# NFSv4 and filesystem permissions question



## RattleAndHum (Sep 4, 2013)

Hello list,

I have a question about NFSv4 and filesystem permissions. First I will explain the setup.

Both the NFS client host and the NFS server host run FreeBSD 9.1p5. The NFS client runs on network A (10.16.11.0/24) and the NFS server runs on network B (10.16.1.0/24). Subnets A and B are separated by a firewall (also FreeBSD with PF). The NFS client host has a FQDN of hostnameA.dmz.domain.com. The NFS server has a FQDN of hostnameB.intra.domain.com. The firewall allows TCP port 2049 from the NFS client to the NFS server. No traffic is blocked on the firewall for traffic from the NFS client host to the NFS server host.

The /etc/rc.conf of the NFS server looks like this (only NFS related items shown):

```
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4 -h 172.16.1.211"
nfsv4_server_enable="YES"
nfsuserd_enable="YES"
rpcbind_enable="YES"
rpcbind_flags="-h 172.16.1.211"
mountd_enable="YES"
mountd_flags="-r"
```

The /etc/exports of the NFS server looks like this:

```
/var/nfs/www -alldirs -maproot=root -network 10.16.11.0/24
V4: /
```

The /etc/rc.conf of the NFS client looks like this (only NFS related items shown):

```
nfs_client_enable="YES"
nfsuserd_enable="YES"
```

The /etc/fstab of the NFS client looks like this:

```
# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/ad4s1b             none            swap    sw              0       0
/dev/ad4s1a             /               ufs     rw              1       1
/dev/ad4s1f             /home           ufs     rw              2       2
/dev/ad4s1g             /tmp            ufs     rw              2       2
/dev/ad4s1d             /usr            ufs     rw              2       2
/dev/ad4s1e             /var            ufs     rw              2       2
/dev/acd0               /cdrom          cd9660  ro,noauto       0       0
hostnameB:/var/nfs/www /var/www nfs rw,nfsv4,late 0 0
```

The NFS client has an entry for hostnameB in the /etc/hosts file:

```
10.16.1.211            hostnameB.intra.domain.com hostnameB
```

NFS starts nicely on my NFS server. The NFS client mounts the NFS share nicely. When the NFS client boots I see the following in my PF logs:

```
2013-09-04 09:52:44.358943 rule 63/0(match): pass in on em3: 10.16.11.201.955 > 10.16.1.211.2049: [|tcp]
2013-09-04 09:52:44.359090 rule 170/0(match): pass out on em0: 10.16.11.201.955 > 10.16.1.211.2049: [|tcp]
2013-09-04 09:52:44.368505 rule 63/0(match): pass in on em3: 10.16.11.201.20485 > 10.16.1.211.2049: [|tcp]
2013-09-04 09:52:44.368594 rule 170/0(match): pass out on em0: 10.16.11.201.20485 > 10.16.1.211.2049:  tcp 28 [bad hdr length 0 - too short, < 20]
```

Now my problem.

When I do a directory listing on my NFS client of the NFS share I see the following:

```
user@hostnameA user $ ls -sla /var/www
total 4K
2K drwxr-xr-x  2 32767 32767 512 Sep  4 10:28 .
2K drwxr-xr-x 25 root  wheel 512 Sep  4 09:52 ..
```

The directory listing on the NFS server shows:

```
user@hostnameB user $ ls -sla /var/nfs/www/
total 4K
2K drwxr-xr-x 2 32767 32767 512 Sep  4 10:28 .
2K drwxr-xr-x 3 root  wheel 512 Aug 19 05:51 ..
```

I expected the directory /var/www on the NFS client to be owned by root:wheel. In the end I want to create a directory structure on the NFS share for another user user1. If I am correct, this user must exist on both the NFS client and the NFS server with the same ID. The nfsuserd daemon then takes care of the mapping. Why are the numbers 32767 used here? Is it because I use two different domains for the NFS client and NFS server? Do I have to use the --domain option for the nfsuserd daemon?

Thank you in advance for your feedback.

Regards,
Lars.


----------



## RattleAndHum (Sep 4, 2013)

Hello list forum,

This was resolved by setting the -domain option for nfsuserd to intra.domain.com for both the NFS client and the NFS server! I got to this after carefully reading the nfsuserd man page.

Regards,
Lars.


----------



## junovitch@ (Sep 5, 2013)

Another helpful tip for debugging this if you hadn't already found it would be setting the verbose flag.


```
nfsuserd_flags="-verbose"
```

I have found that Linux's implementation (called idmapd) supports names and UIDs, while the FreeBSD nfsuserd implementation is names only.  I have seen some cases where using rsync to an NFS share results in Linux sending UID@domain.name and that not being found, even though the user name does exist on both.


----------
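The owner-string mapping this thread is debugging, as an added model written for this page (not nfsuserd's or idmapd's own code): an NFSv4 owner arrives as `name@domain`; when the domain part differs from the local nfsuserd domain, or the name is unknown locally, the mapping falls back to the unknown id (32767 in the listings above), which is why the `dmz.domain.com` client showed 32767 for files the `intra.domain.com` server reported as `root`. The passwd table and listing are constructed, and the `allow_numeric` switch is a hypothetical approximation of the `UID@domain` handling junovitch@ describes for idmapd.

```python
UNKNOWN_ID = 32767  # fallback id seen in the thread's listings (assumed default here)

# Constructed stand-in for a host's passwd table: name -> uid
PASSWD = {"root": 0, "user1": 1001}

# Constructed `ls -sla` output shaped like the client listing in the thread
LISTING = """total 4K
2K drwxr-xr-x  2 32767 32767 512 Sep  4 10:28 .
2K drwxr-xr-x 25 root  wheel 512 Sep  4 09:52 ..
"""


def map_owner(owner, local_domain, passwd=PASSWD, allow_numeric=False, unknown=UNKNOWN_ID):
    """Map an NFSv4 owner string 'name@domain' to a local uid.

    Names-only behaviour, as described for FreeBSD nfsuserd: the domain must
    equal the local nfsuserd domain and the name must exist locally, otherwise
    the unknown id is returned.  allow_numeric=True models the idmapd-style
    acceptance of a numeric 'UID@domain' (hypothetical, not nfsuserd's rule).
    """
    if "@" not in owner:
        return unknown
    name, _, domain = owner.partition("@")
    if domain.lower() != local_domain.lower():
        return unknown  # domain mismatch: the 32767 symptom from the thread
    if name in passwd:
        return passwd[name]
    if allow_numeric and name.isdigit():
        return int(name)
    return unknown  # name not known on this host


def unmapped_entries(listing, unknown=UNKNOWN_ID):
    """Return entry names from `ls -sla` output whose owner or group shows the unknown id."""
    hits = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "total":
            continue
        owner, group, name = fields[3], fields[4], " ".join(fields[9:])
        if unknown in (owner, group) or str(unknown) in (owner, group):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Client domain dmz.domain.com receiving root@intra.domain.com from the server
    print(map_owner("root@intra.domain.com", "dmz.domain.com"))    # 32767
    print(map_owner("root@intra.domain.com", "intra.domain.com"))  # 0
    print(unmapped_entries(LISTING))                                # ['.']
```

Running `unmapped_entries` over a real listing is a quick way to spot an unmapped export before chasing firewall or export-permission causes.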

