Advice on NFSv4 share/mount

toledotown · 01-25-2018, 12:37 PM

Hello All.

Big newbie to the linux server world here but I am learning.

I have a setup which has me running in circles. A new server (NFS client) needs to connect to an existing server (NFS server).

/etc/exports looks like this:

/path/output servername.ourdomain.com(rw,fsid=0,async,anonuid=2068,anongid=1000)

And the directory permissions on the NFS server shared directory looks like:

drwxrws--- 3 oracle users 25 Jan 20 05:00 output

So I am slightly confused as I know the SETUID bit on the directory allows the group to run programs as the user, and the exports line above defaults anonymous users to the uid and gid of oracle and users and gid 1000 (dba group).

Does this mean UID and GID must match on new server? Does the user on the new server have to be the one who mounts?

I am receiving "access denied" when trying to mount.

Thanks for the help in advance.

edit: I should also add that the user accessing this mount exists on both systems but likely doesn't have the same password. Is this necessary?

ferrari · 01-26-2018, 04:02 PM

See if this NFS guide is of help. Can you show us explicitly how you are trying to mount the remote share?

What does the following report from the client?

Code:

rpcinfo -p <server_hostname>

ferrari · 01-26-2018, 04:38 PM

The export entry caught my attention

Code:

/path/output servername.ourdomain.com(rw,fsid=0,async,anonuid=2068,anongid=1000)

Are you the administrator for the NFS server? Is 'servername.ourdomain.com' representative of the NFS client that needs access to the share?

toledotown · 01-30-2018, 10:05 AM

Quote:

Originally Posted by ferrari

The export entry caught my attention

Code:

/path/output servername.ourdomain.com(rw,fsid=0,async,anonuid=2068,anongid=1000)

Are you the administrator for the NFS server? Is 'servername.ourdomain.com' representative of the NFS client that needs access to the share?

Yes I am the admin. and that is the server that needs access to the share. The funny thing is I thought this was a NAT issue as my net admin removed NAT rules to this server and the mount works. However, I still get access denied on boot from the fstab entry but can mount using mount -a....

The other issue is that when viewing the mount on the NFS client, it shows all of the permissions as they exist on the NFS server but I would like it to show all of the permissions as a specific user (which is how the old NFS client shows the permissions).

ferrari · 01-30-2018, 09:37 PM

Where's the output from the rpcinfo command as requested?

ferrari · 01-30-2018, 09:47 PM

Quote:

The other issue is that when viewing the mount on the NFS client, it shows all of the permissions as they exist on the NFS server but I would like it to show all of the permissions as a specific user (which is how the old NFS client shows the permissions).

This might help answer that question...
https://whyistheinternetbroken.wordp...s-nfsv3mounts/

toledotown · 02-01-2018, 01:37 PM

Quote:

Originally Posted by ferrari

Where's the output from the rpcinfo command as requested?

Sorry, did not see the notifications for your replies. Thanks so much for your responses. Here is rpcinfo:

Code:

servername:~ # rpcinfo
   program version netid     address                service    owner
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /run/rpcbind.sock      portmapper superuser
    100000    3    local     /run/rpcbind.sock      portmapper superuser
    100005    1    udp       0.0.0.0.78.80          mountd     superuser
    100005    1    tcp       0.0.0.0.78.80          mountd     superuser
    100005    1    udp6      ::.78.80               mountd     superuser
    100005    1    tcp6      ::.78.80               mountd     superuser
    100005    2    udp       0.0.0.0.78.80          mountd     superuser
    100005    2    tcp       0.0.0.0.78.80          mountd     superuser
    100005    2    udp6      ::.78.80               mountd     superuser
    100005    2    tcp6      ::.78.80               mountd     superuser
    100005    3    udp       0.0.0.0.78.80          mountd     superuser
    100005    3    tcp       0.0.0.0.78.80          mountd     superuser
    100005    3    udp6      ::.78.80               mountd     superuser
    100005    3    tcp6      ::.78.80               mountd     superuser
    100024    1    udp       0.0.0.0.224.22         status     492
    100024    1    tcp       0.0.0.0.171.43         status     492
    100024    1    udp6      ::.146.103             status     492
    100024    1    tcp6      ::.244.240             status     492
    100003    3    tcp       0.0.0.0.8.1            nfs        superuser
    100003    4    tcp       0.0.0.0.8.1            nfs        superuser
    100227    3    tcp       0.0.0.0.8.1            nfs_acl    superuser
    100003    3    udp       0.0.0.0.8.1            nfs        superuser
    100003    4    udp       0.0.0.0.8.1            nfs        superuser
    100227    3    udp       0.0.0.0.8.1            nfs_acl    superuser
    100003    3    tcp6      ::.8.1                 nfs        superuser
    100003    4    tcp6      ::.8.1                 nfs        superuser
    100227    3    tcp6      ::.8.1                 nfs_acl    superuser
    100003    3    udp6      ::.8.1                 nfs        superuser
    100003    4    udp6      ::.8.1                 nfs        superuser
    100227    3    udp6      ::.8.1                 nfs_acl    superuser
    100021    1    udp       0.0.0.0.65.145         nlockmgr   superuser
    100021    3    udp       0.0.0.0.65.145         nlockmgr   superuser
    100021    4    udp       0.0.0.0.65.145         nlockmgr   superuser
    100021    1    tcp       0.0.0.0.97.82          nlockmgr   superuser
    100021    3    tcp       0.0.0.0.97.82          nlockmgr   superuser
    100021    4    tcp       0.0.0.0.97.82          nlockmgr   superuser
    100021    1    udp6      ::.66.216              nlockmgr   superuser
    100021    3    udp6      ::.66.216              nlockmgr   superuser
    100021    4    udp6      ::.66.216              nlockmgr   superuser
    100021    1    tcp6      ::.40.125              nlockmgr   superuser
    100021    3    tcp6      ::.40.125              nlockmgr   superuser
    100021    4    tcp6      ::.40.125              nlockmgr   superuser

ferrari · 02-01-2018, 02:19 PM

That output looks as expected. Can you post your fstab entry from the client?

toledotown · 02-01-2018, 02:24 PM

Quote:

Originally Posted by ferrari

That output looks as expected. Can you post your fstab entry from the client?

Here we are. I've tried adding _netdev and timeo to mitigate the boot mount issue though the permissions are a bigger concern ATM.

Code:

#
# /etc/fstab
# Created by anaconda on Mon Oct 30 12:52:40 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=9ef84225-4899-4098-a330-9f7137de58f8 /                       xfs     defaults        0 0
UUID=5898a7cd-b94c-4198-8136-06551dc63131 swap                    swap    defaults        0 0

/dev/sdb1       /home/oracle    xfs     defaults        0 0
/dev/sdc1       /opt            xfs     defaults        0 0
/dev/sdd1       /oraban         xfs     defaults        0 0
oradbs-bdev.ourdomain.com:/ /oraban/BDEV/output nfs4 defaults 0 0
oradbs-bdevlt.ourdomain.com:/ /oraban/BDEVLT/output nfs4 defaults 0 0

toledotown · 02-01-2018, 02:53 PM

I think rpc.idmapd might be the culprit. Here are logs from both the old (working) NFS client (bottom) and new NFS client (broked):

Code:

[root@jobsub-test ~]# cat /var/log/messages | grep rpc.idmap
[root@jobsub-test ~]# cat /var/log/messages | grep nss
Jan 30 10:52:04 jobsub-test avahi-daemon[629]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Jan 30 13:04:41 jobsub-test avahi-daemon[634]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Jan 30 13:06:20 jobsub-test dracut: *** Including module: nss-softokn ***
Jan 30 13:28:37 jobsub-test avahi-daemon[609]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Jan 30 13:28:44 jobsub-test dracut: *** Including module: nss-softokn ***
Jan 30 15:46:25 jobsub-test avahi-daemon[609]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Jan 30 15:48:04 jobsub-test dracut: *** Including module: nss-softokn ***
Jan 30 15:54:07 jobsub-test avahi-daemon[606]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Jan 30 16:30:06 jobsub-test avahi-daemon[598]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Jan 30 16:31:43 jobsub-test dracut: *** Including module: nss-softokn ***
Jan 30 16:40:28 jobsub-test avahi-daemon[596]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Jan 30 16:42:05 jobsub-test dracut: *** Including module: nss-softokn ***
[root@jobsub-test ~]#













──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Feb  1 14:42:31 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1000' does not map into domain 'ourdomain.com'
Feb  1 14:42:31 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '2068' does not map into domain 'ourdomain.com'
Feb  1 14:42:31 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1083' does not map into domain 'ourdomain.com'
Feb  1 14:42:31 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1002' does not map into domain 'ourdomain.com'
Feb  1 14:42:31 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '2046' does not map into domain 'ourdomain.com'
Feb  1 14:59:19 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1000' does not map into domain 'ourdomain.com'
Feb  1 14:59:19 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '2068' does not map into domain 'ourdomain.com'
Feb  1 14:59:19 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1083' does not map into domain 'ourdomain.com'
Feb  1 14:59:19 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1002' does not map into domain 'ourdomain.com'
Feb  1 14:59:19 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '2046' does not map into domain 'ourdomain.com'
Feb  1 15:09:44 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1000' does not map into domain 'ourdomain.com'
Feb  1 15:09:44 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '2068' does not map into domain 'ourdomain.com'
Feb  1 15:09:44 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1083' does not map into domain 'ourdomain.com'
Feb  1 15:09:44 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1002' does not map into domain 'ourdomain.com'
Feb  1 15:09:44 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '2046' does not map into domain 'ourdomain.com'
Feb  1 15:34:47 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1000' does not map into domain 'ourdomain.com'
Feb  1 15:34:48 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '2068' does not map into domain 'ourdomain.com'
Feb  1 15:34:48 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1083' does not map into domain 'ourdomain.com'
Feb  1 15:34:48 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1002' does not map into domain 'ourdomain.com'
Feb  1 15:34:48 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '2046' does not map into domain 'ourdomain.com'
Feb  1 15:44:36 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1000' does not map into domain 'ourdomain.com'
Feb  1 15:45:22 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1000' does not map into domain 'ourdomain.com'
Feb  1 15:47:44 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1000' does not map into domain 'ourdomain.com'
Feb  1 15:47:44 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '2068' does not map into domain 'ourdomain.com'
Feb  1 15:47:44 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1083' does not map into domain 'ourdomain.com'
Feb  1 15:47:44 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '1002' does not map into domain 'ourdomain.com'
Feb  1 15:47:44 jobsub-old rpc.idmapd[3672]: nss_getpwnam: name '2046' does not map into domain 'ourdomain.com'
[root@jobsub-old BDEVLT]#

ferrari · 02-01-2018, 04:12 PM

Returning to your earlier statement....

Quote:

However, I still get access denied on boot from the fstab entry but can mount using mount -a....

I wonder if name resolution isn't working when your client system boots and fstab mounting is attempted.

Does running

Code:

mount -a

succeed with the remote share once the system is up? As an experiment, you could try substituting 'oradbs-bdev.ourdomain.com' with the actual IP address and see if that works. If that works at boot, then perhaps adding a manual hostname/IP mapping entry in /etc/hosts will be another option.

toledotown · 02-01-2018, 04:38 PM

Quote:

Originally Posted by ferrari

Returning to your earlier statement....

I wonder if name resolution isn't working when your client system boots and fstab mounting is attempted.

Does running

Code:

mount -a

succeed with the remote share once the system is up? As an experiment, you could try substituting 'oradbs-bdev.ourdomain.com' with the actual IP address and see if that works. If that works at boot, then perhaps adding a manual hostname/IP mapping entry in /etc/hosts will be another option.

Good idea.

Code:

mount -a

works post-boot.

I just changed to test but using IP did not resolve.

ferrari · 02-01-2018, 05:03 PM

Do you actually need the remote file system to be mounted at boot? It might be better to consider using autofs to handle the mounting 'on demand' perhaps.

https://wiki.archlinux.org/index.php...b_with_systemd
https://access.redhat.com/documentat...-config-autofs

toledotown · 02-02-2018, 08:15 AM

Quote:

Originally Posted by ferrari

Do you actually need the remote file system to be mounted at boot? It might be better to consider using autofs to handle the mounting 'on demand' perhaps.

https://wiki.archlinux.org/index.php...b_with_systemd
https://access.redhat.com/documentat...-config-autofs

Thanks, I am looking into those options now. Happy Friday!