
I have a folder which is owned by ftp:users. I wanted to export this folder and have all requests mapped to the ftp user, which has id 107. In /etc/exports I have the following:

```
/media/other    10.1.1.10(rw,sync,all_squash,no_subtree_check,anonuid=107)
```

This works as expected. On the client side I want to map these anonymous requests to a different user, so in /etc/idmapd.conf I have this:

```
Nobody-User = nfsanon
Nobody-Group = nfsanon
```

But when mounting over NFSv4, everything is owned by nobody:users. It correctly mapped the group (which also exists on the client) but the ftp user, which does not exist on the client, was mapped to nobody instead of the Nobody-User in idmapd.conf.

To try to understand why this is happening, I turned up the verbosity and dove into the client logs. One mount attempt produces the following:

```
nfsidmap[8610]: key: 0x28bf0a94 type: uid value: root@dom.ain timeout 600
nfsidmap[8610]: nfs4_name_to_uid: calling nsswitch->name_to_uid
nfsidmap[8610]: nss_getpwnam: name 'root@dom.ain' domain 'dom.ain': resulting localname 'root'
nfsidmap[8610]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
nfsidmap[8610]: nfs4_name_to_uid: final return value is 0
nfsidmap[8612]: key: 0xfe99b5c type: gid value: root@dom.ain timeout 600
nfsidmap[8612]: nfs4_name_to_gid: calling nsswitch->name_to_gid
nfsidmap[8612]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
nfsidmap[8612]: nfs4_name_to_gid: final return value is 0
nfsidmap[8615]: key: 0x18a11cb type: uid value: ftp@dom.ain timeout 600
nfsidmap[8615]: nfs4_name_to_uid: calling nsswitch->name_to_uid
nfsidmap[8615]: nss_getpwnam: name 'ftp@dom.ain' domain 'dom.ain': resulting localname 'ftp'
nfsidmap[8615]: nss_getpwnam: name 'ftp' not found in domain 'dom.ain'
nfsidmap[8615]: nfs4_name_to_uid: nsswitch->name_to_uid returned -2
nfsidmap[8615]: nfs4_name_to_uid: final return value is -2
nfsidmap[8615]: nfs4_name_to_uid: calling nsswitch->name_to_uid
nfsidmap[8615]: nss_getpwnam: name 'nobody@dom.ain' domain 'dom.ain': resulting localname 'nobody'
nfsidmap[8615]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
nfsidmap[8615]: nfs4_name_to_uid: final return value is 0
nfsidmap[8617]: key: 0x3ab07a1f type: gid value: users@dom.ain timeout 600
nfsidmap[8617]: nfs4_name_to_gid: calling nsswitch->name_to_gid
nfsidmap[8617]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
nfsidmap[8617]: nfs4_name_to_gid: final return value is 0
```

So it appears the client idmapd tries to map the ftp user, which fails.

```
nss_getpwnam: name 'ftp@dom.ain' domain 'dom.ain': resulting localname 'ftp'
nss_getpwnam: name 'ftp' not found in domain 'dom.ain'
nfs4_name_to_uid: nsswitch->name_to_uid returned -2
```

Then it actually tries to map nobody instead of using the Nobody-User. Since the nobody user exists on the client, that succeeds.

```
nss_getpwnam: name 'nobody@dom.ain' domain 'dom.ain': resulting localname 'nobody'
nfs4_name_to_uid: nsswitch->name_to_uid returned 0
```

I just can't figure out why it's trying to map nobody. Could this be a bug triggered by using anonuid in the export?

For the sake of completeness, here are the server logs

```
rpc.idmapd[4726]: nfsdcb: authbuf=10.1.1.0/24,10.1.1.0/25,10.1.1.10 authtype=user
rpc.idmapd[4726]: nfs4_uid_to_name: calling nsswitch->uid_to_name
rpc.idmapd[4726]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
rpc.idmapd[4726]: nfs4_uid_to_name: final return value is 0
rpc.idmapd[4726]: Server : (user) id "0" -> name "root@dom.ain"
rpc.idmapd[4726]: nfsdcb: authbuf=10.1.1.0/24,10.1.1.0/25,10.1.1.10 authtype=group
rpc.idmapd[4726]: nfs4_gid_to_name: calling nsswitch->gid_to_name
rpc.idmapd[4726]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
rpc.idmapd[4726]: nfs4_gid_to_name: final return value is 0
rpc.idmapd[4726]: Server : (group) id "0" -> name "root@dom.ain"
rpc.idmapd[4726]: nfsdcb: authbuf=10.1.1.0/24,10.1.1.0/25,10.1.1.10 authtype=user
rpc.idmapd[4726]: nfs4_uid_to_name: calling nsswitch->uid_to_name
rpc.idmapd[4726]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
rpc.idmapd[4726]: nfs4_uid_to_name: final return value is 0
rpc.idmapd[4726]: Server : (user) id "107" -> name "ftp@dom.ain"
rpc.idmapd[4726]: nfsdcb: authbuf=10.1.1.0/24,10.1.1.0/25,10.1.1.10 authtype=group
rpc.idmapd[4726]: nfs4_gid_to_name: calling nsswitch->gid_to_name
rpc.idmapd[4726]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
rpc.idmapd[4726]: nfs4_gid_to_name: final return value is 0
rpc.idmapd[4726]: Server : (group) id "100" -> name "users@dom.ain"
```

PS: Before anyone suggests it, I do not wish to switch back to NFSv3 to "solve" my problem.

Rapsey
  • The problem is that your nfs server can't map uid 107 to a valid name and already sends 'nobody'. – kofemann Jun 27 '14 at 05:52
  • So the `name 'ftp' not found` log message I get on the **client** comes from the idmapd running on the **server**? Doesn't the message itself prove that the server managed to map uid 107 to user 'ftp' just fine? I thought it was a problem with the idmapd running on the client. It's very hard to debug though, as the only way I have found to clear the idmap cache is rebooting the client OS entirely. – Rapsey Jun 27 '14 at 17:42
  • Do you have user ftp on the client host? – kofemann Jul 07 '14 at 10:00
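
Added example (not part of the original question or its comments, and not code from nfs-utils): a small Python parser for client-side `nfsidmap` debug output in the format quoted in the question. It flags every upcall where the requested name failed to resolve and a later lookup under a different local name succeeded, which is the ownership substitution the question describes. The sample log is constructed from the question's lines; the function and field names are hypothetical.

```python
import re

# Constructed sample, trimmed from the client log quoted in the question.
SAMPLE_LOG = """\
nfsidmap[8610]: key: 0x28bf0a94 type: uid value: root@dom.ain timeout 600
nfsidmap[8610]: nss_getpwnam: name 'root@dom.ain' domain 'dom.ain': resulting localname 'root'
nfsidmap[8610]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
nfsidmap[8615]: key: 0x18a11cb type: uid value: ftp@dom.ain timeout 600
nfsidmap[8615]: nss_getpwnam: name 'ftp@dom.ain' domain 'dom.ain': resulting localname 'ftp'
nfsidmap[8615]: nfs4_name_to_uid: nsswitch->name_to_uid returned -2
nfsidmap[8615]: nss_getpwnam: name 'nobody@dom.ain' domain 'dom.ain': resulting localname 'nobody'
nfsidmap[8615]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
"""

LINE = re.compile(r"nfsidmap\[(\d+)\]: (.*)")  # search(), so a syslog prefix is tolerated
KEY = re.compile(r"key: \S+ type: (uid|gid) value: (\S+)")
LOCAL = re.compile(r"nss_getpwnam: name '[^']*' domain '[^']*': resulting localname '([^']*)'")
RET = re.compile(r"nsswitch->name_to_[ug]id returned (-?\d+)")

def find_fallbacks(log_text):
    """Return one record per upcall whose first lookup failed and whose last one succeeded."""
    calls, current = [], {}  # current: pid -> the upcall that pid is serving
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        key, loc, ret = KEY.search(msg), LOCAL.search(msg), RET.search(msg)
        if key:  # a "key:" line opens a new upcall, even if the pid was seen before
            current[pid] = {"pid": int(pid), "type": key[1], "requested": key[2],
                            "local": None, "attempts": []}
            calls.append(current[pid])
        elif pid in current and loc:
            current[pid]["local"] = loc[1]
        elif pid in current and ret:
            call = current[pid]
            call["attempts"].append((call["local"], int(ret[1])))
            call["local"] = None  # gid lookups log no localname line
    hits = []
    for c in calls:
        a = c["attempts"]
        if len(a) >= 2 and a[0][1] != 0 and a[-1][1] == 0:
            hits.append({"pid": c["pid"], "type": c["type"], "requested": c["requested"],
                         "error": a[0][1], "mapped_to": a[-1][0]})
    return hits

if __name__ == "__main__":
    for hit in find_fallbacks(SAMPLE_LOG):
        print(hit)
```
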

0 Answers