Old 09-28-2019, 12:48 PM   #1
deanguenther
LQ Newbie
 
Registered: Apr 2019
Posts: 7

CentOs v7 NFS4 client and id mapping with CentOs v6 NFS4 server


I have a CentOs v6 NFS4 server (host=server6) and CentOs v6 NFS4 client (host=client6) which have been working well together for years. For various reasons, I want to stay with NFS4.

The server6 and client6 have the same idmapd.conf

[General]
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = mydomain.com
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
[Translation]
Method = nsswitch

On the server6 host these nfs services are running

rpc.statd
rpc.idmapd
rpc.rquotad

When I list a directory from host client6 it properly shows the ID as mapped. For example:

[root@client6 ~]# ls -ld /var/www/html/ceramext/
drwxr-xr-x. 17 ceramext root 4096 Mar 24 2017 /var/www/html/ceramext/

Where “ceramext” is the owner of that directory.

Now I’ve added a new CentOs v7 client into the mix (host=client7). Same idea for idmapd.conf:

[General]
Domain = mydomain.com
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
[Translation]
Method = nsswitch

All of the mount points from server6 mount fine on the new client7 host, but the ID is not mapped properly. It shows as nfsnobody instead of user ceramext:

[root@client7 ~]# ls -ld /var/www/html/ceramext/
drwxr-xr-x 17 nfsnobody root 4096 Mar 24 2017 /var/www/html/ceramext/

I’ve verified that all three hosts have the same UID:GID of “507:100” for user ceramext in their respective /etc/passwd file:

# grep ceramext /etc/passwd
ceramext:x:507:100::/web/ceramext:/bin/bash

And the /etc/shadow is synched up as well.

I did find a thread where somebody suggested changing the Domain in the idmapd.conf to “localdomain” which I tried on all three hosts, but it didn’t make any difference.

Both client6 and client7 have the same mount point to server7 in /etc/fstab:

# grep html /etc/fstab
server7:/html /var/www/html nfs4 rw,hard,intr,proto=tcp,port=2049,auto,exec 0 0

Note that systems have all been restarted and no change on the new CentOs client7 host.

I don’t think it should matter, but client6 and server6 are physical and client7 is virtual (proxmox v6 privileged container).

I’m at a loss as to why the NFS4 ID is not mapping correctly on the new CentOs 7 client. What do I check next?

thanks— Dean
 
Old 09-28-2019, 06:17 PM   #2
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,843

I can't offer direct advice here, but just in case the first (and only) answer in this thread is of value....

https://serverfault.com/questions/25...wner-and-group
 
Old 09-30-2019, 12:53 AM   #3
deanguenther
LQ Newbie
 
Registered: Apr 2019
Posts: 7

Original Poster
I checked the link from ferrari and sure enough, the UID comes across on the CentOs 7 host=client7 as 65534 (nfsnobody). I'll dig deeper. One question on this: from what I've read I don't really need rpc.idmapd running on an NFS4 client, is that correct?
I've tried enabling/starting and stopping/disabling idmapd, but it didn't make any difference, so I'm assuming idmapd doesn't need to be running on an NFS4 client.
thanks ferrari -- Dean
 
Old 10-01-2019, 01:34 PM   #4
deanguenther
LQ Newbie
 
Registered: Apr 2019
Posts: 7

Original Poster
Elsewhere I see discussion of the use of nfsidmap in CentOs 7. So, following that person's discussion, I checked the status of id_resolver and it is running on the new CentOs 7 client.

[root@client7 ~]# dmesg | grep id_resolver
[ 10.231881] NFS: Registering the id_resolver key type
[ 10.231889] Key type id_resolver registered

Next I went ahead and cleared the cached values on the client7 with

nfsidmap -v -c
nfsidmap: '.id_resolver' cleared

Then I listed the directory as before with -n, and it still incorrectly showed 65534 (nfsnobody).

[root@client7 ~]# ls -ldn /var/www/html/ceramext
drwxr-xr-x 17 65534 0 4096 Mar 24 2017 /var/www/html/ceramext

And then I checked the id_resolv value in the keys

[root@client7 ~]# grep id_resolv /proc/keys
0968348b I--Q--- 1 38s 3b010000 0 0 id_resolv gid:root@mydomain.com: 2
12715fc0 I--Q--- 1 38s 3b010000 0 0 id_resolv gid:nfsnobody@mydomain.com: 11
133c2cfd I------ 1 perm 1f030000 0 0 keyring .id_resolver: 5
1e11fb3a I--Q--- 1 38s 3b010000 0 0 id_resolv uid:ceramext@mydomain.com: 6
36e1be51 I--Q--- 1 38s 3b010000 0 0 id_resolv uid:nfsnobody@mydomain.com: 6

If I'm reading this correctly, then ceramext IS actually being resolved, but still being resolved to 65534 instead of the proper UID=507

I repeated the above on the CentOs 6 client. And this client does properly show the UID=507 for user ceramext.

[root@client6 ~]# dmesg | grep id_resolver
NFS: Registering the id_resolver key type

[root@client6 ~]# nfsidmap -v -c
nfsidmap: clearing '3d53a936 I--Q--- 1 perm 3f3f0000 0 0 keyring .id_resolver_child_1: 14/16'
nfsidmap: clearing '14289998 I------ 1 perm 1f030000 0 0 keyring .id_resolver: 1/4'

[root@client6 ~]# ls -ldn /var/www/html/ceramext
drwxr-xr-x. 17 507 0 4096 Mar 24 2017 /var/www/html/ceramext

[root@client6 ~]# grep id_resolv /proc/keys
0034e78c I--Q--- 1 9m 3f050000 0 0 id_resolv uid:nfsnobody@mydomain.com: 6
0c235a26 I--Q--- 1 9m 3f050000 0 0 id_resolv gid:nfsnobody@mydomain.com: 6
0c2da3eb I--Q--- 1 perm 3f3f0000 0 0 keyring .id_resolver_child_1: 8/8
0f1c128f I--Q--- 1 9m 3f050000 0 0 id_resolv uid:ceramext@mydomain.com: 4
14289998 I------ 1 perm 1f030000 0 0 keyring .id_resolver: 1/4
26a3162d I--Q--- 1 9m 3f050000 0 0 id_resolv gid:root@mydomain.com: 2

So, it seems like my client7 is attempting to map the ID, but it's still not making the connection that it should be UID=507 instead of 65534.

Any ideas where to look next?
 
Old 10-03-2019, 09:26 PM   #5
deanguenther
LQ Newbie
 
Registered: Apr 2019
Posts: 7

Original Poster
I see what the problem is. I'm using proxmox 6 as my virtual infrastructure host (PVE). I must have all of the users mapped into the /etc/passwd of the PVE host in order for the ID mapping to be passed properly to the container (client7). This wasn't necessary with proxmox version 3 (my current version) but is necessary apparently with the newer proxmox 6 PVE.
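
The resolution in post #5 depends on the Proxmox host's passwd file carrying the same accounts as the container. A check for that drift, as an added example that is not part of the original thread: the `passwd_drift` name, the temporary file names, the `webuser2` entries and the default minimum UID of 500 are assumptions made for illustration; only the `ceramext` line is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Lists accounts in a container's passwd
# file that the virtualization host's passwd file lacks or numbers differently.

# passwd_drift CONTAINER_PASSWD HOST_PASSWD [MIN_UID]
# MIN_UID defaults to 500 (assumption: low enough to cover the thread's UID 507).
passwd_drift() {
    awk -F: -v min="${3:-500}" '
        FILENAME == ARGV[1] { host[$1] = $3 ":" $4; next }   # first file: host
        $3 < min || $3 == 65534 { next }           # skip system and nobody IDs
        !($1 in host) { print "MISSING " $1 " " $3 ":" $4; next }
        host[$1] != $3 ":" $4 {
            print "MISMATCH " $1 " " $3 ":" $4 " host=" host[$1]
        }
    ' "$2" "$1"
}

# Constructed sample data; only the ceramext line comes from the thread.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/container.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ceramext:x:507:100::/web/ceramext:/bin/bash
webuser2:x:508:100::/web/webuser2:/bin/bash
EOF

cat > "$SAMPLE_DIR/host.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
webuser2:x:1001:100::/home/webuser2:/bin/bash
EOF

# Report every container account the host cannot resolve to the same UID:GID.
passwd_drift "$SAMPLE_DIR/container.passwd" "$SAMPLE_DIR/host.passwd"
```

A MISMATCH line matters as much as a MISSING one: a name that exists on both sides with different numeric IDs means files on the share end up owned by a different numeric UID than the container expects.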
 
Old 10-03-2019, 09:58 PM   #6
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,843

Thanks for the update. I'm sorry I wasn't able to assist further. This may well help others who come searching in the future.
 
  

