linux-nfs.vger.kernel.org archive mirror
* Rights and owner problem on NFSv4 referrals
@ 2020-11-06  8:20 Prunk Dump
  0 siblings, 0 replies; only message in thread
From: Prunk Dump @ 2020-11-06  8:20 UTC (permalink / raw)
  To: linux-nfs

Hello !
I need some help with NFSv4 referrals.

Here is my setup:

I have an NFSv4 server "myserverA" that exports a directory tree
that contains a referral, like this:
/srv/nfs4    172.16.0.0/16(fsid=0,crossmnt,sec=krb5,rw,async,no_subtree_check)
/srv/nfs4/share/mydirA  172.16.0.0/16(sec=krb5,rw,async,no_subtree_check)
/srv/nfs4/share/mydirB  172.16.0.0/16(sec=krb5,rw,async,no_subtree_check,refer=/share/mydirB@myserverB)

The /srv/nfs4/share/mydirA directory is bind mounted to some place on
the same server.
The /srv/nfs4/share/mydirB is bind mounted to itself as it refers to
server "myserverB".

The "myserverB" server exports are similar:
/srv/nfs4    172.16.0.0/16(fsid=0,crossmnt,sec=krb5,rw,async,no_subtree_check)
/srv/nfs4/share/mydirA  172.16.0.0/16(sec=krb5,rw,async,no_subtree_check,refer=/share/mydirA@myserverA)
/srv/nfs4/share/mydirB  172.16.0.0/16(sec=krb5,rw,async,no_subtree_check)

If I don't use NFS referrals, everything works fine on my setup. But
if I mount from a client the tree exported by myserverA, I get wrong
permissions. For example:

~# mount -t nfs4 myserverA:/ /mountdir
~# ls -al  /mountdir
drwxrwxr-x    root    myldapgroup    mydirA
dr-xr-xr-x    4294967294    4294967294 mydirB

Normally mydirA and mydirB have exactly the same permissions. Now if I
list the mydirB content from the client, it automatically mounts the
"myserverB" tree and the permission becomes OK.

~# ls /mountdir/mydirB
... some files/dirs
~# ls -al  /mountdir
drwxrwxr-x    root    myldapgroup    mydirA
drwxrwxr-x    root    myldapgroup    mydirB

So this is not an ID mapping problem.

You may say "Ok where is the problem ?". The problem is that some
applications check if they can write to a directory before listing its
content and don't check the rights again after. So here for example,
the members of "myldapgroup" can't write to "mydirB" with some
applications. They need to try to write two times :
-> The first time, the rights are badly read and the referral is
mounted by the kernel, but the application doesn't want to write as it
thinks that there is no write access.
-> The second time, the rights are correctly read because the referral
is mounted, so the application accepts to write inside the "mydirB"
folder.

It seems normal to me that the client doesn't mount the mydirB
referral only to list the parent directory content. Otherwise, if the
directory contains many referrals, all the servers need to be
contacted just to list the directory content.

It also seems normal to me that the "myserverA" server doesn't
continuously contact all the servers for each referral it exports to check
the permissions of the directories exported.

But there may be a way to set the right permissions manually on the server
that exports the referral. I have tested. On the "myserverA" server,
changing the rights of the /srv/nfs4/share/mydirB directory (the one
bind mounted to itself) changes nothing on the client side (so it changes
nothing in the way the parent directory is exported by the server).

Is there a way to set up the "myserverA" server so that it gives the
wanted permissions on referrals when a client lists the parent
directory?

Thanks !

Baptiste.
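
The check-before-list ordering described in the message, as an added example that is not part of the original post: a client-side helper that recognizes the placeholder attributes from the `ls -al` output (owner and group 4294967294, mode dr-xr-xr-x) and enters the directory before deciding on write access. The function names, the simulated client and gid 1000 for "myldapgroup" are constructed for illustration.

```python
import os
import stat
from types import SimpleNamespace

# Placeholder attributes copied from the `ls -al` output in the message.
PLACEHOLDER_ID = 4294967294    # owner and group shown for mydirB
PLACEHOLDER_MODE = 0o555       # dr-xr-xr-x

def is_untraversed_referral(st):
    """True if a stat result matches the placeholder shown in the message."""
    return (stat.S_ISDIR(st.st_mode)
            and stat.S_IMODE(st.st_mode) == PLACEHOLDER_MODE
            and st.st_uid == PLACEHOLDER_ID
            and st.st_gid == PLACEHOLDER_ID)

def writable_after_traversal(path, stat_fn=os.stat, listdir=os.listdir,
                             access=os.access):
    """Return (writable, was_placeholder), entering the directory first if
    its attributes look like an untraversed referral. The three callables
    are injectable so the logic runs without an NFS mount."""
    was_placeholder = is_untraversed_referral(stat_fn(path))
    if was_placeholder:
        try:
            listdir(path)  # per the message, listing mounts the referral
        except OSError:
            return False, True  # referral target unreachable or denied
    return access(path, os.W_OK | os.X_OK), was_placeholder

def simulated_client():
    """Constructed stand-in for the client in the message: the directory's
    attributes change once it has been listed."""
    mounted = []
    def fake_stat(path):
        if mounted:  # real attributes; gid 1000 stands in for myldapgroup
            return SimpleNamespace(st_mode=stat.S_IFDIR | 0o775,
                                   st_uid=0, st_gid=1000)
        return SimpleNamespace(st_mode=stat.S_IFDIR | PLACEHOLDER_MODE,
                               st_uid=PLACEHOLDER_ID, st_gid=PLACEHOLDER_ID)
    def fake_listdir(path):
        mounted.append(path)
        return []
    def fake_access(path, mode):
        return bool(mounted)  # write access is visible only after the mount
    return fake_stat, fake_listdir, fake_access

if __name__ == "__main__":
    s, l, a = simulated_client()
    print("naive check:", a("/mountdir/mydirB", os.W_OK))
    print("after traversal:", writable_after_traversal("/mountdir/mydirB", s, l, a))
```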
