pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Wed Feb 15, 2012 12:36 pm Post subject: [SOLVED]nfs idmap problems, nobody is owner of all files |
|
|
After a server was updated, all home directories on the Gentoo client get nobody as owner. How do I debug idmap to make sure I get the right owner?
Last edited by pgu on Sat Feb 18, 2012 4:54 pm; edited 1 time in total |
|
depontius Advocate
Joined: 05 May 2004 Posts: 3518
|
Posted: Wed Feb 15, 2012 12:59 pm Post subject: |
|
|
I would make sure that idmapd is properly configured and running on both client and server. Without that nfsv4 just isn't going to do its job right. If you've done an update, it's possible that it's either not running or has been de-configured on one or the other. At a minimum make sure the "Domain =" is set right. I also use non-standard "Nobody-User" and "Nobody-group". I don't know that idmapd.conf needs to exactly match on client and server, but I always find it easier if they do. _________________ .sigs waste space and bandwidth |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Wed Feb 15, 2012 3:25 pm Post subject: |
|
|
The server is working as other clients seem to handle it fine.
I see that rpc.idmapd is running. And the Domain is set correctly. Other clients (e.g. CentOS) are using "NEED_IDMAPD=yes" in /etc/default/nfs-common. I've done that, but I'm uncertain if that's the way it's done in Gentoo or if the NEED_IDMAPD is passed in /etc/conf.d/nfs or elsewhere? The latter has a NFS_NEEDED_SERVICES="rpc.idmapd" which I assume is causing rpc.idmapd to start. |
|
LinuxTom l33t
Joined: 26 Mar 2006 Posts: 798
|
Posted: Sat Feb 18, 2012 11:53 am Post subject: |
|
|
Hello,
I have a problem: the user and group mapping does not work for me. See the configuration and log files here.
Configuration file /etc/idmapd.conf for server and client:
Code: | #~ grep -v '^#' /etc/idmapd.conf | grep -v '^$'
[General]
Verbosity = 10
Domain = localdomain
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
[Mapping]
Nobody-User = vdr
Nobody-Group = vdr
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu |
Can anyone give me a hint? |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sat Feb 18, 2012 2:53 pm Post subject: |
|
|
I tried to do a world update and installed kernel 3.2.1, but the only thing that happened is that the NFS automounter stopped working.
If I NFS mount manually I can mount, but the group/owner of the mounted files is still not correct. So now I have two problems to fix. |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sat Feb 18, 2012 3:00 pm Post subject: |
|
|
pgu wrote: | I tried to do a world update and installed kernel 3.2.1, but the only thing that happened is that the NFS automounter stopped working
|
That was since auto.master had moved from /etc/ to /etc/autofs. So the automount of NFS works, but the idmap still does not...
Last edited by pgu on Sat Feb 18, 2012 3:21 pm; edited 1 time in total |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sat Feb 18, 2012 3:05 pm Post subject: |
|
|
Are there any query tools which will check if the idmap is working correctly, or if the cause is that NFS does not care about idmap at all? |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sat Feb 18, 2012 3:06 pm Post subject: |
|
|
Code: | grep -i idmap .config
CONFIG_NFS_USE_NEW_IDMAPPER=y
|
So it should be in the kernel... |
|
LinuxTom l33t
Joined: 26 Mar 2006 Posts: 798
|
Posted: Sat Feb 18, 2012 3:38 pm Post subject: |
|
|
Yes. Server and client.
Code: | zcat /proc/config.gz | grep -i CONFIG_NFS_USE_NEW_IDMAPPER
CONFIG_NFS_USE_NEW_IDMAPPER=y
|
|
|
depontius Advocate
Joined: 05 May 2004 Posts: 3518
|
Posted: Sat Feb 18, 2012 3:44 pm Post subject: |
|
|
@pgu - One thought...
In your idmapd.conf you have "Domain = localdomain", but later on you have "LDAP_server = ldap-server.local.domain.edu". Assuming the latter is how you've really set things up, the first line should be "Domain = local.domain.edu".
@LinuxTom - I'm not familiar with "CONFIG_NFS_USE_IDMAPPER", and I see that I don't have it set. I'm currently running gentoo-sources-3.2.6, my nfsv4 mounts and idmapping are working correctly. Can you give more info about this new option, or point me at something to read about it? _________________ .sigs waste space and bandwidth |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sat Feb 18, 2012 4:11 pm Post subject: |
|
|
Hmm, maybe it's the "new" (whatever that means) idmapper which is the problem, I'll do a test without it... |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sat Feb 18, 2012 4:24 pm Post subject: |
|
|
Code: | zcat /proc/config.gz | grep -i CONFIG_NFS_USE_NEW_IDMAPPER
# CONFIG_NFS_USE_NEW_IDMAPPER is not set |
Yep, that did it. Now it works |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sat Feb 18, 2012 4:27 pm Post subject: |
|
|
except that now the other nfs mount shows up as nobody nobody, maybe one server is using the "new" feature set, and the other doesn't... |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sat Feb 18, 2012 4:54 pm Post subject: |
|
|
I changed it to solved as it solved my problem related to the idmap setup |
|
depontius Advocate
Joined: 05 May 2004 Posts: 3518
|
Posted: Sat Feb 18, 2012 6:14 pm Post subject: |
|
|
pgu wrote: | I changed it to solved as it solved my problem related to the idmap setup |
Could you please summarize your solution. The post before last made it sound as if you had two mounts, and were able to get one or the other to work, but not both. I presume to call this [solved] you've got both working. What did it take?
I've looked a bit more into CONFIG_NFS_USE_NEW_IDMAPPER and find that there's new code, and it's "activated" by a new USE flag, "nfsidmap" that is new to nfs-utils-1.2.4 and beyond. Right now my system is at stable nfs-utils-1.2.3-r1, so it's irrelevant to me. At this point it's worth considering moving one system to the new nfs-utils, so I can get some early experience with it.
The really interesting thing about it is that it will allow you to substitute your own name/group<->uid/gid mapping. So-called "modern" Linux distributions don't give a lot of control over UIDs, especially the first UID after installation. Yet with any sort of network filesystem having consistent UID/GID across the "enterprise" (for me, my home lan) is necessary. It looks like something could be done here to allow per-system mapping. Of course that may be opening a can of worms, and maybe one is better off with the chore of harmonizing /etc/passwd and /etc/group. I wish current distros were better about this. _________________ .sigs waste space and bandwidth |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sat Feb 18, 2012 7:13 pm Post subject: |
|
|
depontius wrote: | pgu wrote: | I changed it to solved as it solved my problem related to the idmap setup |
Could you please summarize your solution. The post before last made it sound as if you had two mounts, and were able to get one or the other to work, but not both. I presume to call this [solved] you've got both working. What did it take?
|
My solution only applied to one of them, which was good enough for me.
The solution was to disable the "new" scheme. But some other partition I'm mounting seems to depend upon this "new" feature, hence now I'm getting the same problem on the other partition. However, that's not a big problem as I mount this read only and most files have read access for "other".
But for somebody who needs to mount two different servers (i.e. one "old", and one "new") with correct mappings this might be a problem. Since this appears to be a global kernel setting for the NFS client, there is no way to specify it differently for different NFS mount points.
If you don't think it was correct to mark it SOLVED, let me know and I'll revert. |
|
depontius Advocate
Joined: 05 May 2004 Posts: 3518
|
Posted: Sat Feb 18, 2012 7:19 pm Post subject: |
|
|
So are you also saying that I'm going to need to upgrade my whole lan at the same time? I guess I figured that idmapping was a protocol-level thing, and new-vs-old was an in-box type of thing.
Crud - this may take some experimentation. I hate the very idea of trying to do a whole-lan all-must-work-together upgrade. It's bad enough that MythTV is pretty much that way, but at least my backend is on a "client" machine. I touch my servers very little. _________________ .sigs waste space and bandwidth |
|
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sat Feb 18, 2012 7:35 pm Post subject: |
|
|
depontius wrote: | So are you also saying that I'm going to need to upgrade my whole lan at the same time? |
I think so, but I might be wrong as I'm just speculating. There might be some other solution as well. In my case I can't upgrade the whole lan as I have no control of some of the servers as they are managed by others using distros other than gentoo. |
|
LinuxTom l33t
Joined: 26 Mar 2006 Posts: 798
|
Posted: Sat Feb 18, 2012 7:43 pm Post subject: |
|
|
Thanks, this is the solution for me. |
|
depontius Advocate
Joined: 05 May 2004 Posts: 3518
|
Posted: Sat Feb 18, 2012 10:56 pm Post subject: |
|
|
Come to think of it, this doesn't ring right, to me. From what I can tell, the whole "USE=idmapd" thing is about how the kernel talks to userspace to map between usernames and UIDs, groupnames and GIDs. I don't believe it has anything to do with the over-the-wire protocol - that kind of thing wouldn't happen in such a minor version bump - from 1.2.3 to 1.2.4.
I would be much more inclined to compare the /etc/idmapd.conf files from the 2 servers, and see if they are consistent. Grep out all of the comments if you have to, but I'll bet there's some sort of difference there, and it might also be worth comparing /etc/passwd and /etc/group between the 2 servers. That seems to me to be a far more likely source of "can only get one working at a time" than the mechanism of kernel<->userspace communication.
Now that it comes up, when I get time I'll have to take a system and move it to nfs-utils-1.2.5 and try this, just to be sure. _________________ .sigs waste space and bandwidth |
|
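Added example, not part of any post in this thread: a shell sketch of the comparison suggested above, reading the effective `Domain` from two idmapd.conf copies and listing names whose numeric IDs differ between two passwd- or group-format files. The function names `idmap_domain` and `id_mismatches` are hypothetical, and the sample file contents are constructed from values quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: compare idmapd.conf and passwd/group copies from two hosts.

# Print the Domain value from the [General] section of an idmapd.conf file.
idmap_domain() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        /^[ \t]*\[/ {                             # section header, e.g. [General]
            s = tolower($0); gsub(/[^a-z_]/, "", s)
            insec = (s == "general"); next
        }
        insec {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (tolower(key) == "domain") { print val; exit }
        }
    ' "$1"
}

# Print "name idA idB" for every name present in both passwd- or group-format
# files (name:x:id:...) whose numeric ID differs between the two.
id_mismatches() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        NR == FNR { id[$1] = $3; next }           # first file: remember IDs
        ($1 in id) && id[$1] != $3 { print $1, id[$1], $3 }
    ' "$1" "$2" | sort
}

# Constructed sample data standing in for files copied from two hosts.
demo=$(mktemp -d)
printf '[General]\nVerbosity = 10\nDomain = localdomain\n' > "$demo/a.conf"
printf '# other host\n[General]\nDomain = local.domain.edu\n' > "$demo/b.conf"
printf 'root:x:0:0::/root:/bin/sh\nvdr:x:1000:1000::/home/vdr:/bin/sh\n' > "$demo/a.passwd"
printf 'root:x:0:0::/root:/bin/sh\nvdr:x:1001:1001::/home/vdr:/bin/sh\n' > "$demo/b.passwd"

echo "Domain: $(idmap_domain "$demo/a.conf") vs $(idmap_domain "$demo/b.conf")"
echo "UID mismatches (name, host A, host B):"
id_mismatches "$demo/a.passwd" "$demo/b.passwd"
rm -rf "$demo"
```

A differing `Domain` or any line of mismatch output means the two hosts do not agree on which account a given name refers to, which is worth resolving before trusting the ownership shown on the mount.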
pgu l33t
Joined: 30 Jul 2009 Posts: 721 Location: Oslo, Norway
|
Posted: Sun Feb 19, 2012 10:07 am Post subject: |
|
|
depontius wrote: | I would be much more inclined to compare the /etc/idmapd.conf files from the 2 servers, and see if they are consistent |
The server which I've set up might be misconfigured in some way. However, the only information found in the idmapd.conf on the two servers is basically the "Domain = " statement which contains the same domain for both servers. But there might be some differences in /etc/nsswitch which is causing this difference. When accessing local filesystems the user and group id's from NIS are correct. |
|
LinuxTom l33t
Joined: 26 Mar 2006 Posts: 798
|
Posted: Sun Feb 19, 2012 10:18 am Post subject: |
|
|
I even have a little access problem. See here. |
|
depontius Advocate
Joined: 05 May 2004 Posts: 3518
|
Posted: Sun Feb 19, 2012 12:11 pm Post subject: |
|
|
Are /etc/passwd and /etc/group between the various systems "harmonized"? I'm not even sure if this is necessary for nfs, considering the existence of the idmapper, but I also use afs at work, and it is for that. Therefore I've always done it on my home lan. _________________ .sigs waste space and bandwidth |
|
LinuxTom l33t
Joined: 26 Mar 2006 Posts: 798
|
Posted: Sun Feb 19, 2012 12:25 pm Post subject: |
|
|
@depontius:
For passwords or id's or both? |
|
depontius Advocate
Joined: 05 May 2004 Posts: 3518
|
Posted: Sun Feb 19, 2012 3:36 pm Post subject: |
|
|
I'm thinking primarily about keeping UID and GID matched. I generally match users' passwords as a matter of convenience and practicality, but I don't believe it's necessary for nfs. If I had more time etc, I'd have LDAP/Kerberos central authentication. I've tried a few times to do it, and bounced off. If I were to try again these days, I'm not sure if it would be more "practically educational" to try again with OpenLDAP and either MIT or Heimdal Kerberos, or to go with something like RedHat Directory Services. I first got into my "overgrown home lan" as a backup plan, training myself for alternate employment, a decade ago. In the years since my job has become much more secure. _________________ .sigs waste space and bandwidth |
|