Friday, August 5, 2011

NFS4 nobody permissions






When an NFS share is mounted on a client, its files may be displayed as owned by nobody. With NFSv4, this is caused by the new way user and group information is represented between the systems.


(MyClient:/)# mount -F nfs MyServer:/root/application/archive /application/archive
nfs mount: mount: /application/archive: Permission denied

(MyClient:/)# nslookup MyClient
Server:         175.21.86.11
Address:        175.21.86.11#53

Name:   MyClient.bc
Address: 177.10.7.11

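The share on the server is not set up correctly for this client. Edit /etc/dfs/dfstab on the server so that the directory is shared to the client under the name resolved above (MyClient.bc):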


(MyServer:/)# vi /etc/dfs/dfstab
"/etc/dfs/dfstab" 12 lines, 763 characters

#       Place share(1M) commands here for automatic execution
#       on entering init state 3.
#
#       Issue the command '/etc/init.d/nfs.server start' to run the NFS
#       daemon processes and the share commands, after adding the very
#       first entry to this file.
#
#       share [-F fstype] [ -o options] [-d ""] [resource]
#       .e.g,
#       share  -F nfs  -o rw=engineering  -d "home dirs"  /export/home2
#
share -F nfs -o rw=MyClient.bc,anon=0 /root/application/archive
~
~~
~
"/etc/dfs/dfstab" 12 lines, 775 characters
(MyServer:/)#
(MyServer:/)# shareall
(MyServer:/)#


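Now the directory is shared read-write to MyClient.bc. With anon=0, requests from unknown users (which includes root on the client, as no root= list is given) run with effective UID 0 on the server.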



On the client, the mount now succeeds, but the owner and group are shown as nobody:

(MyClient:/)# mount -F nfs MyServer:/root/application/archive /application/archive
(MyClient:/)#
(MyClient:/)#
(MyClient:/)# df -h /application/archive
Filesystem             size   used  avail capacity  Mounted on
MyServer:/root/application/archive
                       880G   720G   153G    83%    /application/archive
(MyClient:/)# grep /application/archive /etc/mnttab
MyServer:/root/application/archive     /application/archive   nfs     rw,nodevices,xattr,zone=MyClient,dev=59412eb    1361790688
(MyClient:/)# ls -ld /application/archive
drwxr-xr-x+ 36 nobody   nobody      1024 Oct  5 18:55 /application/archive



Solaris handles one NFSv4 domain.
If the client or server receives a user/group string whose domain does not match its own, it maps that user/group to the uid/gid "nobody" (60001).



(MyClient:/)# grep NFSMAPID_DOMAIN /etc/default/nfs
NFSMAPID_DOMAIN=mywrongdomain.com     <-- wrong domain
(MyClient:/)#
(MyClient:/)#
(MyClient:/)# cp /etc/default/nfs /etc/default/nfs.old
(MyClient:/)# vi /etc/default/nfs


# Specifies to nfsmapid daemon that it is to override its default
# behavior of using the DNS domain, and that it is to use 'domain' as
# the domain to append to outbound attribute strings, and that it is to
# use 'domain' to compare against inbound attribute strings.
# Correct NFS domain that can map the user/group
NFSMAPID_DOMAIN=nfscorrectdomain.nfs
~
~


Restart the nfsmapid service:

(MyClient:/)# svcs -a|grep mapid
online         Feb_07   svc:/network/nfs/mapid:default
(MyClient:/)# svcadm restart /network/nfs/mapid
(MyClient:/)#
(MyClient:/)# svcs -a|grep mapid
online         12:13:36 svc:/network/nfs/mapid:default
(MyClient:/)#


(MyClient:/)# ls -ld /application/archive
drwxr-xr-x+ 36 applicationload applicationgr      1024 Oct  5 18:55 /application/archive
(MyClient:/)#
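
A small model of the mapping rule described above, run against the old and the corrected domain setting. This is an added example, not part of the original post and not Solaris nfsmapid code; it runs in any POSIX shell such as bash or dash. It assumes the server's domain is nfscorrectdomain.nfs; the uid 2001 and the helper names nfsmapid_domain and map_owner are made up for the illustration, and it goes slightly beyond the page by also mapping unknown user names to nobody.

```shell
# Added example: a model of the mapping rule, not Solaris nfsmapid code.
NOBODY_UID=60001    # uid the page gives for "nobody"

# Print the NFSMAPID_DOMAIN value from an /etc/default/nfs style file.
# Commented-out (#) lines are skipped; assumes one active assignment.
nfsmapid_domain() {
    sed -n 's/^[[:space:]]*NFSMAPID_DOMAIN=//p' "$1" | head -n 1
}

# Map an inbound "user@domain" owner string to a local uid.
#   $1 owner string from the peer, $2 local NFSv4 domain, $3 passwd-format file
# A domain mismatch, a missing "@domain" part (simplification) or an
# unknown user name all end up as nobody.
map_owner() {
    user=${1%@*}
    domain=${1##*@}
    if [ "$user" = "$1" ] || [ "$domain" != "$2" ]; then
        echo "$NOBODY_UID"
        return 0
    fi
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$3")
    echo "${uid:-$NOBODY_UID}"
}

# Constructed sample data: the two domain settings from the page and a
# passwd entry with a made-up uid (2001) for applicationload.
demo() {
    tmp=$(mktemp -d) || return 1
    echo 'NFSMAPID_DOMAIN=mywrongdomain.com' > "$tmp/nfs.old"
    printf '%s\n' '#NFSMAPID_DOMAIN=domain' \
        'NFSMAPID_DOMAIN=nfscorrectdomain.nfs' > "$tmp/nfs"
    echo 'applicationload:x:2001:2001::/export/home/app:/bin/sh' > "$tmp/passwd"
    owner='applicationload@nfscorrectdomain.nfs'   # string sent by the server
    for f in nfs.old nfs; do
        d=$(nfsmapid_domain "$tmp/$f")
        echo "$f: domain=$d uid=$(map_owner "$owner" "$d" "$tmp/passwd")"
    done
    rm -rf "$tmp"
}
demo
```

With nfs.old the owner maps to 60001 (nobody); with the corrected file it maps to the local uid of applicationload.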
