3

I use the following setup:

NFS Server (Ubuntu 16.04 LTS)

  • nfs-common 1:1.2.8-6ubuntu1.2
  • nfs-kernel-server 1:1.2.8-6ubuntu1.2
  • user: test (uid=1300)

NFS Client

  • nfs-common 1:1.3.4-2.1
  • user: testmf (uid=1350)

On the client side, the user test exists with the same UID as on the server side. But I need to use the user testmf and not the test one.

I have read a lot of documentation, and answers from StackOverflow/StackExchange, and for some reason nothing works for me.

One of the many answers is to change the file /etc/idmapd.conf.

So here it is on both sides:

Server

[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

On the client side:

[General]
Verbosity = 9
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
Domain = example.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static

[Static]
test@nfsserver.example.com = testmf
test@192.168.0.1 = testmf
test@nfsserver = testmf

And I use such command to mount the directory on the client:

mount 192.168.0.1:/home/test/my_exp_dir /home/testmf/my_imp_dir

And when I do an ls -l /home/testmf/my_imp_dir I get something like this:

-rw-r--r-- 1 test test  326025780 May  9  2017 allCountries.zip

and NOT

-rw-r--r-- 1 testmf testmf  326025780 May  9  2017 allCountries.zip

If at this point I do a touch testfile I get this:

-rw-r--r-- 1 test test  326025780 May  9  2017 allCountries.zip
-rw-r--r-- 1 testmf testmf      0 Jun  9  18:57 testfile

Or ls -ln

-rw-r--r-- 1 1300 1300  326025780 May  9  2017 allCountries.zip
-rw-r--r-- 1 1350 1350          0 Jun  9  18:57 testfile

I tried to increase the level of verbosity, and nowhere in my logs can I see the mapping of users from one UID to another like I could see in some answers. The two things I could see: first, the kernel setting /sys/module/nfs/parameters/nfs4_disable_idmapping was set to Y, and even after changing it to N, nothing seems to work.

The second thing I have found is that these 2 entries don't exist on my client:

  • /proc/net/rpc/nfs4.nametoid
  • /proc/net/rpc/nfs4.idtoname

And I don't know how to add them, especially since nfsidmap is not available.

I have read that I also need to restart the idmapd service after that change. But in Debian 9 it is not possible... Or at least I have not found how to do it...

I have also changed the file /etc/default/nfs-common to set the variable NEED_IDMAPD=yes and it doesn't do anything, even after a reboot...

So my question is maybe quite dumb, but how can I activate nfsidmapd on Debian Stretch? I am really out of options and search keywords, and the official Debian documentation is not really helpful here, unless I am totally blind!

Thank you in advance for your help.

2 Answers

7

There is a big confusion about NFS ID mapping. The mapping is used when a string-form principal, like test@example.com, has to be converted into a numeric ID and vice versa. However, when you mount with sec=sys, which you obviously do, all requests are authenticated with the client's local UID and GIDs. IOW, on touch the UID of the client process will be the file owner on the server.

The second confusion is that Static can be used to define a static mapping. According to the man page:

The "static" translation method uses a static list of GSS-Authenticated names to local user names.

Which literally expects GSS-Authenticated principals:

 /* static.c: the static method only handles GSS-authenticated principals */
 if (strcmp(secname, "krb5") != 0 && strcmp(secname, "spkm3") != 0)
     return -EINVAL;

http://git.linux-nfs.org/?p=trondmy/libnfsidmap.git;a=blob;f=static.c;h=fffd4580847d2577d3fb9638a246069bdb8f12b5;hb=HEAD#l118

As too many people require static mapping, this probably has to be fixed; however, you can't fix the usage of the process UID.

To solve it in an NFS-friendly way, the best option will be to use Kerberos and mount with sec=krb5. In this case your process can run with a Kerberos ticket for one user but still have a different local UID. In such a scenario a static mapping can be used to avoid the use of LDAP.

kofemann
    Thank you, I have solved my issue by using groups, and having g+s on the directories. And using kerberos is not something I want to fiddle with at the moment! – Alessandro Perucchi Jun 12 '18 at 08:32
  • I don't know how to close the question, should I put your answer as solution, even if I didn't use it? Or is it better that I answer my own question with what I did? – Alessandro Perucchi Jun 12 '18 at 08:34
  • @AlessandroPerucchi leave it as is. - the answer didn't solve your question. However, you can write your own answer and mark it as a solution. – kofemann Jun 13 '18 at 15:13
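The practical check that follows from this answer is "which security flavour is my mount actually using?", because the asker's mount command gives none and NFS then defaults to sec=sys. The script below is an added example, not code from the answer or from libnfsidmap: it parses the option field of a /proc/mounts-style line (the two sample lines are constructed, not captured from the asker's hosts), defaults the flavour to sys when no sec= option is present, and mirrors the secname check quoted from static.c to decide whether the [Static] section would ever be consulted for that mount.

```shell
#!/bin/sh
# Added example: find the sec= flavour of an NFS mount and report whether
# idmapd's static translation is relevant to it. Not part of the answer.

# Constructed /proc/mounts lines (format: device mountpoint fstype options freq passno).
MOUNT_SYS='192.168.0.1:/home/test/my_exp_dir /home/testmf/my_imp_dir nfs4 rw,relatime,hard,proto=tcp,sec=sys,addr=192.168.0.1 0 0'
MOUNT_KRB5='nfsserver.example.com:/export /mnt/krb nfs4 rw,relatime,hard,proto=tcp,sec=krb5,addr=192.168.0.1 0 0'

# Print the sec= flavour of one mount line. When the option is absent the
# kernel client uses sys, so that is the default here as well.
nfs_sec_flavor() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    flavor=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    printf '%s\n' "${flavor:-sys}"
}

# Return 0 when the static translation method would be consulted. This
# mirrors the check quoted from static.c: only krb5 and spkm3 pass, every
# other secname makes it return -EINVAL.
static_idmap_applies() {
    case "$1" in
        krb5|spkm3) return 0 ;;
        *) return 1 ;;
    esac
}

# Describe who the server will record as owner of a file the calling
# process creates on the given mount.
explain_owner() {
    flavor=$(nfs_sec_flavor "$1")
    if static_idmap_applies "$flavor"; then
        printf 'sec=%s: the GSS principal is translated by idmapd; the local UID is not what the server sees\n' "$flavor"
    else
        printf 'sec=%s: the server records the numeric UID %s of the client process; no name mapping happens\n' "$flavor" "$(id -u)"
    fi
}

# Usage: walk the real mount table when run on a client.
#   grep ' nfs4\? ' /proc/mounts | while read -r line; do explain_owner "$line"; done
explain_owner "$MOUNT_SYS"
explain_owner "$MOUNT_KRB5"
```

On the asker's client the first line is the relevant one: the option field carries sec=sys, so the touch arrives at the server as UID 1350 and is stored that way, which is exactly the ls -ln output in the question.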
1

Well, this is my answer, maybe not exactly what I wanted, but at least it solved my problem and I can move on.

Basically I have ensured that every user was part of the same group with the same GID on all servers involved. Then I've set the group ID on all directories in the shared directory with:

find /share-dir -type d -exec chmod g+s {} \;

I've also checked that the umask was set to 007 instead of 022 or 027.
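The setgid-directory approach in this answer relies on three things working together: every directory under the share carries g+s, the group on the directories is the shared one, and the creating process has a umask that leaves the group write bit in place. The script below is an added example, not the answer's own code: it builds a throwaway share under mktemp (the group used is the caller's own primary group, an assumption so that it runs unprivileged), applies the find/chmod command from the answer, and then verifies each of the three conditions, including the Linux behaviour that a directory created inside a setgid directory inherits both the group and the setgid bit.

```shell
#!/bin/sh
# Added example: build a group-shared directory tree with setgid
# directories, then verify that new files and directories inherit the
# share's group and that umask 007 keeps them group-writable.
# Uses GNU stat (-c); adjust for BSD stat -f.

# Create a small tree, give it the shared group, and set g+s on every
# directory exactly as the answer does.
setup_share() {
    share="$1"
    group="$2"
    mkdir -p "$share/sub/deeper"
    chgrp -R "$group" "$share"
    chmod -R g+rwX "$share"
    find "$share" -type d -exec chmod g+s {} \;
}

# Return 0 when every directory under $1 has the setgid bit (02000).
check_setgid() {
    if find "$1" -type d ! -perm -2000 | grep -q .; then
        return 1
    fi
    return 0
}

# Create an empty file at $1 under umask $2 and print its octal mode.
create_with_umask() {
    ( umask "$2"; : > "$1" )
    stat -c '%a' "$1"
}

# Print 0 when the file or directory $1 has the same numeric group as the
# share root $2, 1 otherwise.
group_matches() {
    [ "$(stat -c '%g' "$1")" = "$(stat -c '%g' "$2")" ] && echo 0 || echo 1
}

# Stand-alone demonstration; the group is the caller's primary group
# (assumption made so the script needs no root).
demo() {
    share=$(mktemp -d)
    setup_share "$share" "$(id -gn)"
    check_setgid "$share" && echo "all directories carry g+s"
    echo "umask 007 file mode: $(create_with_umask "$share/sub/deeper/ok" 007)"
    echo "umask 022 file mode: $(create_with_umask "$share/sub/deeper/bad" 022)"
    mkdir "$share/sub/new"
    check_setgid "$share" && echo "new subdirectory inherited g+s"
    echo "new file group matches share: $(group_matches "$share/sub/deeper/ok" "$share")"
    rm -rf "$share"
}

demo
```

The 022 case is the one the answer warns about: the file still lands in the shared group, but its mode is 644, so the other members of the group can read it and not write it, which is why the umask has to be checked on every host that writes into the share.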