> I'm willing to bet this is something simple I've overlooked, but I'm out > of ideas. Client is 8.0-RELEASE i386, server is 8.0-STABLE amd64 > (kernel/world 2010/01/16). NFS version used is v3. Server filesystem > is UFS2. at boot time, the NFS is V2!, if the server is FreeBSD it can be upgraded later in the boot progress to V3 > > Client configuration is off-kilter: it's a PXE booted machine. Initial > PXE booting uses TFTP, then switches to NFS to load the kernel and > kernel modules. The TFTP part works, with a caveat[1], but the NFS > portion fails. TFTP is as old as the Internet, so it mostly works, and security was in dipers, so the T for trivial also means un-secure :-) > > With NFS, I'm forced to change permissions on all the exported > files/directories to be 0644/0755 (specifically, setting other/global > read/write access) otherwise the client gets back "Permission denied". > The nfsd(8) man page implies that this shouldn't be necessary; adding > -mapall=nobody:nobody or -maproot=nobody doesn't fix things either. > why not use -maproot=root? by adding -ro, the client will be able to read but not modify. That's what we do here, the /etc is mounted via unionfs to a md, but that is yet another solution.
> In the absence of -maproot and -mapall options, remote accesses by root > will result in using a credential of -2:-2. All other users will be > mapped to their remote credential. If a -maproot option is given, remote > access by root will be mapped to that credential instead of -2:-2. If a > -mapall option is given, all users (including root) will be mapped to > that credential in place of their own. > > Configuration data, tcpdump validation (client=192.168.1.140, > server=192.168.1.51), and syslog data is below. > > Ideas? > > [1]: TFTP works as long as the file its trying to request (in this case > /usr/local/freebsd8/boot/pxeboot) has its other/global read bit set, > otherwise EACCESS is returned; I had to look in the tftpd source to > figure this out. I'm not sure what the justification is there, given > that use of -s and/or -u switches credentials to user/group nobody... > only root can read a file with mode 0, so you need to set the read bit for any non root user. > -- > | Jeremy Chadwick j...@parodius.com | > | Parodius Networking http://www.parodius.com/ | > | UNIX Systems Administrator Mountain View, CA, USA | > | Making life hard for others since 1977. PGP: 4BD6C0CB | > > > Relevant server configuration bits: > > /etc/rc.conf > ============== > rpcbind_enable="yes" > rpcbind_flags="-l" > mountd_enable="yes" > mountd_flags="-r -l" > nfs_server_enable="yes" > > /etc/exports > ============== > /usr/local/freebsd8 -network 192.168.1 -mask 255.255.255.0 > > Permissions > ============= > drwxr-xr-x 22 root wheel 512 Feb 6 12:25 / > drwxr-xr-x 17 root wheel 512 Feb 12 03:38 /usr > drwxr-xr-x 15 root wheel 512 Feb 19 10:41 /usr/local > drwx------ 5 nobody nobody 512 Feb 19 10:42 /usr/local/freebsd8 > drwx------ 7 nobody nobody 1024 Nov 21 08:11 /usr/local/freebsd8/boot > drwx------ 2 nobody nobody 12800 Nov 21 08:11 > /usr/local/freebsd8/boot/kernel > -r-------- 1 nobody nobody 11492703 Nov 21 07:48 > /usr/local/freebsd8/boot/kernel/kernel > > tcpdump > ========= > {...snipping TFTP portion...} > 10:57:20.601313 IP 192.168.1.140.68 > 255.255.255.255.67: BOOTP/DHCP, Request > from 00:30:48:71:60:6b, length 548 > 10:57:20.601442 IP 192.168.1.51.67 > 192.168.1.140.68: BOOTP/DHCP, Reply, > length 323 > 10:57:20.601688 IP 192.168.1.140.68 > 255.255.255.255.67: BOOTP/DHCP, Request > from 00:30:48:71:60:6b, length 548 > 10:57:20.601782 IP 192.168.1.51.67 > 192.168.1.140.68: BOOTP/DHCP, Reply, > length 323 > 10:57:20.613056 IP 192.168.1.140.1023 > 192.168.1.51.111: UDP, length 76 > 10:57:20.613369 IP 192.168.1.51.111 > 192.168.1.140.1023: UDP, length 28 > 10:57:20.613556 IP 192.168.1.140.1023 > 192.168.1.51.947: UDP, length 84 > 10:57:20.613921 IP 192.168.1.51.947 > 192.168.1.140.1023: UDP, length 60 > 10:57:20.614055 IP 192.168.1.140.1023 > 192.168.1.51.111: UDP, length 76 > 10:57:20.614291 IP 192.168.1.51.111 > 192.168.1.140.1023: UDP, length 28 > 10:57:20.614432 IP 192.168.1.140.4 > 192.168.1.51.2049: 100 lookup fh > 1197,150310/6618112 "boot" > 10:57:20.614458 IP 192.168.1.51.2049 > 192.168.1.140.4: reply ok 28 lookup > ERROR: Permission denied > 10:57:20.615436 IP 192.168.1.140.1022 > 192.168.1.51.947: UDP, length 84 > 10:57:20.615677 IP 192.168.1.51.947 > 192.168.1.140.1022: UDP, length 60 > 10:57:20.615806 IP 192.168.1.140.6 > 192.168.1.51.2049: 100 lookup fh > 1197,150310/6618112 "boot" > 10:57:20.615824 IP 192.168.1.51.2049 > 192.168.1.140.6: reply ok 28 lookup > ERROR: Permission denied > 10:57:20.615929 IP 192.168.1.140.1021 > 192.168.1.51.947: UDP, length 84 > 10:57:20.616164 IP 192.168.1.51.947 > 192.168.1.140.1021: UDP, length 60 > 10:57:20.616308 IP 192.168.1.140.8 > 192.168.1.51.2049: 100 lookup fh > 1197,150310/6618112 "boot" > 10:57:20.616327 IP 192.168.1.51.2049 > 192.168.1.140.8: reply ok 28 lookup > ERROR: Permission denied > 10:57:20.616428 IP 192.168.1.140.1020 > 192.168.1.51.947: UDP, length 84 > 10:57:20.616660 IP 192.168.1.51.947 > 192.168.1.140.1020: UDP, length 60 > {...repeat until client gives up...} > > Feb 19 10:57:20 icarus dhcpd: DHCPDISCOVER from 00:30:48:71:60:6b via em0 > Feb 19 10:57:20 icarus dhcpd: DHCPOFFER on 192.168.1.140 to 00:30:48:71:60:6b > via em0 > Feb 19 10:57:20 icarus dhcpd: DHCPREQUEST for 192.168.1.140 (192.168.1.51) > from 00:30:48:71:60:6b via em0 > Feb 19 10:57:20 icarus dhcpd: DHCPACK on 192.168.1.140 to 00:30:48:71:60:6b > via em0 > Feb 19 10:57:20 icarus rpcbind: connect from 192.168.1.140 to > getport/addr(mountd) > Feb 19 10:57:20 icarus mountd[1474]: mount request succeeded from > 192.168.1.140 for /usr/local/freebsd8 > Feb 19 10:57:20 icarus rpcbind: connect from 192.168.1.140 to > getport/addr(nfs) > Feb 19 10:57:20 icarus mountd[1474]: mount request succeeded from > 192.168.1.140 for /usr/local/freebsd8 > Feb 19 10:57:21 icarus last message repeated 34 times > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org" > _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
