NFSv4 mount incorrectly shows all files with ownership as nobody:nobody
 
 SOLUTION VERIFIED - Updated February 18 2016 at 5:48 PM
Environment
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • NFSv4 share being exported from an NFSv4 capable NFS server
Issue
  • From the client, the mounted NFSv4 share has ownership for all files and directories listed as nobody:nobody instead of the actual user that owns them on the NFSv4 server, or who created the new file and directory.
  • Files on NFSv4 shares appear as owned by nobody:nobody on the NFS client, and the following error is logged in /var/log/messages:
nss_getpwnam: name 'root@example.com' does not map into domain 'localdomain' 
Resolution
  • Set the proper domain (FQDN) in /etc/idmapd.conf on both the client and the server. In this example, the proper domain is "example.com", so the "Domain =" directive within /etc/idmapd.conf should be modified to read:
Domain = example.com
  • Note:
  • If using a NetApp Filer, the NFS.V4.ID.DOMAIN parameter must be set to match the "Domain =" parameter on the client.
  • If using a Solaris machine as the NFS server, the NFSMAPID_DOMAIN value in /etc/default/nfs must match the RHEL client's "Domain =" value.
  • To put the changes into effect, restart the rpcidmapd service and remount the NFSv4 filesystem:
# service rpcidmapd restart
# mount -o remount /nfs/mnt/point
Note: It is only necessary to restart the rpc.idmapd service on systems where rpc.idmapd is actually performing the id mapping. On RHEL 6.3 and newer NFS CLIENTS, the maps are stored in the kernel keyring and the id mapping itself is performed by the /sbin/nfsidmap program. On older NFS CLIENTS (RHEL 6.2 and older) as well as on all NFS SERVERS running RHEL, the id mapping is performed by rpc.idmapd.
  • Ensure the client and server have matching UIDs and GIDs. It is a common misconception that the UIDs and GIDs can differ when using NFSv4. The sole purpose of id mapping is to map an id to a name and vice versa. ID mapping is not intended as a replacement for managing ids.
  • On Red Hat Enterprise Linux 6, if the above settings have been applied, the UIDs/GIDs match on server and client, and users are still being mapped to nobody:nobody, then the idmapd cache may need to be cleared:
 # nfsidmap -c 
Note: The above command is only necessary on systems that use the keyring-based id mapper, i.e. NFS CLIENTS running RHEL 6.3 and higher. On RHEL 6.2 and older NFS CLIENTS as well as all NFS SERVERS running RHEL, the cache should be cleared out when rpc.idmapd is restarted.
  • As a further check, verify that the passwd:, shadow: and group: entries are set correctly in the /etc/nsswitch.conf file on both server and client.
Disabling idmapping
  • By default, RHEL 6.3 and newer NFS clients and servers disable idmapping when utilizing the AUTH_SYS/UNIX authentication flavor by enabling the following booleans:
NFS client 
 # echo 'Y' > /sys/module/nfs/parameters/nfs4_disable_idmapping 
 
NFS server
 # echo 'Y' > /sys/module/nfsd/parameters/nfs4_disable_idmapping 
  • If using a NetApp filer, the command "options nfs.v4.id.allow_numerics on" can be used to disable idmapping. More information can be found here.
  • With this boolean enabled, NFS clients will instead send numeric UID/GID numbers in outgoing attribute calls and NFS servers will send numeric UID/GID numbers in outgoing attribute replies.
  • If an NFS client sending numeric UID/GID values in a SETATTR call receives an NFS4ERR_BADOWNER reply from the NFS server, the client will re-enable idmapping and send user@domain strings for that specific mount from that point forward.
Note: This option can only be used with AUTH_SYS/UNIX authentication flavors. To use something like Kerberos, idmapping must be used.
Root Cause
  • NFSv4 utilizes ID mapping to ensure permissions are set properly on exported shares. If the domains of the client and server do not match, the permissions are mapped to nobody:nobody.
Diagnostic Steps
  • Debugging/verbosity can be enabled by editing /etc/sysconfig/nfs:
RPCIDMAPDARGS="-vvv"
  • The following output is shown in /var/log/messages when the mount has been completed and the system shows nobody:nobody as user and group permissions on directories and files:
Jun  3 20:22:08 node1 rpc.idmapd[1874]: nss_getpwnam: name 'root@example.com' does not map into domain 'localdomain' 
Jun  3 20:25:44 node1 rpc.idmapd[1874]: nss_getpwnam: name 'root@example.com' does not map into domain 'localdomain'
  • Collect a tcpdump of the mount attempt:
# tcpdump -s0 -i {INTERFACE} host {NFS.SERVER.IP} -w /tmp/{casenumber}-$(hostname)-$(date +"%Y-%m-%d-%H-%M-%S").pcap & 
  • If a TCP packet capture has been obtained, check it for a reply whose nfs.nfsstat4 status is non-zero and equal to 10039 (NFS4ERR_BADOWNER).
  • From the NFSv4 RFC:
  NFS4ERR_BADOWNER        = 10039,/* owner translation bad   */
 
  NFS4ERR_BADOWNER      An owner, owner_group, or ACL attribute value
                        can not be translated to local representation.
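
Added example, not part of the original Red Hat solution: a shell check that ties the Resolution and Diagnostic Steps together by comparing the "Domain =" setting in an idmapd.conf-style file with the domains rpc.idmapd reports in the log. The function names (idmapd_domain, idmap_mismatches, check_idmap) and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat's code): correlate rpc.idmapd log errors with
# the Domain configured in an idmapd.conf-style file.

# Print the first uncommented "Domain = value" setting; empty if none is set.
idmapd_domain() {
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" |
        head -n 1
}

# Read syslog on stdin; print "count remote_domain local_domain" per distinct pair.
idmap_mismatches() {
    sed -n "s/.*nss_getpwnam: name '[^@']*@\([^']*\)' does not map into domain '\([^']*\)'.*/\1 \2/p" |
        sort | uniq -c | awk '{ print $1, $2, $3 }'
}

# Usage: check_idmap CONF LOG. Returns 0 when the log holds no mapping errors.
check_idmap() {
    configured=$(idmapd_domain "$1")
    found=$(idmap_mismatches < "$2")
    [ -n "$found" ] || { echo "OK: no idmap domain errors logged"; return 0; }
    echo "$found" | while read -r count remote active; do
        echo "$count error(s): peer sends names in '$remote', mapper used '$active'"
        if [ "$configured" = "$remote" ]; then
            # Config is already right: old log lines, or the mapper was not restarted.
            echo "  Domain = $remote is set; restart rpcidmapd or run nfsidmap -c"
        else
            echo "  Domain is '${configured:-unset}'; set Domain = $remote on client and server"
        fi
    done
    return 1
}

# Constructed sample input, modelled on the log line shown in this article.
sample_conf() { printf '%s\n' '[General]' '#Domain = example.org' ' Domain = localdomain'; }
sample_log() {
    printf '%s\n' \
      "Jun  3 20:22:08 node1 rpc.idmapd[1874]: nss_getpwnam: name 'root@example.com' does not map into domain 'localdomain'" \
      "Jun  3 20:22:09 node1 kernel: NFS: unrelated constructed message" \
      "Jun  3 20:25:44 node1 rpc.idmapd[1874]: nss_getpwnam: name 'alice@example.com' does not map into domain 'localdomain'"
}

tmp=$(mktemp -d)
sample_conf > "$tmp/idmapd.conf"
sample_log > "$tmp/messages"
check_idmap "$tmp/idmapd.conf" "$tmp/messages" || true
rm -rf "$tmp"
```

On a real system the arguments would be /etc/idmapd.conf and /var/log/messages; log lines written before a configuration change remain in the file, so read the result against their timestamps.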
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
