Old 03-18-2012, 03:34 AM
Alexander Samad
 
Default Issues with nfs v4 and security

Hi
I am having some issue with nfs-kernel.
I have 2 servers both have NFS exports.
when i mount 1 from server B to server A, the users come up as nobody and nogroup.

when i mount from A to B I get the proper uid/gids

// this is on server B
nfs:/home/alex /home/alex nfs _netdev,bg,rw,auto,noatime,nouser,async,nodev,suid,proto=tcp,vers=4 0 0

on server A
nas:/exports/video/cam /exports/video/cam nfs _netdev,bg,rw,noauto,noatime,nouser,async,nodev,nosuid,proto=tcp,vers=4 0 0

idmap
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = abc.com.au
localdoman = hme1.bc.com.au

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

not sure what else I am supposed to be looking for !!!
and for some reason v3 doesn't work

Alex
 
Old 03-18-2012, 06:20 AM
Tom H
 
Default Issues with nfs v4 and security

On Sun, Mar 18, 2012 at 12:34 AM, Alexander Samad <alex@samad.com.au> wrote:
>
> I am having some issue with nfs-kernel.
>
> I have 2 servers both have NFS exports.
>
> when i mount 1 from server B to server A, the users come up as nobody and
> nogroup.
>
> when i mount from A to B I get the proper uid/gids
>
> // this is on server B
>
> nfs:/home/alex /home/alex nfs
> _netdev,bg,rw,auto,noatime,nouser,async,nodev,suid,proto=tcp,vers=4 0 0
>
> on server A
> nas:/exports/video/cam /exports/video/cam nfs
> _netdev,bg,rw,noauto,noatime,nouser,async,nodev,nosuid,proto=tcp,vers=4 0 0
>
> idmap
>
> [General]
>
> Verbosity = 0
> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
> # set your own domain here, if id differs from FQDN minus hostname
> # Domain = localdomain
> Domain = abc.com.au
> localdoman = hme1.bc.com.au
>
> [Mapping]
>
> Nobody-User = nobody
> Nobody-Group = nogroup

Is "Domain" in "/etc/idmapd.conf" the same on all three boxes?

Are the users' UIDs the same on all three boxes?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAOdo=SzxP-TN1X_tML7yq7KCXETW8dfZFJDsw4r3uuPyAxPy9A@mail.gmail.com
 
Old 03-18-2012, 10:13 PM
Alexander Samad
 
Default Issues with nfs v4 and security

Hi
only 2 boxes, both boxes acting as clients and servers. Yes the same uid/gid, they share a ldap service (they are both multi masters) and the id's are in sync on both boxes

and the idmap.conf is the same on both boxes
thanks

 
Old 03-19-2012, 11:27 AM
Tom H
 
Default Issues with nfs v4 and security

On Sun, Mar 18, 2012 at 7:13 PM, Alexander Samad <alex@samad.com.au> wrote:
> On Sun, Mar 18, 2012 at 6:20 PM, Tom H <tomh0665@gmail.com> wrote:
>> On Sun, Mar 18, 2012 at 12:34 AM, Alexander Samad <alex@samad.com.au>
>> wrote:
>>>
>>> I am having some issue with nfs-kernel.
>>>
>>> I have 2 servers both have NFS exports.
>>>
>>> when i mount 1 from server B to server A, the users come up as nobody
>>> and nogroup.
>>>
>>> when i mount from A to B I get the proper uid/gids
>>>
>>> on server B
>>> nfs:/home/alex /home/alex nfs
>>> _netdev,bg,rw,auto,noatime,nouser,async,nodev,suid,proto=tcp,vers=4
>>> 0 0
>>>
>>> on server A
>>> nas:/exports/video/cam /exports/video/cam nfs
>>> _netdev,bg,rw,noauto,noatime,nouser,async,nodev,nosuid,proto=tcp,vers=4
>>> 0 0
>>>
>>> idmap
>>>
>>> [General]
>>> Verbosity = 0
>>> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
>>> # set your own domain here, if id differs from FQDN minus hostname
>>> # Domain = localdomain
>>> Domain = abc.com.au
>>> localdoman = hme1.bc.com.au
>>>
>>> [Mapping]
>>> Nobody-User = nobody
>>> Nobody-Group = nogroup
>>
>> Is "Domain" in "/etc/idmapd.conf" the same on all three boxes?
>>
>> Are the users' UIDs the same on all three boxes?
>
> only 2 boxes, both boxes acting as clients and servers. Yes the same
> uid/gid, they share a ldap service (they are both multi masters) and the
> id's are in sync on both boxes
>
> and the idmap.conf is the same on both boxes

Please don't top post.

Sorry. I didn't read your initial message carefully. I saw that nfsv4
was failing and posted the first two checks that I'd do. I don't know
why I thought there were three boxes...

Given that you're using LDAP, what's in the "/etc/exports" on both boxes?

Are "rpc.idmapd" and "rpc.gssd" running on the "bad" client?

Do "/var/log/messages" and a verbose mount give you any information on
the failure?

(What's the "nas:/..." mount? Shouldn't it be "nfs:/..."?)

(What's the "localdoman" variable in "/etc/idmapd.conf" for?)


Archive: http://lists.debian.org/CAOdo=Sw+CTC8BBhKCb+ZPwoPw=Z9POX459OhVE4hSB0NjvEC=g@mail.gmail.com
 
Old 03-20-2012, 01:41 AM
Alexander Samad
 
Default Issues with nfs v4 and security

[snip]

> Please don't top post.
>
> Sorry. I didn't read Your initial message carefully. I saw that nfsv4
> was failing and posted the first two checks that I'd do. I don't know
> why I thought there were three boxes...
>
> Given that you're using LDAP, what's in the "/etc/exports" on both boxes?

this is on server A
/home/alex -no_root_squash,insecure,wdelay,no_subtree_check,async,mp=/home/alex 192.168.11.14/32(rw) laptop.wlan1.hme1.samad.com.au(rw) laptop.lan1.hme1.samad.com.au(rw) alex-mini.lan1.hme1.samad.com.au(rw) alex-mini.wlan1.hme1.samad.com.au(rw) nas.lan1.hme1.samad.com.au(rw)

server B
/exports/video/cam -no_root_squash,insecure,wdelay,no_subtree_check,async,crossmnt,mp=/exports/video 192.168.8.0/22(rw) mmac(rw,root_squash,anonuid=1025,anongid=1029)

> Are "rpc.idmapd" and "rpc.gssd" running on the "bad" client?

only rpc.idmapd is running on the bad and the good one

> Do "/var/log/messages" and a verbose mount give you any information on
> the failure?

so i tried a mount -v ? is that what you meant by verbose, the only thing I got was
Mar 20 13:37:27 max rpc.idmapd[19081]: nss_getpwnam: name 'nobody' does not map into domain 'samad.com.au'

got me thinking my nsswitch and some other libraries are not update on server B this is the one serving up the bad mount

> (What's the "nas:/..." mount? Shouldn't it be "nfs:/..."?)

nfs is <server>:<path>
so I have a server nfs and a server nas

> (What's the "localdoman" variable in "/etc/idmapd.conf" for?)

don't know !
 
Old 03-22-2012, 12:19 PM
Tom H
 
Default Issues with nfs v4 and security

On Mon, Mar 19, 2012 at 10:41 PM, Alexander Samad <alex@samad.com.au> wrote:


> this is on server A
> /home/alex
> -no_root_squash,insecure,wdelay,no_subtree_check,async,mp=/home/alex
> 192.168.11.14/32(rw) laptop.wlan1.hme1.samad.com.au(rw)
> laptop.lan1.hme1.samad.com.au(rw) alex-mini.lan1.hme1.samad.com.au(rw)
> alex-mini.wlan1.hme1.samad.com.au(rw) nas.lan1.hme1.samad.com.au(rw)
>
> server B
> /exports/video/cam
> -no_root_squash,insecure,wdelay,no_subtree_check,async,crossmnt,mp=/exports/video
> 192.168.8.0/22(rw) mmac(rw,root_squash,anonuid=1025,anongid=1029)

I've lost track whether it's when you're mounting the serverA or
serverB export that you're having the nobody problem but do you have
the same problem when mounting that export from another box? Do you
have the problem when mounting via hostname and not via ip address?

Are all your "Domain" values the same in all your boxes'
"/etc/idmapd.conf"? Do they all have "Domain = abc.com.au" like the
one that you posted earlier?


>> Do "/var/log/messages" and a verbose mount give you any information on
>> the failure?
>>
> so i tried a mount -v ? is that what you meant by verbose, the only thing I
> got was
> Mar 20 13:37:27 max rpc.idmapd[19081]: nss_getpwnam: name 'nobody' does not
> map into domain 'samad.com.au'

You can use "-vvv" but it's pretty clear that you have an idmapd problem.


> got me thinking my nsswitch and some other libraries are not update on
> server B this is the one serving up the bad mount

Is "/etc/nsswitch.conf" the same on your two boxes? Does "getent
hosts" list all of your hosts and their ip addresses? Can you query
LDAP for hostnames on all your boxes?


>> (What's the "localdoman" variable in "/etc/idmapd.conf" for?)
>
> don't know !

I've never seen "localdomain/localdoman" as an "/etc/idmapd.conf" stanza.


Archive: http://lists.debian.org/CAOdo=SyKtP+L0wSBYszKQN15939y9r1V_aCLRgoDwkgybhqATQ@mail.gmail.com
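
An added example, not part of any post in this thread and not the posters' code: the idmapd checks discussed above (an unrecognised key such as "localdoman", and the configured Domain versus the domain rpc.idmapd reports in its log) as one script. The list of known [General] keys is an assumption taken from idmapd.conf(5) and the stock Debian file; the inputs are the config and log line as posted, embedded as constructed samples.

```python
import configparser
import re

# Assumption: [General] keys per idmapd.conf(5) and Debian's default file.
# Adjust the set to the nfs-utils/libnfsidmap version in use.
KNOWN_GENERAL = {"verbosity", "pipefs-directory", "domain",
                 "local-realms", "no-strip", "reformat-group"}

LOG_RE = re.compile(r"rpc\.idmapd\[\d+\]: nss_getpwnam: name '([^']*)' "
                    r"does not map into domain '([^']*)'")

# Constructed samples: the config and the log line as posted in the thread.
SAMPLE_CONF = """\
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
# Domain = localdomain
Domain = abc.com.au
localdoman = hme1.bc.com.au

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
"""
SAMPLE_LOG = ["Mar 20 13:37:27 max rpc.idmapd[19081]: nss_getpwnam: "
              "name 'nobody' does not map into domain 'samad.com.au'"]

def audit_idmapd(conf_text, log_lines):
    """Return findings for one host's idmapd.conf text and rpc.idmapd log lines."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)  # option names are lower-cased by configparser
    general = dict(cp.items("General")) if cp.has_section("General") else {}
    findings = [f"unknown [General] key: {key}"
                for key in sorted(set(general) - KNOWN_GENERAL)]
    domain = general.get("domain", "").lower()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        name, effective = m.group(1), m.group(2).lower()
        findings.append(f"name {name!r} did not map into domain {effective}")
        if domain and effective != domain:  # NFSv4 domains compare case-insensitively
            findings.append(f"configured Domain {domain} differs from "
                            f"logged domain {effective}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_idmapd(SAMPLE_CONF, SAMPLE_LOG)))
```

Run it on both client and server with each host's own file and log; a mapping failure with matching domains points away from idmapd.conf and toward name-service lookups (nsswitch/LDAP).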
 
Old 03-23-2012, 05:13 PM
Alexander Samad
 
Default Issues with nfs v4 and security

On Fri, Mar 23, 2012 at 12:19 AM, Tom H <tomh0665@gmail.com> wrote:
> On Mon, Mar 19, 2012 at 10:41 PM, Alexander Samad <alex@samad.com.au> wrote:

[snip]

> I've lost track whether it's when you're mounting the serverA or
> serverB export that you're having the nobody problem but do you have

Okay maybe we leave that, i was trying to show I had the same setup on both side, but one was working and 1 wasn't

> the same problem when mounting that export from another box? Do you
> have the problem when mounting via hostname and not via ip address?

i usually mount via hostname

> Are all your "Domain" values the same in all your boxes'
> "/etc/idmapd.conf"? Do they all have "Domain = abc.com.au" like the
> one that you posted earlier?

yep both idmapd.conf are meant to be the same

>>> Do "/var/log/messages" and a verbose mount give you any information on
>>> the failure?

no nothing

>> so i tried a mount -v ? is that what you meant by verbose, the only thing I
>> got was
>> Mar 20 13:37:27 max rpc.idmapd[19081]: nss_getpwnam: name 'nobody' does not
>> map into domain 'samad.com.au'
>
> You can use "-vvv" but it's pretty clear that you have an idmapd problem.

I will try that thanks

>> got me thinking my nsswitch and some other libraries are not update on
>> server B this is the one serving up the bad mount
>
> Is "/etc/nsswitch.conf" the same on your two boxes? Does "getent
> hosts" list all of your hosts and their ip addresses? Can you query
> LDAP for hostnames on all your boxes?

yep and getent passwd and getent shadow and getent group are the same !

>>> (What's the "localdoman" variable in "/etc/idmapd.conf" for?)
>>
>> don't know !
>
> I've never seen "localdomain/localdoman" as an "/etc/idmapd.conf" stanza.

okay, I think it was in there as part of the default
I have to try and get the box to boot now, after the update to the kernel and system files it's not booting ;(

[snip]
 
Old 03-24-2012, 01:32 AM
Alexander Samad
 
Default Issues with nfs v4 and security

[snip]

finally got it to reboot and login... it is all working now. I use nslcd and it had cleared the rootpw from the config file, so I wasn't getting all the UID/GIDs. Fixed that and updated my system files and all is good.

also used the mount -vvvv, that helped a bit as well
Thanks
 
