[CentOS] [Samba] Samba4 and NFSv4

Thu Jun 20 20:57:18 UTC 2013
Steve Thompson <smt at vgersoft.com>

On Thu, 20 Jun 2013, steve wrote:

Thanks for your reply! I am really pulling my hair out over this one, and 
I don't have that much left :(

> What do you have in /etc/idmapd.conf

The content of this file is correct as far as I understand it, as it works 
with NFSv3 and NFSv4 with sec=sys:

[General]
Verbosity = 0
Domain = icse.cornell.edu
Local-Realms = TITAN.TEST.CORNELL.EDU

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch

(and I have nsswitch.conf correctly configured).

Note: in my case, the value of Domain in idmapd.conf is NOT the same as 
the DNS domain name. But as I understand it, as long as it is the same on 
all servers and clients, this should not matter, as it is just a label. I 
tried setting it to the DNS domain name, but it didn't make any 
difference. And changing it on just the server and not the clients leaves 
all ownerships as being nobody:nobody instead of the proper ownerships, 
which is (a) expected, and (b) leads me to believe that rpc.idmapd is 
working as it should. Starting rpc.idmapd with -vvv dumps the mappings to 
/var/log/messages, and they are correct. In any case, clients don't all 
have the same DNS domain name.

> What does ps aux | grep rpc give?

rpc       1616  0.0  0.0  18972   992 ?        Ss   Jun18   0:00 rpcbind
rpcuser   1649  0.0  0.0  25420  1380 ?        Ss   Jun18   0:00 rpc.statd
root      1678  0.0  0.0      0     0 ?        S    Jun18   0:00 [rpciod/0]
root      1679  0.0  0.0      0     0 ?        S    Jun18   0:01 [rpciod/1]
root      5789  0.0  0.0  50112  2072 ?        Ss   12:06   0:00 rpc.svcgssd -vvv
root      5795  0.0  0.0 107304   276 ?        Ss   12:06   0:00 rpc.rquotad
root      5799  0.0  0.0  22832  2560 ?        Ss   12:06   0:00 rpc.mountd --no-nfs-version 2
root      5850  0.0  0.0  36900  1048 ?        Ss   12:06   0:00 rpc.idmapd -vvv
root      8807  0.0  0.0  37340  2556 ?        Ss   16:37   0:00 rpc.gssd -vvv

All the expected daemons are present, including rpc.gssd and rpc.svcgssd. 
I have rpc.svcgssd running on the clients too, although it should not be 
necessary there (but the CentOS init scripts don't give the option to not 
start it).

> Can the user browse using nfs3?
> mount -t nfs3 -o sec=krb5 <server_fqdn>:/data /mnt

No; exactly the same result as NFSv4. But yes with sec=sys.

> Have a look at the gotchas. There's loadsa wrong info about kerberos and 
> nfs4: http://linux-nfs.org/wiki/index.php/Nfsv4_configuration

That's one of the many articles that I've read (several times). I don't 
see anything wrong in what I have done (btw, I don't agree that the fsid=0 
export should be mode 1777, and I don't agree that your first exports 
example is the proper way to do it. But in any event I have tried those 
too, to no effect).

Steve
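
An added example, not part of the original message: a small check that the idmapd.conf files gathered from a server and its clients resolve to the same Domain label and list the Kerberos realm in Local-Realms. The host names, client DNS domains and the second client's file are constructed; the fallbacks (Domain defaults to the host's DNS domain, Local-Realms to the upper-cased Domain) follow the idmapd.conf man page as assumed here.

```python
import configparser

# Constructed inputs: idmapd.conf text as collected from each host.
SERVER = """[General]
Domain = icse.cornell.edu
Local-Realms = TITAN.TEST.CORNELL.EDU
"""
CLIENT_OK = SERVER
CLIENT_NO_DOMAIN = """[General]
Verbosity = 0
"""

def effective_settings(conf_text, dns_domain):
    """Return (domain, realms) for one host, applying the assumed defaults."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    general = cp["General"] if cp.has_section("General") else {}
    # configparser lower-cases option names, so "Domain" is read as "domain".
    domain = general.get("domain", dns_domain).strip()
    realms = general.get("local-realms", domain.upper())
    return domain, {r.strip().upper() for r in realms.split(",") if r.strip()}

def check(hosts, krb_realm):
    """hosts: {name: (idmapd.conf text, DNS domain)}. Returns a list of findings."""
    findings, domains = [], {}
    for name, (text, dns) in hosts.items():
        domain, realms = effective_settings(text, dns)
        domains[name] = domain
        if krb_realm.upper() not in realms:
            findings.append(f"{name}: realm {krb_realm} not in Local-Realms {sorted(realms)}")
    # The Domain value is only a label, but it must match on every host;
    # otherwise owners are mapped to Nobody-User/Nobody-Group.
    if len(set(domains.values())) > 1:
        findings.append(f"Domain differs across hosts: {domains}")
    return findings

# Constructed host inventory; the DNS domains are placeholders.
HOSTS = {
    "server": (SERVER, "srv.example.edu"),
    "client1": (CLIENT_OK, "cs.example.edu"),
    "client2": (CLIENT_NO_DOMAIN, "lab.example.edu"),
}

if __name__ == "__main__":
    for finding in check(HOSTS, "TITAN.TEST.CORNELL.EDU"):
        print(finding)
```
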