[SOLVED] NFS, how to align UID GID ?

blnl · 09-20-2014, 04:30 AM

CH3SNAS server uses following UID GID for user boris:

Code:

root@CH3SNAS:/mnt/HD_a2/DAT/SERVERS/lighttp/www/pages/stock_mkt# cat /etc/passwd | grep boris
boris:x:502:702:users:/home/ftp:/bin/sh

DNS-325 server uses following UID GID for user boris:

Code:

root@DNS-325:/mnt/HD/HD_a2/ffp/home/root# cat /etc/passwd | grep boris
boris:x:1005:504:Linux User,,,:/mnt/HD_a4/ftp/boris:/bin/sh

Please notice the UID:GID mismatch between the machines.

As a consequence, when CH3SNAS is mounted in DNS-325 the user and group are not recognized but UID:GID are displayed instead.

Code:

root@DNS-325:/mnt/HD/HD_a2/ffp/home/root# ll /nfs/TMP/*DNS* 
-rw-r--r-- 1 502 702 4.9K Jul 12 12:06 /nfs/TMP/backup1_DNS-325
-rw-r--r-- 1 502 702 4.9K Jul 12 20:37 /nfs/TMP/backup2_DNS-325
-rw-r--r-- 1 502 702 5.0K Jul 12 21:53 /nfs/TMP/backup3_DNS-325
-rw-r--r-- 1 502 702 5.0K Jul 14 21:59 /nfs/TMP/backup4_DNS-325

To make things worse my Ubuntu machine uses yet another UID:GID for the same user.

Code:

boris@dc7100hp:~$ cat /etc/passwd | grep boris
boris:x:1000:1000:Linux User,,,:/home/boris:/bin/bash

I did not even have an opportunity to chose UID:GID for all these machines. They were chosen for me by the system.

What options are available to align UID:GID over different systems (without causing catastrophic failure/data loss)?

I already tried using map_static (as explained here: NFS uid/gid mapping), but without success:

Code:

root@DNS-325:/mnt/HD/HD_a2/ffp/home/root# exportfs -r
exportfs: /etc/exports:1: unknown keyword "map_static=/etc/nfs.map"

Are there any alternatives available?

smallpond · 09-20-2014, 08:04 AM

Nfs4 let's you map different ids on each system. It will take some setup, though.

suicidaleggroll · 09-20-2014, 09:20 AM

Or you could just change them, it's not terribly difficult. Those UID/GID were chosen by the system because you LET IT choose them. This is one of those instances where if you need the UID/GID to be set explicitly, then you need to set it explicitly, you shouldn't just sit back and hope that the system automatically chooses the correct values, because 99.99% of the time it won't (it doesn't know the context, there's no way for it to know what the correct values would be).

Log out of the machine, switch to a TTY (Ctrl + Alt + F2-6), log in as root. Use "w" to confirm the user account is not logged in, unmount all of your NFS mounts, and then run the following:

Code:

usermod -u newID "user"
groupmod -g newID "group"
find / -user oldID -exec chown newID {} \;
find / -group oldID -exec chgrp newID {} \;

Where "user" and "group" are the user/group names, oldID is the old ID (UID or GID, as the case may be), and newID is the new ID.

This will change the user's ID to what you tell it, and then find any files on the system matching the old ID and switch them to the new ID. You'll also need to change the default group for your user to the new GID.

Once it's done, log back in and you're good to go. Run this on each machine and each user where it's a problem, and you'll be fixing the issue at its source without any hacks or work-arounds. And in the future, if you know you'll be using NFS, then pay attention to UID/GID when setting up new users. Every Linux system I've used lets you specify the UID/GID when setting up a new user, it only "randomly picks one" when you don't bother to set it.

blnl · 09-20-2014, 03:35 PM

Quote:

Originally Posted by suicidaleggroll

Or you could just change them, it's not terribly difficult.
...

That is indeed what I did with my Fedora system to allign with CH3SNAS.

Code:

init 1

cp /etc/passwd /etc/passwd.bak
cp /etc/group /etc/group.bak

groupmod -g 702 users
usermod -u 502 boris
usermod -g 702 boris
groupdel boris

find / -user 1000 -exec chown -h 502 {} \;
find / -group 1000 -exec chgrp -h 702 {} \;

init 5

However, if I try to do the same with my other NAS (DNS-325), I must be absolutely sure that it goes right.
Are there some UID GID ranges that I should avoid using? (i.e. reserved for system processes)

suicidaleggroll · 09-20-2014, 03:42 PM

Unfortunately every OS is different in that regard. I think it's probably pretty safe to assume that any ID not currently in use on a NAS system is not going to be used, since it's not like you or anyone else is going to be going around setting up new services on a dedicated NAS box. However I can't be 100% sure about that.

blnl · 09-20-2014, 04:05 PM

Quote:

Originally Posted by suicidaleggroll

Unfortunately every OS is different in that regard. I think it's probably pretty safe to assume that any ID not currently in use on a NAS system is not going to be used, since it's not like you or anyone else is going to be going around setting up new services on a dedicated NAS box. However I can't be 100% sure about that.

That is not so good news. I'm planning to set-up new services on my new NAS.
lighttpd, openvpn, squid, twonky, transmission, subversion, rsync, are in the pipeline.

By the way I see what you mean, sshd has different UID:GID on two NAS stations.

Code:

root@CH3SNAS:/mnt/HD_a2/ffp/home/root# grep ssh /etc/passwd
sshd:x:33:33:sshd:/:/bin/false

Code:

root@DNS-325:/mnt/HD/HD_a2/ffp/home/root# grep ssh /etc/passwd
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

astrogeek · 09-20-2014, 04:32 PM

I think for most sane distros anything not already in use above 1000 is safe.

Also, for most sane distros and embedded systems, the bottom of the range, 0...> is used for special UIDs/GIDs, system services, etc. zero being root by definition. For a NAS I would imagine that would stay below a hundred or so.

Of course as the eggroll says, you can only really tell by looking.

For my own machines and users, I maintain a central makeusers script that I use to create or add all users and groups to system under my care.

It is fairly simple and simply defines a list of users, groups and their UID/GID, and any default options such as home path, shell, nologin, etc. When I install a new machine or need to add a user or group to an existing one, I comment out or add new entries as needed, copy it over then run it.

My script does not currently check whether one already exists, have intended to add that to it... but for a few dozen entries it is really not difficult to manage - you don't add or change users every day (at least I don't...).

blnl · 09-21-2014, 09:13 AM

Anyone of you has done this on Ubuntu?

Today I have migrated UID and GID on my Ubuntu system, but it is not 100% success.
I performed the very same procedure that I normally do on my Fedora system.

Code:

cp /etc/passwd /etc/passwd.bak
cp /etc/group /etc/group.bak

groupmod -g 702 users
usermod -u 502 -g 702 boris 
groupdel boris

find / -user 1000 -exec chown -h 502 {} \;
find / -group 1000 -exec chgrp -h 702 {} \;

reboot -f --verbose

After reboot I can still log-in as user "boris". Besides a slightly different log-in screen (no user is pre-selected, no usual background), everything else seems to be normal. Then I noticed that the User Profile (in System Settings > User Accounts) has completely disappeared. (see the screen-shot)
There used to be something like this before > screen-shot.

I have chosen 502:702 because my NAS and Fedora machine are both using these values (also yesterday I successfully migrated my 2nd NAS to these values).
Ubuntu is somehow different, I do not understand why. I did check before performing this operation, neither UID=502 nor GID=702 are being used by the system.

I'm planning to add more Ubuntu users to experiment with this until I get it right.
Some advice would be more than welcome.
What step(s) am I missing? Any suggestions?

blnl · 10-05-2014, 12:13 PM

Although the procedure failed for Ubuntu, I thrust this solution based on successful implementation on Fedora and DNS-325 NAS. Therefore I'm marking this thread as solved.

suicidaleggroll · 10-05-2014, 02:06 PM

I don't use Ubuntu, so I can't really comment on why it didn't work there, though I have done this extensively on Fedora, CentOS, RHEL, and OpenSUSE. Maybe there was something about the UID/GID you were attempting to use on that Ubuntu box?