[Fwd: Re: Permission problem with NFSv4 mount]

J. Bruce Fields bfields at fieldses.org
Mon Mar 2 19:38:13 EST 2009


On Thu, Feb 26, 2009 at 10:21:05AM +0000, Mike Brodbelt wrote:
> J. Bruce Fields wrote:
> 
> > One way to check that would be to create a world-writeable directory on
> > the export, then create a file in it from the client as user "postgres"
> > on the client, then go back to the server and ls -l it to see what user
> > it was created as.
> 
> OK, so I changed permissions on the export and the mount point to
> rwxrwxrwx, and remounted the NFS filesystem:-
> 
> # umount /db/data/
> umount: /db/data/: not mounted
> # chmod 777 /db/data/
> # mount /db/data/
> # ls -ld /db/data/
> drwxrwxrwx 10 postgres postgres 25 2009-02-24 17:56 /db/data/
> 
> Even with world writable permissions though, I still get the error:-
> 
> # su - postgres
> $ touch /db/data/testfile
> touch: cannot touch `/db/data/testfile': Permission denied

And from the below it looks like the client is indeed using auth_unix
with the correct uid and gid.  So, I'm stumped.  Sorry.  It looks like a
server-side problem to me.

--b.

> 
> > Might also be interesting to watch the network with wireshark while you
> > do the new-file creation; of particular interest would be the rpc header
> > (especially the cred field) on the request that creates the file.
> 
> I've done a packet capture of the operations, and the tshark output is:-
> 
>  1   0.000000  10.0.0.39 -> 10.0.0.43  NFS V4 COMPOUND Call <EMPTY>
> PUTFH;ACCESS;GETATTR
>  2   0.000689  10.0.0.43 -> 10.0.0.39  NFS V4 COMPOUND Reply (Call In
> 1) <EMPTY> PUTFH;ACCESS;GETATTR
>  3   0.000699  10.0.0.39 -> 10.0.0.43  TCP 858 > nfs [ACK] Seq=157
> Ack=241 Win=126 Len=0 TSV=96150336 TSER=176053765
>  4   0.000789  10.0.0.39 -> 10.0.0.43  NFS V4 COMPOUND Call <EMPTY>
> SETCLIENTID
>  5   0.001188  10.0.0.43 -> 10.0.0.39  NFS V4 COMPOUND Reply (Call In
> 4) <EMPTY> SETCLIENTID
>  6   0.001221  10.0.0.39 -> 10.0.0.43  NFS V4 COMPOUND Call <EMPTY>
> SETCLIENTID_CONFIRM;PUTROOTFH;GETATTR
>  7   0.028545  10.0.0.43 -> 10.0.0.39  NFS V4 COMPOUND Reply (Call In
> 6) <EMPTY> SETCLIENTID_CONFIRM;PUTROOTFH;GETATTR
>  8   0.028589  10.0.0.39 -> 10.0.0.43  NFS V4 COMPOUND Call <EMPTY>
> PUTFH;SAVEFH;OPEN;DELEGRETURN;Unknown
>  9   0.028695  10.0.0.43 -> 10.0.0.39  TCP 62582 > 57740 [SYN] Seq=0
> Win=32804 Len=0 MSS=1460 TSV=176053768 TSER=0 WS=5
> 10   0.028702  10.0.0.39 -> 10.0.0.43  TCP 57740 > 62582 [SYN, ACK]
> Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=96150343 TSER=176053768 WS=9
> 11   0.028794  10.0.0.43 -> 10.0.0.39  NFS V4 COMPOUND Reply (Call In 8)
> <EMPTY> PUTFH;SAVEFH;OPEN
> 12   0.028803  10.0.0.43 -> 10.0.0.39  TCP 62582 > 57740 [ACK] Seq=1
> Ack=1 Win=1049792 Len=0 TSV=176053768 TSER=96150343
> 13   0.028865  10.0.0.39 -> 10.0.0.43  NFS V4 COMPOUND Call <EMPTY>
> PUTFH;ACCESS;GETATTR
> 14   0.028994  10.0.0.43 -> 10.0.0.39  NFS V4 COMPOUND Reply (Call In
> 13) <EMPTY> PUTFH;ACCESS;GETATTR[Malformed Packet]
> 15   0.032439  10.0.0.43 -> 10.0.0.39  TCP 62582 > 57740 [PSH, ACK]
> Seq=1 Ack=1 Win=1049792 Len=72 TSV=176053769 TSER=96150343
> 16   0.032448  10.0.0.39 -> 10.0.0.43  TCP 57740 > 62582 [ACK] Seq=1
> Ack=73 Win=6144 Len=0 TSV=96150344 TSER=176053769
> 17   0.032463  10.0.0.39 -> 10.0.0.43  TCP 57740 > 62582 [PSH, ACK]
> Seq=1 Ack=73 Win=6144 [TCP CHECKSUM INCORRECT] Len=28 TSV=96150344
> TSER=176053769
> 18   0.032538  10.0.0.43 -> 10.0.0.39  TCP 62582 > 57740 [ACK] Seq=73
> Ack=29 Win=1049792 Len=0 TSV=176053769 TSER=96150344
> 19   0.065949  10.0.0.39 -> 10.0.0.43  TCP 858 > nfs [ACK] Seq=861
> Ack=685 Win=126 Len=0 TSV=96150353 TSER=176053768
> 
> The packet for the file creation attempt is packet 11, and the details
> of the RPC are:-
> 
> Credentials
> 
> Flavour: AUTH_UNIX
> Machine name: <client hostname>
> UID: 106
> GID: 500
> Auxiliary GIDs - GID: 500
> 
> Those UID and GID combinations correspond to the postgres user on the
> client:-
> 
> $ id
> uid=106(postgres) gid=500(postgres) groups=500(postgres)
> 
> The response in frame 11 has status of NFS4ERR_ACCES.
> 
> I'm still mystified as to what's going on. I can't provide many more
> details on the server - it's a Sun Storage 7410 system, which is a
> storage appliance that runs Solaris under the hood. The system provides
> a web interface or a CLI for configuration, but there is no way for me
> to get a shell on it, so I can't create files on it locally.
> 
> Mike
> 
> 
> -- 
> Director of Technical Operations and Infrastructure
> Last.fm Ltd. | http://www.last.fm/ | Email: mike at last.fm
> Office: +44 (0) 207 780 7089 | Mobile: 07852 443790
> _______________________________________________
> NFSv4 mailing list
> NFSv4 at linux-nfs.org
> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
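
The cred field discussed in this thread can also be decoded by hand. The following is an added example, not code from the thread or from any NFS project: a minimal parser for the ONC RPC call header and its AUTH_UNIX (AUTH_SYS) credential as laid out in RFC 5531. It assumes the TCP record-marking word has already been stripped, and the sample message, including the machine name `client.example`, is constructed to mirror the UID/GID values quoted above. The values in this credential are whatever the client puts on the wire, so decoding them shows what the server was told, not what it decided.

```python
import struct

AUTH_SYS = 1  # RPC flavor number for AUTH_UNIX / AUTH_SYS (RFC 5531)

class XdrReader:
    # Bounds-checked reader for big-endian XDR data
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated XDR data")
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v
    def opaque(self):
        n = self.u32()
        padded = (n + 3) & ~3  # XDR pads opaque data to a 4-byte boundary
        if self.pos + padded > len(self.data):
            raise ValueError("truncated XDR opaque")
        body = self.data[self.pos:self.pos + n]
        self.pos += padded
        return body

def parse_call_cred(msg):
    # Decode the call header, then the credential that follows it
    r = XdrReader(msg)
    xid, mtype, rpcvers = r.u32(), r.u32(), r.u32()
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    prog, vers, proc = r.u32(), r.u32(), r.u32()
    flavor, body = r.u32(), r.opaque()
    info = {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "flavor": flavor}
    if flavor == AUTH_SYS:
        c = XdrReader(body)
        info["stamp"] = c.u32()
        info["machine"] = c.opaque().decode("ascii", "replace")
        info["uid"], info["gid"] = c.u32(), c.u32()
        n = c.u32()
        if n > 16:  # AUTH_SYS allows at most 16 auxiliary GIDs
            raise ValueError("too many auxiliary gids")
        info["gids"] = [c.u32() for _ in range(n)]
    return info

def build_sample():
    # Constructed call: NFS program 100003, version 4, procedure 1 (COMPOUND)
    name = b"client.example"  # constructed machine name
    cred = struct.pack(">II", 0x1234, len(name)) + name + b"\0" * (-len(name) % 4)
    cred += struct.pack(">IIII", 106, 500, 1, 500)  # uid, gid, count, aux gid
    hdr = struct.pack(">IIIIII", 0xDEADBEEF, 0, 2, 100003, 4, 1)
    return hdr + struct.pack(">II", AUTH_SYS, len(cred)) + cred + struct.pack(">II", 0, 0)
```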

