[CentOS] CentOS 7 NFS client problems

Thu Apr 23 20:11:08 UTC 2015
Devin Reade <gdr at gno.org>

#define TL;DR

Despite idmapd running, usernames/IDs don't get mapped properly.
Looking for a workaround.

#undef TL;DR

I'm trying to get a new CentOS 7.1 workstation running, and having
some problems with NFS filesystems.  The server is a fully patched
CentOS 6 server.

On the NFS filesystem, there are two subdirectories owned by a
regular user (joe). (There are actually more and by multiple users, but
I'll just show the two.) That user exists on both the NFS server and this
CentOS 7 NFS client.  However, the user on the client machine is unable
to perform various operations.  (The operations work when logged into
the server.)

$ whoami
joe
$ cd /nfs
$ ls -l
drwx------. 6 joe    joe     4096 Apr 23 11:20 one
drwxr-xr-x. 4 joe    joe     4096 Dec 14  2011 two
$ cd one
one: Permission denied.
$ cd two
$ ls
subdir1 subdir2
$ touch testfile
touch: cannot touch testfile: Permission denied

mount(1) shows that the filesystem is mounted rw.  The server has it
exported rw to the entire subnet.  Other machines (CentOS 5) mount
the same filesystems without a problem.

Looks a lot like an idmapd issue, right?

On the server:
# id joe
uid=501(joe) gid=501(joe) groups=501(joe)

Back on the client:

$ ps auxww | grep idmap | grep -v grep
$ id joe
uid=1000(joe) gid=1000(joe) groups=1000(joe)
$ cd /nfs
$ ls -n
drwx------. 6 1000 1000  4096 Apr 23 11:20 one
drwxr-xr-x. 4 1000 1000  4096 Dec 14  2011 two

So it looks like even though the name/UID mapping is correct even though
the idmapd daemon isn't running on the client.  (It looks like CentOS7
only starts idmapd when it's running an NFS *server*.)

# systemctl list-units | grep nfs
nfs.mount                    loaded active mounted   /nfs
proc-fs-nfsd.mount           loaded active mounted   NFSD configuration 
filesystem
var-lib-nfs-rpc_pipefs.mount loaded active mounted   RPC Pipe File System
nfs-config.service           loaded active exited    Preprocess NFS 
configuration
nfs-client.target            loaded active active    NFS client services

The behavior was tested again with SELinux in permissive mode; no change.

Splunking a bit more shows some similar behavior for other distros:
  <https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/966734>
  <https://bugzilla.linux-nfs.org/show_bug.cgi?id=226>

Yep, this is a situation where LDAP and Kerberos aren't in play. And
the CentOS 5, CentOS 6, and other UNIXen boxes are using consistent
UID/GID mappings.  However, CentOS7 (well, RHEL7) changed the minimum
UID/GID for regular accounts, so when the account was created on the
latter, the UID is out of sync.  So much for idmapd (without the
fixes involved in the above URLs).

Has anyone else run into this and have a solution other than forcing
UIDs to match?

Devin