPDISCOVER from 00:30:48:71:60:6b via em0
> Feb 19 10:57:20 icarus dhcpd: DHCPOFFER on 192.168.1.140 to
00:30:48:71:60:6b via em0
> Feb 19 10:57:20 icarus dhcpd: DHCPREQUEST for 192.168.1.140 (192.168.1.51)
from 00:30:48:71:60:6b via em0
> Feb 19 10:57:20 icarus dhcpd: DHCPACK on 192.168.1.140 to 00:30:48:71:60:6b
via em0
> Feb 19 10:57:20 icarus rpcbind: connect from 192.168.1.140 to
getport/addr(mountd)
> Feb 19 10:57:20 icarus mountd[1474]: mount request succeeded from
192.168.1.140 for /usr/local/freebsd8
> Feb 19 10:57:20 icarus rpcbind: connect from 192.168.1.140 to
getport/addr(nfs)
> Feb 19 10:57:20 icarus mountd[1474]: mount request succeeded from
192.168.1.140 for /usr/local/freebsd8
> Feb 19 10:57:21 icarus last message repeated 34 times
> 
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to
"freebsd-stable-unsubscribe@freebsd.org"
>