
Bug#601550: [nfs-kernel-server] Root is always squashed when using sec=gss/krb5



Package: nfs-kernel-server
Version: 1:1.1.2-6lenny2
Severity: normal

--- Please enter the report below this line. ---
I have an NFSv4 server with exports configured as follows:
/export       gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check,async)
/export/users gss/krb5(rw,nohide,insecure,no_root_squash,no_subtree_check,async)

On the other side I have clients with an autofs configuration like:
*       -fstype=nfs4,rw,soft,intr,bg,nosuid,nodev,sec=krb5,port=2049,proto=tcp  nfs.mydomain.cz:/users/&

Everything works great for regular users, but root is always squashed even 
when I set no_root_squash. I tried a configuration without Kerberos and it 
worked as expected (I just removed gss/krb5 and sec=krb5 from the configurations). 
Using Kerberos, root is always mapped to nobody:nogroup. Output from idmapd:

root@server# rpc.idmapd -c /etc/idmapd.conf -f -vvv
rpc.idmapd: libnfsidmap: using domain: localdomain

rpc.idmapd: libnfsidmap: using translation method: nsswitch

rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
rpc.idmapd: nfsdcb: authbuf=gss/krb5 authtype=user
rpc.idmapd:  Server: (user) id "0" -> name "root@localdomain"
rpc.idmapd: nfsdcb: authbuf=gss/krb5 authtype=group
rpc.idmapd:  Server: (group) id "0" -> name "root@localdomain"
rpc.idmapd: nfsdcb: authbuf=gss/krb5 authtype=user
rpc.idmapd:  Server: (user) id "2000" -> name "ares@localdomain"
rpc.idmapd: nfsdcb: authbuf=gss/krb5 authtype=group
rpc.idmapd:  Server: (group) id "2000" -> name "ares@localdomain"

--- System information. ---
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to cs_CZ.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nfs-kernel-server depends on:
ii  libblkid1       1.41.3-1                 block device id library
ii  libc6           2.7-18lenny6             GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libgssglue1     0.1-2                    mechanism-switch gssapi library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny4 MIT Kerberos runtime libraries
ii  libnfsidmap2    0.20-1                   An nfs idmapping library
ii  librpcsecgss3   0.18-1                   allows secure rpc communication us
ii  libwrap0        7.6.q-16                 Wietse Venema's TCP wrappers libra
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  nfs-common      1:1.1.2-6lenny2          NFS support files common to client
ii  ucf             3.0016                   Update Configuration File: preserv

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.






