Despite idmapd running, usernames/IDs don’t get mapped properly. Looking for a workaround.
I’m trying to get a new CentOS 7.1 workstation running, and having some problems with NFS filesystems. The server is a fully patched CentOS 6 server.
On the NFS filesystem, there are two subdirectories owned by a regular user (joe). (There are actually more and by multiple users, but I’ll just show the two.) That user exists on both the NFS server and this CentOS 7 NFS client. However, the user on the client machine is unable to perform various operations. (The operations work when logged into the server.)
$ whoami joe
$ cd /nfs
$ ls -l drwx——. 6 joe joe 4096 Apr 23 11:20 one drwxr-xr-x. 4 joe joe 4096 Dec 14 2011 two
$ cd one one: Permission denied.
$ cd two
$ ls subdir1 subdir2
$ touch testfile touch: cannot touch testfile: Permission denied
mount(1) shows that the filesystem is mounted rw. The server has it exported rw to the entire subnet. Other machines (CentOS 5) mount the same filesystems without a problem.
Looks a lot like an idmapd issue, right?
On the server:
# id joe uidP1(joe) gidP1(joe) groupsP1(joe)
Back on the client:
$ ps auxww | grep idmap | grep -v grep
$ id joe uid00(joe) gid00(joe) groups00(joe)
$ cd /nfs
$ ls -n drwx——. 6 1000 1000 4096 Apr 23 11:20 one drwxr-xr-x. 4 1000 1000 4096 Dec 14 2011 two
So it looks like even though the name/UID mapping is correct even though the idmapd daemon isn’t running on the client. (It looks like CentOS7
only starts idmapd when it’s running an NFS *server*.)
# systemctl list-units | grep nfs nfs.mount loaded active mounted /nfs proc-fs-nfsd.mount loaded active mounted NFSD configuration filesystem var-lib-nfs-rpc_pipefs.mount loaded active mounted RPC Pipe File System nfs-config.service loaded active exited Preprocess NFS
configuration nfs-client.target loaded active active NFS client services
The behavior was tested again with SELinux in permissive mode; no change.
Splunking a bit more shows some similar behavior for other distros:
Yep, this is a situation where LDAP and Kerberos aren’t in play. And the CentOS 5, CentOS 6, and other UNIXen boxes are using consistent UID/GID mappings. However, CentOS7 (well, RHEL7) changed the minimum UID/GID for regular accounts, so when the account was created on the latter, the UID is out of sync. So much for idmapd (without the fixes involved in the above URLs).
Has anyone else run into this and have a solution other than forcing UIDs to match?