
Recently I have been working on setting up an NFS server and NFS clients using NFS version 4.
I've come across a number of caveats and tweaks required to get NFS v4 working properly.

With NFS v3 you simply set up your server, create an export and mount it on the client. You also need the same UIDs on both client and server to be able to read and write files.

NFS v4 adds extra security, which is good. I highly recommend setting this up properly rather than disabling NFS v4 security or, worse, forcing clients to mount NFS using the version 3 protocol.

NFS version 4 uses the idmap daemon (idmapd). Without digging too deep into the technical side (which I don't completely understand), it is in charge of checking the NFS domain and checking UID security. By default idmapd uses the DNS domain of your client and server for this, so your DNS domain needs to be identical on all clients and servers. Otherwise your file ownership gets forced to nobody.nobody.

However, in my environment the server and client DNS domains weren't the same.

You can set the domain manually in /etc/idmapd.conf with the line
Domain = local.domain.edu

Make sure this is the same on your server and client machines. Don't forget to restart rpcidmapd after changing this.

In my environment I use LDAP to synchronize user accounts, so I use PAM LDAP authentication and NSS. As a result idmapd looks up the user accounts in LDAP via nsswitch to check permissions.
Basically, as long as the getent passwd command returns your LDAP accounts, idmapd will pick them up.

I found that I also needed to restart nfslock after making the change to idmapd.

To summarize:
1.) Make sure the DNS domain on clients and server match (you can force this in /etc/idmapd.conf).
2.) Make sure your account UIDs match on both the NFS server and client.
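Here is a small pre-flight script I would run on the server and on each client before mounting, to catch both of the points above (domain mismatch and UID mismatch) without waiting for files to show up as nobody.nobody. It is an added example, not something from the original setup: it reads the Domain key from the [General] section of an idmapd.conf-style file (the default path /etc/idmapd.conf and the user name are just arguments), falls back to the host's DNS domain the way idmapd does, and resolves the account through getent so LDAP accounts served via nsswitch are checked exactly as idmapd would see them.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-flight check for the
# two NFSv4 requirements listed above (matching idmapd Domain, matching UIDs).
# Run it with the same arguments on the server and on each client, then diff
# the output. File paths and the user name come from the caller;
# /etc/idmapd.conf is only the default.

# Print the NFSv4 domain idmapd will use: the Domain key in the [General]
# section of an idmapd.conf-style file or, when that key is absent, the DNS
# domain of this host (idmapd's own fallback).
idmapd_domain() {
    conf="${1:-/etc/idmapd.conf}"
    dom=$(awk '
        /^[[:space:]]*[#;]/ { next }                       # comment lines
        /^[[:space:]]*\[/ {                                # section header
            in_general = ($0 ~ /^[[:space:]]*\[General\]/); next
        }
        in_general && /^[[:space:]]*Domain[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")                 # drop "Domain ="
            sub(/[[:space:]]+$/, "")                       # trailing blanks
            print; exit
        }' "$conf" 2>/dev/null) || dom=""
    if [ -n "$dom" ]; then
        printf '%s\n' "$dom"
    else
        hostname -d 2>/dev/null || dnsdomainname 2>/dev/null || true
    fi
}

# Succeed only when two config files yield the same non-empty domain
# (e.g. the local file versus a copy fetched from the other machine).
domains_match() {
    a=$(idmapd_domain "$1")
    b=$(idmapd_domain "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Numeric uid/gid via getent, i.e. through NSS, so LDAP-backed accounts are
# resolved the same way idmapd resolves them. Empty output means NSS does
# not know the account on this host.
uid_of() { getent passwd "$1" | cut -d: -f3; }
gid_of() { getent passwd "$1" | cut -d: -f4; }

# One line per fact, in a stable order, so the output of two hosts can be
# diffed directly. Returns 1 if the account is unknown to NSS.
nfs4_report() {
    user="$1"; conf="${2:-/etc/idmapd.conf}"
    uid=$(uid_of "$user"); gid=$(gid_of "$user")
    printf 'idmapd_domain=%s\n' "$(idmapd_domain "$conf")"
    printf 'user=%s uid=%s gid=%s\n' "$user" "${uid:-MISSING}" "${gid:-MISSING}"
    [ -n "$uid" ]
}

# Usage (the report only runs when arguments are given):
#   sh nfs4_precheck.sh alice /etc/idmapd.conf > "$(hostname).txt"
#   diff server.txt client.txt   # any differing line means nobody.nobody later
if [ $# -gt 0 ]; then
    nfs4_report "$@"
fi
```

Run the script on every machine with the same user name, and diff the report files. A differing idmapd_domain line is the /etc/idmapd.conf fix from above; a differing uid line (or MISSING) is an account that LDAP/NSS is not serving identically on both sides. The script only reads config and NSS, so it is safe to run before and after restarting rpcidmapd and nfslock.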
