A little encouragement with Kerberos for NFS

Andrew B. Young andrew at an3e.org
Mon Jul 17 15:14:53 EDT 2006


Dear Kevin,

I was wondering about that: "net result is to default to uid/gid of 
-1."  I believe this is the same as--
 nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
because of the binary math.

I think the Sun documentation states that the default mapping is to the 
principal: "nfs" which in the Fedora distribution does not exist in 
/etc/passwd.  So, forgive me, the -1 mapping is a hack that you had to 
implement.  Yes?  Knowing that the user nfs does not exist I was looking 
to gsscred to do the mapping to nfsnobody.

Just my observations.

Cheers,
Andrew


Kevin Coffman wrote:
> Backing out the nfs-utils rpm may not help if you keep the same
> version of libnfsidmap.  (The library no longer defaults if the
> mapping fails, leaving it up to the application to DtRT.)  There is a
> patch for svcgssd (in nfs-utils-1.0.9) to do the default, but
> unfortunately it didn't get into 1.0.8 which is what the latest FC5
> nfs-utils rpm includes.
>
> There were a few iterations of the patch, so pointing you at a single
> patch is difficult.  Here are the three patches in order (which,
> again, are in nfs-utils-1.0.9):
>
> http://linux-nfs.org/cgi-bin/gitweb.cgi?p=nfs-utils;a=commitdiff;h=acae444246635ec2ca8990d53e685c9062d73091 
>
> http://linux-nfs.org/cgi-bin/gitweb.cgi?p=nfs-utils;a=commitdiff;h=28a7603b719f8d35bf22fd3018b610b489fec78f 
>
> http://linux-nfs.org/cgi-bin/gitweb.cgi?p=nfs-utils;a=commitdiff;h=7194d7d6320736c14f40d31c3738d40f3119ead5 
>
>
> The net result is to default to uid/gid of -1 which the kernel will
> interpret to mean, use the correct anonuid/anongid for the export.
>
> K.C.
>
>
> On 7/17/06, Terry Figel <terry at soe.ucsc.edu> wrote:
>> Is there any new news on this?
>> I am using Fedora Core 5 and ran yum update....
>> So I have the same rpms, and the same error message
>> Jul 17 10:18:50 ldap rpc.svcgssd[2723]: WARNING: get_ids: unable to map
>> name 'nfs/monitor5.cse.ucsc.edu at SOE.UCSC.EDU' to a uid
>> I was thinking I was going to back out the RPM updates, and install this
>> set:
>> nfs-utils-1.0.7-8
>> system-config-nfs-1.3.10-1
>>
>>
>> Andrew B. Young wrote:
>> > Dear Kevin,
>> >
>> > I am using the rpms--
>> >  [root at ns3 ~]# rpm --query --all | grep nfs
>> >  nfs-utils-1.0.8-2.fc5
>> >  nfs-utils-lib-1.0.8-4.FC5
>> >  system-config-nfs-1.3.19-1
>> >
>> > Following receipt of your last email I tried Sun's documentation on
>> > gsscred--
>> >  http://docs.sun.com/app/docs/doc/816-4557/6maosrjle?a=view
>> > but gsscred is not installed (don't know if it's in any of the FC5 rpms.)
>> >
>> > I also tried adding the following in the KDC conf
>> > |-- /etc/krb5.conf------------
>> > |  [auth_to_local_names]
>> > |  nfs/ns2.an3e.org = nfsnobody
>> >
>> > Neither helped; still getting--
>> >  Jul 10 13:39:44 ns3 rpc.svcgssd[2781]: WARNING: get_ids: unable to
>> > map name 'nfs/ns2.an3e.org at AN3E.ORG' to a uid
>> >
>> > The Sun documentation states that that server will try to map the
>> > principal to a uid, but I note there is no user "nfs" in the
>> > distribution.  I have not tried to create one, which would be similar
>> > to nfsnobody.  I may try this next.
>> >
>> > Thanks,
>> > Andrew
>> >
>> > Kevin Coffman wrote:
>> >> Hi Andrew,
>> >> Thanks for the output.  It is helpful.
>> >>
>> >>>   [root at ns3 ~]# exportfs -a
>> >>>   gss/krb5:/var/lib/music: Cannot allocate memory
>> >>
>> >> I don't know what this means, but ...
>> >>
>> >>
>> >>>
>> >>> [root at ns3 log]# tail messages
>> >>> ...
>> >>> Jul 10 09:41:04 ns3 rpc.svcgssd[10950]: WARNING: get_ids: unable to map
>> >>> name 'nfs/ns2.an3e.org at AN3E.ORG' to a uid
>> >>> ...
>> >>
>> >> This means that the server was unable to map the gss principal name
>> >> 'nfs/ns2.an3e.org at AN3E.ORG' into a local uid/gid.  If you are
>> >> working with source code versions of nfs-utils, etc.,  I can give you
>> >> a patch to get by this error.  Otherwise, if you are working with FC5
>> >> rpms we can figure out how to proceed.
>> >>
>> >> K.C.
>> >
>> > _______________________________________________
>> > NFSv4 mailing list
>> > NFSv4 at linux-nfs.org
>> > http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
>>
>>
>>
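
The fallback discussed in this thread (an unmappable principal defaults to uid -1, which then selects the export's anonuid), sketched as an added example; it is not nfs-utils or kernel code. The account table is constructed, the function names and the "name before '/' or '@'" lookup are hypothetical simplifications, and 65534 is assumed as the anonuid of an export with no anonuid= option.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define ID_UNMAPPED ((uid_t)-1)   /* sentinel: "no local account", not a real id */

/* Constructed sample account table standing in for /etc/passwd. */
static const struct { const char *name; uid_t uid; } accounts[] = {
    { "andrew", 500 }, { "nfsnobody", 65534 },
};

/* Hypothetical, simplified lookup: the local name is the principal text
 * before the first '/' or '@'. A failed lookup yields the sentinel
 * instead of rejecting the request. */
uid_t map_principal(const char *principal)
{
    size_t n = strcspn(principal, "/@");
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strlen(accounts[i].name) == n &&
            strncmp(accounts[i].name, principal, n) == 0)
            return accounts[i].uid;
    return ID_UNMAPPED;
}

/* Hypothetical stand-in for the server side: the sentinel selects the
 * per-export anonymous uid; any other value is used as mapped. */
uid_t effective_uid(uid_t mapped, uid_t export_anonuid)
{
    return mapped == ID_UNMAPPED ? export_anonuid : mapped;
}

/* A small negative number viewed as a 16-bit unsigned id. */
uint16_t as_uid16(int v) { return (uint16_t)v; }

int main(void)
{
    uid_t m = map_principal("nfs/ns2.an3e.org@AN3E.ORG");
    printf("mapped uid:      %lu\n", (unsigned long)m);
    printf("default export:  %lu\n", (unsigned long)effective_uid(m, 65534));
    printf("anonuid=1234:    %lu\n", (unsigned long)effective_uid(m, 1234));
    printf("-1 / -2 as u16:  %u / %u\n",
           (unsigned)as_uid16(-1), (unsigned)as_uid16(-2));
    return 0;
}
```

With a default export the unmapped principal ends up as 65534, and with an explicit anonuid it follows that export's setting instead.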


