# nfs4 and no authorization

## LinuxTom

Now I finally mount with the appropriate user, but only root can write. For others, it is read-only. Also for the mapped user "vdr". Can someone give me a tip where the error could be? Or how to find out?

```
ls -la /var/vdr/video/
insgesamt 23612
drwxr-xr-x 15 vdr vdr      736 19. Feb 10:55 .
drwxr-xr-x  8 vdr vdr     4096 18. Feb 20:49 ..
-rw-r--r--  1 vdr vdr        0 19. Feb 10:55 .update
-rw-r--r--  1 vdr vdr 24144630 19. Feb 10:46 epg.data
-rw-r--r--  1 vdr vdr      323 19. Feb 09:52 h.1
-rw-r--r--  1 vdr vdr      297 12. Feb 23:07 xineliboutput@192.168.1.2.sdp
```

```
ls -l > /var/vdr/video/test.txt
-su: /var/vdr/video/test.txt: Keine Berechtigung
```

```
grep vdr /etc/fstab
192.168.1.2:/video    /var/vdr/video    nfs4    auto,soft,bg,nosuid    0 0
```

```
df -m | grep vdr
192.168.1.2:/video           716779   70839    645940   10% /var/vdr/video
```

And on Server:

```
cat /etc/exports
# /etc/exports: NFS file systems being exported.  See exports(5).
/exports        192.168.1.0/255.255.255.0(rw,no_subtree_check,no_root_squash,async,fsid=0,secure,nohide)
/exports/video  192.168.1.0/255.255.255.0(rw,no_subtree_check,no_root_squash,async,nohide,secure,nohide)
```

----------

## pgu

what does mount return on the client?

----------

## LinuxTom

```
#~ mount /var/vdr/video/
#~ echo $?
0
# ~
```

Nothing else.

In messages:

```
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: New client: 65
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Opened /var/lib/nfs/rpc_pipefs/nfs/clnt65/idmap
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: New client: 66
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nss_getpwnam: name 'root@vdr.zoo.tom' domain 'vdr.zoo.tom': resulting localname 'root'
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_uid: final return value is 0
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Client 65: (user) name "root@vdr.zoo.tom" -> id "0"
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_gid: final return value is 0
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Client 65: (group) name "root@vdr.zoo.tom" -> id "0"
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nss_getpwnam: name 'vdr@vdr.zoo.tom' domain 'vdr.zoo.tom': resulting localname 'vdr'
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_uid: final return value is 0
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Client 65: (user) name "vdr@vdr.zoo.tom" -> id "102"
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_gid: final return value is 0
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Client 65: (group) name "vdr@vdr.zoo.tom" -> id "410"
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: New client: 67
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Stale client: 66
Feb 19 13:08:20 wiesel rpc.idmapd[11037]:       -> closed /var/lib/nfs/rpc_pipefs/nfs/clnt66/idmap
```

And messages on server:

```
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfsdcb: authbuf=192.168.1.0/255.255.255.0 authtype=user
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_uid_to_name: final return value is 0
Feb 19 13:08:20 lux rpc.idmapd[7712]: Server : (user) id "0" -> name "root@vdr.zoo.tom"
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfsdcb: authbuf=192.168.1.0/255.255.255.0 authtype=group
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_gid_to_name: final return value is 0
Feb 19 13:08:20 lux rpc.idmapd[7712]: Server : (group) id "0" -> name "root@vdr.zoo.tom"
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfsdcb: authbuf=192.168.1.0/255.255.255.0 authtype=user
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_uid_to_name: final return value is 0
Feb 19 13:08:20 lux rpc.idmapd[7712]: Server : (user) id "117" -> name "vdr@vdr.zoo.tom"
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfsdcb: authbuf=192.168.1.0/255.255.255.0 authtype=group
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Feb 19 13:08:20 lux rpc.idmapd[7712]: nfs4_gid_to_name: final return value is 0
Feb 19 13:08:20 lux rpc.idmapd[7712]: Server : (group) id "989" -> name "vdr@vdr.zoo.tom"
```

On both:

```
grep -v '^#' /etc/idmapd.conf | grep -v '^$'
[General]
Verbosity = 10
Domain = vdr.zoo.tom
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.vdr.zoo.tom
LDAP_base = dc=vdr,dc=zoo,dc=tom
```

----------

## pgu

 *LinuxTom wrote:*   

> ```
> #~ mount /var/vdr/video/
> ...
> ```

I was thinking

```
mount | grep 'type nfs'
```

Then you will see some of the effective options used.

----------

## LinuxTom

```
~# mount | grep 'nfs'
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
nfsd on /proc/fs/nfsd type nfsd (rw,noexec,nosuid,nodev)
192.168.1.2:/video on /var/vdr/video type nfs4 (rw,nosuid,soft,bg,addr=192.168.1.2,clientaddr=192.168.1.5)
```

----------

## pgu

I just wanted to see rw there (but then I noticed that you said you did write as root).

Did you log on as user vdr when you did the write (or just su to the user)? What does id say?

Log in to client as vdr

```
id
touch /var/vdr/video/othertest
```

Unfortunately I have not used idcode default mapping myself so I don't think I can help.

----------

## LinuxTom

As root:

```
~# id
uid=0(root) gid=0(root) Gruppen=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
~# touch /var/vdr/video/othertest
~# ls -l /var/vdr/video/othertest
-rw-r--r-- 1 root root 0 19. Feb 13:52 /var/vdr/video/othertest
```

As vdr:

```
~# id
uid=102(vdr) gid=410(vdr) Gruppen=410(vdr),18(audio),19(cdrom),27(video)
~# touch /var/vdr/video/othertest
touch: kann „/var/vdr/video/othertest“ nicht berühren: Keine Berechtigung
```

On Server:

```
~# id
uid=0(root) gid=0(root) Gruppen=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
```

```
~# id
uid=117(vdr) gid=989(vdr) Gruppen=989(vdr),18(audio),19(cdrom),27(video)
```

----------

## pgu

As I said, I'm not familiar with default id mapping, but what happens if you run touch as the user with uid=117 on the client? If it works, it's likely a problem with the default mapping. But you might have tried this already.

----------

## LinuxTom

Is there some kind of trace module to see everything exactly? Possibly also in a log file?

----------

## LinuxTom

 *pgu wrote:*   

> ... if you run touch as the user with uid=117 on the client? ...

 

It works.   :Question:   :Question:   :Question: 

----------

## LinuxTom

But not for user "vdr".  :Sad:   :Crying or Very sad: 

----------

## pgu

 *LinuxTom wrote:*   

> Is there some kind of trace module to see everything exactly? Possibly also in a log file?

 

```
OPTS_RPC_IDMAPD="-vvv"
```

in

```
/etc/conf.d/nfs
```

or run it manually in the foreground

```
/usr/sbin/rpc.idmapd -fvvv
```

----------

## pgu

 *LinuxTom wrote:*   

>  *pgu wrote:*   ... if you run touch as the user with uid=117 on the client? ... 
> 
> It works.    

 

Then you don't seem to have any mapping between them.

----------

## LinuxTom

Serverlog:

```
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfsdcb: authbuf=192.168.1.0/255.255.255.0 authtype=user
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_uid_to_name: final return value is 0
Feb 19 17:28:42 lux rpc.idmapd[4927]: Server : (user) id "0" -> name "root@vdr.zoo.tom"
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfsdcb: authbuf=192.168.1.0/255.255.255.0 authtype=group
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_gid_to_name: final return value is 0
Feb 19 17:28:42 lux rpc.idmapd[4927]: Server : (group) id "0" -> name "root@vdr.zoo.tom"
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfsdcb: authbuf=192.168.1.0/255.255.255.0 authtype=user
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_uid_to_name: final return value is 0
Feb 19 17:28:42 lux rpc.idmapd[4927]: Server : (user) id "117" -> name "vdr@vdr.zoo.tom"
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfsdcb: authbuf=192.168.1.0/255.255.255.0 authtype=group
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Feb 19 17:28:42 lux rpc.idmapd[4927]: nfs4_gid_to_name: final return value is 0
Feb 19 17:28:42 lux rpc.idmapd[4927]: Server : (group) id "989" -> name "vdr@vdr.zoo.tom"
```

Server:

```
~# grep vdr /etc/passwd /etc/group
/etc/passwd:vdr:x:117:989:added by portage for gentoo-vdr-scripts:/var/vdr:/bin/bash
/etc/group:vdr:x:989:
```

Clientlog:

```
Feb 19 17:28:42 wiesel -bash: HISTORY: PID=4260 UID=0 /etc/init.d/rpc.idmapd restart
Feb 19 17:28:42 wiesel rpc.idmapd[6222]: Stale client: 15
Feb 19 17:28:42 wiesel rpc.idmapd[6222]:        -> closed /var/lib/nfs/rpc_pipefs/nfs/clnt15/idmap
Feb 19 17:28:42 wiesel rpc.idmapd[6222]: Stale client: 13
Feb 19 17:28:42 wiesel rpc.idmapd[6222]:        -> closed /var/lib/nfs/rpc_pipefs/nfs/clnt13/idmap
Feb 19 17:28:42 wiesel rpc.mountd[6258]: Caught signal 15, un-registering and exiting.
Feb 19 17:28:42 wiesel kernel: nfsd: last server has exited, flushing export cache
Feb 19 17:28:42 wiesel rpc.idmapd[6335]: libnfsidmap: using domain: vdr.zoo.tom
Feb 19 17:28:42 wiesel rpc.idmapd[6335]: libnfsidmap: loaded plugin /usr/lib64/libnfsidmap/nsswitch.so for method nsswitch
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: Expiration time is 600 seconds.
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: Opened /proc/net/rpc/nfs4.nametoid/channel
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: Opened /proc/net/rpc/nfs4.idtoname/channel
Feb 19 17:28:42 wiesel sm-notify[6357]: Version 1.2.5 starting
Feb 19 17:28:42 wiesel sm-notify[6357]: Already notifying clients; Exiting!
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: ReOpening /proc/net/rpc/nfs4.nametoid/channel
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: ReOpening /proc/net/rpc/nfs4.idtoname/channel
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: New client: 16
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: Opened /var/lib/nfs/rpc_pipefs/nfs/clnt16/idmap
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: New client: 17
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nss_getpwnam: name 'root@vdr.zoo.tom' domain 'vdr.zoo.tom': resulting localname 'root'
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_uid: final return value is 0
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: Client 16: (user) name "root@vdr.zoo.tom" -> id "0"
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_gid: final return value is 0
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: Client 16: (group) name "root@vdr.zoo.tom" -> id "0"
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nss_getpwnam: name 'vdr@vdr.zoo.tom' domain 'vdr.zoo.tom': resulting localname 'vdr'
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_uid: final return value is 0
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: Client 16: (user) name "vdr@vdr.zoo.tom" -> id "102"
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: nfs4_name_to_gid: final return value is 0
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: Client 16: (group) name "vdr@vdr.zoo.tom" -> id "410"
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: New client: 18
Feb 19 17:28:42 wiesel rpc.idmapd[6336]: Stale client: 17
Feb 19 17:28:42 wiesel rpc.idmapd[6336]:        -> closed /var/lib/nfs/rpc_pipefs/nfs/clnt17/idmap
Feb 19 17:28:42 wiesel rpc.mountd[6371]: Version 1.2.5 starting
Feb 19 17:28:42 wiesel kernel: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
Feb 19 17:28:42 wiesel kernel: NFSD: starting 90-second grace period
```

Client:

```
~# grep vdr /etc/passwd /etc/group
/etc/passwd:vdr:x:102:410:added by portage for gentoo-vdr-scripts:/var/vdr:/bin/bash
/etc/group:vdr:x:410:
```

----------

## LinuxTom

And (on the client):

```
su - avahi
ls -l > video/h.3
```

It works, but user avahi has id=117.

So absolutely no ID mapping.

----------

## pgu

How do you get the uid and gid, or what is the output of

```
egrep ^passwd:\|^group: /etc/nsswitch.conf
```

on your client?

----------

## LinuxTom

```
passwd:      compat
group:       compat
```

But for user 117 (avahi) it works. It is a false (or nonexistent) mapping.

----------

## pgu

Then it should get the uid/gid from the local /etc/passwd and /etc/group files. Maybe you should add some more vvv's to your rpc.idmapd options? Maybe you get some more clues where the mapping goes wrong.

----------

## LinuxTom

 *pgu wrote:*   

> Maybe you should add some more vvv's to your rpc.idmapd options?

 

The result is the same.

----------

## pgu

That means you probably have maximum verbosity then. I was hoping for even some more information. I don't know what a correct trace should look like, but looking at this:

```
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Client 65: (user) name "vdr@vdr.zoo.tom" -> id "102"
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: nfs4_name_to_gid: final return value is 0
```

It seems like the client picks up the correct id, but what puzzles me is "nsswitch->name_to_gid returned 0". I don't know if that means that it's a successful return code or if the returned id of 102 suddenly mapped to 0 after some nsswitch function. Maybe somebody else with access to a trace on a working system would know?

----------

## LinuxTom

 *pgu wrote:*   

> ... maximum verbosity ...

 

```
root       713  0.0  0.0  25316   896 ?        Ss   Feb20   0:00 /usr/sbin/rpc.idmapd -c /etc/idmapd.conf -vvvvvv
```

I think the incoming id from the server to the client is detected and translated by idmap, but then "someone is missing" who makes that effective for NFS.

----------

## Tinitus

 *LinuxTom wrote:*   

>  *pgu wrote:*   ... maximum verbosity ... 
> 
> ```
> root       713  0.0  0.0  25316   896 ?        Ss   Feb20   0:00 /usr/sbin/rpc.idmapd -c /etc/idmapd.conf -vvvvvv
> ```
> ...

 

Any Solutions yet?

----------

## LinuxTom

I gave up and got the User / Group IDs unified on my computers.

----------
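Added example, not part of any post in the thread: assuming the mount uses AUTH_SYS (`sec=sys`, the default when no `sec=` option is given, as in the fstab line above), the server authorizes each request by the numeric UID/GID in the client's RPC credential, and idmapd's name translation only affects how owners are displayed. The script compares the "Server :" and "Client N:" lines excerpted from the idmapd logs posted above and reports names that resolve to different numeric IDs on the two hosts; the function names are illustrative.

```python
import re

# Lines excerpted from the rpc.idmapd logs posted in this thread (server "lux").
SERVER_LOG = '''
Feb 19 13:08:20 lux rpc.idmapd[7712]: Server : (user) id "0" -> name "root@vdr.zoo.tom"
Feb 19 13:08:20 lux rpc.idmapd[7712]: Server : (group) id "0" -> name "root@vdr.zoo.tom"
Feb 19 13:08:20 lux rpc.idmapd[7712]: Server : (user) id "117" -> name "vdr@vdr.zoo.tom"
Feb 19 13:08:20 lux rpc.idmapd[7712]: Server : (group) id "989" -> name "vdr@vdr.zoo.tom"
'''

# Lines excerpted from the client ("wiesel") log in this thread.
CLIENT_LOG = '''
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Client 65: (user) name "root@vdr.zoo.tom" -> id "0"
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Client 65: (group) name "root@vdr.zoo.tom" -> id "0"
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Client 65: (user) name "vdr@vdr.zoo.tom" -> id "102"
Feb 19 13:08:20 wiesel rpc.idmapd[11037]: Client 65: (group) name "vdr@vdr.zoo.tom" -> id "410"
'''

SERVER_RE = re.compile(r'Server : \((user|group)\) id "(\d+)" -> name "([^"]+)"')
CLIENT_RE = re.compile(r'Client \d+: \((user|group)\) name "([^"]+)" -> id "(\d+)"')


def server_map(log):
    """(kind, name) -> numeric id, as the server translated id to name."""
    return {(m[1], m[3]): int(m[2]) for m in SERVER_RE.finditer(log)}


def client_map(log):
    """(kind, name) -> numeric id, as the client translated name to id."""
    return {(m[1], m[2]): int(m[3]) for m in CLIENT_RE.finditer(log)}


def mismatches(server_log, client_log):
    """List (kind, name, server_id, client_id) where the two hosts disagree."""
    srv, cli = server_map(server_log), client_map(client_log)
    return sorted(
        (kind, name, srv[kind, name], cli[kind, name])
        for kind, name in srv.keys() & cli.keys()
        if srv[kind, name] != cli[kind, name]
    )


if __name__ == "__main__":
    for kind, name, sid, cid in mismatches(SERVER_LOG, CLIENT_LOG):
        # Under AUTH_SYS the client sends cid; the server checks it against files owned by sid.
        print(f"{kind} {name}: server id {sid}, client id {cid}")
```

Every name it reports is an account whose numeric ID on the client differs from the owner ID on the server, so under AUTH_SYS the server treats its requests as coming from a different local account.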

