LinuxQuestions.org


joachimjacob 08-01-2012 05:01 AM

NFS mounts always as user nobody on Centos
 
Hi,


I want to use an NFS-exported directory on a server intended for FTP file upload. For this, the mounted NFS directory needs to have the same user/group as indicated in the FTP settings. However, the NFS share only mounts as user 'nobody', but I need user 'galaxy'.

The FTP server is a virtual machine, running CentOS release 6.2 (Final).
The NFS server is the host of the virtual machine, running Red Hat Enterprise Linux Server release 6.3 (Santiago).

NFS is version 4 on both.

On the NFS server

The user:
Code:

#id galaxy
uid=600(galaxy) gid=601(galaxy) groups=601(galaxy)

The export settings:
Code:

# cat /etc/exports
...
/mnt/galdb-bitsprod/database 192.168.x.x(rw,all_squash,anonuid=600,anongid=601)
...

The exported directory permissions:
Code:

# ll -d /mnt/galdb-bitsprod/database/
drwxrwxr-x 10 galaxy galaxy 4096 Jul 13 10:50 /mnt/galdb-bitsprod/database/

NFS is running:
Code:

# service nfs status
rpc.svcgssd is stopped
rpc.mountd (pid 16318) is running...
nfsd (pid 16383 16382 16381 16380 16379 16378 16377 16376) is running...
rpc.rquotad (pid 16314) is running...

Code:

# service rpcidmapd status
rpc.idmapd (pid 16369) is running...


On the FTP server

The user:
Code:

# id galaxy
uid=600(galaxy) gid=601(galaxy) groups=601(galaxy)

Somebody said this service needs to be running (to map ids?):
Code:

# service rpcidmapd status
rpc.idmapd (pid 1932) is running...

NFS exported directory is visible:
Code:

# showmount -e nfsserver
/mnt/galdb-bitsprod/database 192.168.x.x

NFS exported directory entry in fstab:
Code:

# cat /etc/fstab
# Galaxy Database
192.168.x.x:/mnt/galdb-bitsprod/database        /mnt/galaxydb        nfs rw,exec,auto        0 0

Permissions after mounting the directory:
Code:

#mount /mnt/galaxydb
#ll -d /mnt/galaxydb
drwxrwxr-x 10 nobody nobody 4096 Jul 13 10:50 /mnt/galaxydb/

Small note: the folder on the FTP server to which I mount belongs to user and group 'galaxy'. Hence the problem: after mounting, the folder belongs to user nobody, and it needs to be 'galaxy'.

What I have tried:
- google :-) (actually, most of what I have already comes from this)
- changed the mount options in fstab a bit: user, and users (but these only set the permissions of who can mount)

Very often, the solution pops up in my head after writing so much down... Not this time unfortunately. Looking for some assistance here.

Cheers!
Joachim

jschiwal 08-01-2012 05:24 AM

That is what the all_squash export option does.

Oh, I missed the anonuid options.

Could you post your /etc/idmap.conf file?

joachimjacob 08-01-2012 06:28 AM

On the NFS server:

Code:

# cat /etc/idmapd.conf
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu

# The following is a comma-separated list of Kerberos realm
# names that should be considered to be equivalent to the
# local realm, such that <user>@REALM.A can be assumed to
# be the same user as <user>@REALM.B
# If not specified, the default local realm is the domain name,
# which defaults to the host's DNS domain name,
# translated to upper-case.
# Note that if this value is specified, the local realm name
# must be included in the list!
#Local-Realms =

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

# Translation Method is an comma-separated, ordered list of
# translation methods that can be used.  Distributed methods
# include "nsswitch", "umich_ldap", and "static".  Each method
# is a dynamically loadable plugin library.
# New methods may be defined and inserted in the list.
# The default is "nsswitch".
Method = nsswitch

# Optional.  This is a comma-separated, ordered list of
# translation methods to be used for translating GSS
# authenticated names to ids.
# If this option is omitted, the same methods as those
# specified in "Method" are used.
#GSS-Methods = <alternate method list for translating GSS names>
 
#-------------------------------------------------------------------#
# The following are used only for the "static" Translation Method.
#-------------------------------------------------------------------#
#[Static]

# A "static" list of GSS-Authenticated names to
# local user name mappings

#someuser@REALM = localuser


#-------------------------------------------------------------------#
# The following are used only for the "umich_ldap" Translation Method.
#-------------------------------------------------------------------#

#[UMICH_SCHEMA]

# server information (REQUIRED)
#LDAP_server = ldap-server.local.domain.edu

# the default search base (REQUIRED)
#LDAP_base = dc=local,dc=domain,dc=edu

#-----------------------------------------------------------#
# The remaining options have defaults (as shown)
# and are therefore not required.
#-----------------------------------------------------------#

# whether or not to perform canonicalization on the
# name given as LDAP_server
#LDAP_canonicalize_name = true

# absolute search base for (people) accounts
#LDAP_people_base = <LDAP_base>

# absolute search base for groups
#LDAP_group_base = <LDAP_base>

# Set to true to enable SSL - anything else is not enabled
#LDAP_use_ssl = false

# You must specify a CA certificate location if you enable SSL
#LDAP_ca_cert = /etc/ldapca.cert

# Objectclass mapping information

# Mapping for the person (account) object class
#NFSv4_person_objectclass = NFSv4RemotePerson

# Mapping for the nfsv4name attribute the person object
#NFSv4_name_attr = NFSv4Name

# Mapping for the UID number
#NFSv4_uid_attr = UIDNumber

# Mapping for the GSSAPI Principal name
#GSS_principal_attr = GSSAuthName

# Mapping for the account name attribute (usually uid)
# The value for this attribute must match the value of
# the group member attribute - NFSv4_member_attr
#NFSv4_acctname_attr = uid

# Mapping for the group object class
#NFSv4_group_objectclass = NFSv4RemoteGroup

# Mapping for the GID attribute
#NFSv4_gid_attr = GIDNumber

# Mapping for the Group NFSv4 name
#NFSv4_group_attr = NFSv4Name

# Mapping for the Group member attribute (usually memberUID)
# The value of this attribute must match the value of NFSv4_acctname_attr
#NFSv4_member_attr = memberUID

On the FTP server that has mounted the nfs share:
Code:

# cat /etc/idmapd.conf
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu

# The following is a comma-separated list of Kerberos realm
# names that should be considered to be equivalent to the
# local realm, such that <user>@REALM.A can be assumed to
# be the same user as <user>@REALM.B
# If not specified, the default local realm is the domain name,
# which defaults to the host's DNS domain name,
# translated to upper-case.
# Note that if this value is specified, the local realm name
# must be included in the list!
#Local-Realms =

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

# Translation Method is an comma-separated, ordered list of
# translation methods that can be used.  Distributed methods
# include "nsswitch", "umich_ldap", and "static".  Each method
# is a dynamically loadable plugin library.
# New methods may be defined and inserted in the list.
# The default is "nsswitch".
Method = nsswitch

# Optional.  This is a comma-separated, ordered list of
# translation methods to be used for translating GSS
# authenticated names to ids.
# If this option is omitted, the same methods as those
# specified in "Method" are used.
#GSS-Methods = <alternate method list for translating GSS names>
 
#-------------------------------------------------------------------#
# The following are used only for the "static" Translation Method.
#-------------------------------------------------------------------#
#[Static]

# A "static" list of GSS-Authenticated names to
# local user name mappings

#someuser@REALM = localuser


#-------------------------------------------------------------------#
# The following are used only for the "umich_ldap" Translation Method.
#-------------------------------------------------------------------#

#[UMICH_SCHEMA]

# server information (REQUIRED)
#LDAP_server = ldap-server.local.domain.edu

# the default search base (REQUIRED)
#LDAP_base = dc=local,dc=domain,dc=edu

#-----------------------------------------------------------#
# The remaining options have defaults (as shown)
# and are therefore not required.
#-----------------------------------------------------------#

# whether or not to perform canonicalization on the
# name given as LDAP_server
#LDAP_canonicalize_name = true

# absolute search base for (people) accounts
#LDAP_people_base = <LDAP_base>

# absolute search base for groups
#LDAP_group_base = <LDAP_base>

# Set to true to enable SSL - anything else is not enabled
#LDAP_use_ssl = false

# You must specify a CA certificate location if you enable SSL
#LDAP_ca_cert = /etc/ldapca.cert

# Objectclass mapping information

# Mapping for the person (account) object class
#NFSv4_person_objectclass = NFSv4RemotePerson

# Mapping for the nfsv4name attribute the person object
#NFSv4_name_attr = NFSv4Name

# Mapping for the UID number
#NFSv4_uid_attr = UIDNumber

# Mapping for the GSSAPI Principal name
#GSS_principal_attr = GSSAuthName

# Mapping for the account name attribute (usually uid)
# The value for this attribute must match the value of
# the group member attribute - NFSv4_member_attr
#NFSv4_acctname_attr = uid

# Mapping for the group object class
#NFSv4_group_objectclass = NFSv4RemoteGroup

# Mapping for the GID attribute
#NFSv4_gid_attr = GIDNumber

# Mapping for the Group NFSv4 name
#NFSv4_group_attr = NFSv4Name

# Mapping for the Group member attribute (usually memberUID)
# The value of this attribute must match the value of NFSv4_acctname_attr
#NFSv4_member_attr = memberUID

Note, I did not change anything in here yet.

joachimjacob 08-01-2012 06:45 AM

Ok, thanks for the hint to /etc/idmapd.conf.

I have changed this line on both the NFS server and the mounting server:
Code:

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

to

Code:

[Mapping]

Nobody-User = galaxy
Nobody-Group = galaxy

Next,
Code:

# service rpcidmapd restart
Stopping RPC idmapd:                                      [  OK  ]
Starting RPC idmapd:                                      [  OK  ]

Am I doing the right thing here? If I understand correctly, all users mounting NFS will be given the galaxy user. This is a normal user. How would I be able to set this more granularly?

jschiwal 08-02-2012 06:53 AM

I was going to suggest changing the line:
#Domain = local.domain.edu
to
Domain=localdomain

It is how mine is. The idmapd.conf manpage states:
Quote:

[Mapping] section variables
Nobody-User
Local user name to be used when a mapping cannot be completed.

Nobody-Group
Local group name to be used when a mapping cannot be completed.

A blog I read stated that an error in the domain name will cause mapping to fail. Your solution might work indirectly. I had the same idea you had, but couldn't back it up with any examples. They all keep the default Nobody-User, or use nfsuser instead which has the same UID.

joachimjacob 08-03-2012 04:34 AM

Solved
 
An awful lot of thanks! This made it! Now I feel more comfortable to dig into the man pages ;-)

So, in my cookbook, the main ingredients for success with NFS:
1. make sure ids on host and client are identical
2. make sure the domain names are correctly set
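
The two checks in the list above, plus the Nobody-User change tried earlier in the thread, as a script. This is an added example, not code from any poster or from nfs-utils; the function names, finding labels and temp file names are hypothetical, and the sample config and `id` lines are constructed from the values shown in the thread.

```shell
#!/bin/sh
# Added example: audit the inputs this thread ended up checking by hand.
# All sample data below is constructed; file names are placeholders.

# Print the active (uncommented) value of KEY in an idmapd.conf-style file.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Pull "uid:gid" and the account name out of one line of `id` output.
ids_of()  { printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]*\)([^)]*) gid=\([0-9]*\).*/\1:\2/p'; }
name_of() { printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'; }

# check_idmap SERVER_CONF CLIENT_CONF SERVER_ID_LINE CLIENT_ID_LINE
# Prints space-separated findings, or OK.
check_idmap() {
    findings=""
    s_dom=$(conf_value "$1" Domain)
    c_dom=$(conf_value "$2" Domain)
    if [ -z "$s_dom" ] || [ -z "$c_dom" ]; then
        # Unset means "use the host's DNS domain name", which two hosts need not share.
        findings="$findings DOMAIN_UNSET"
    elif [ "$s_dom" != "$c_dom" ]; then
        findings="$findings DOMAIN_MISMATCH"
    fi
    # A fallback user equal to the real account hides failed mappings instead of fixing them.
    acct=$(name_of "$3")
    for f in "$1" "$2"; do
        if [ -n "$acct" ] && [ "$(conf_value "$f" Nobody-User)" = "$acct" ]; then
            case "$findings" in *NOBODY_IS_ACCOUNT*) ;; *) findings="$findings NOBODY_IS_ACCOUNT" ;; esac
        fi
    done
    if [ "$(ids_of "$3")" != "$(ids_of "$4")" ]; then
        findings="$findings ID_MISMATCH"
    fi
    echo ${findings:-OK}   # unquoted on purpose: drops the leading space
}

# Constructed sample: a minimal idmapd.conf with the given Domain line and fallback user.
write_conf() {  # write_conf FILE DOMAIN_LINE NOBODY_NAME
    printf '[General]\n%s\n[Mapping]\nNobody-User = %s\nNobody-Group = %s\n' "$2" "$3" "$3" > "$1"
}

tmp=$(mktemp -d)
GALAXY='uid=600(galaxy) gid=601(galaxy) groups=601(galaxy)'
write_conf "$tmp/server" '#Domain = local.domain.edu' nobody   # state shown in the first posts
write_conf "$tmp/client" '#Domain = local.domain.edu' nobody
check_idmap "$tmp/server" "$tmp/client" "$GALAXY" "$GALAXY"
```

On real hosts, pass each machine's `/etc/idmapd.conf` (copied locally) and the output of `id galaxy` from each side.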

jschiwal 08-03-2012 05:58 AM

For NFS4, you need all shares under an nfs root directory. This takes more work, using -bind or -rbind mounts, mounting one directory over another. Client mount commands (or the fstab entry) will use server:share instead of the full path.

Good Luck!

nhusain 10-10-2012 05:06 PM

Hello, I am having a similar problem. I have a host server with all users' folders in one directory. When I mount the folder from a client server, I am getting all folders owned by "nobody". If I mention in the idmapd.conf file about NFSv4_gid_attr, I get the group that all the folders belong to. But I am getting all nobody for "owner". How do I set up for all the users (about 15 of them)? I need HELP. Thanks in advance. Naz Husain

