Olav Gjerde
2012-Feb-05 11:50 UTC
Why do I get 32767 id mapping when using NFSv4 with LDAP?
I've configured a server with 9-STABLE compiled late January. I've played a bit with NFSv4 and it works great. Except that I can't get it to play nice with OpenLDAP. If I mirror the passwd and group files between the client and server the mapping is correct. If I add pam_ldap to the /etc/pam.d/system file it works fine on both systems when I browse local files, however NFSv4 maps both the uid and gid as 32767. The files should belong to user olav with uid and gid 1001. Does anyone know how I can get this to work properly? At least, what should I look into? Do I need Kerberos?
Rick Macklem
2012-Feb-05 15:49 UTC
Why do I get 32767 id mapping when using NFSv4 with LDAP?
Olav Gjerde wrote:

> I've configured a server with 9-STABLE compiled late January. I've
> played a bit with NFSv4 and it works great. Except that I can't get it
> to play nice with OpenLDAP. If I mirror the passwd and group files
> between the client and server the mapping is correct. If I add
> pam_ldap to the /etc/pam.d/system file it works fine on both systems
> when I browse local files, however NFSv4 maps both the uid and gid as
> 32767. The files should belong to user olav with uid and gid 1001. Does
> anyone know how I can get this to work properly? At least, what should I
> look into? Do I need Kerberos?

Nope, you shouldn't need Kerberos. The 32767 is what you get when it can't find a mapping. All nfsuserd does is call the library functions like getpwuid()/getpwname() to get a mapping for a uid when it gets an upcall from the kernel asking for a mapping for that uid/user.

I've never used ldap, so I can't help with that except to suggest that, for some reason, the libc calls aren't working. You can run nfsuserd with "-verbose" and it will log all mapping attempts. (Maybe what it logs in /var/log/messages will give you a hint.)

You can also "tcpdump -s 0 -w xxx host <server or client>" and then look at "xxx" in wireshark. Then, look in the Getattr reply and see what the Owner and Owner_group replies look like. This will tell you if it is the server that isn't doing the mappings or the client after it receives the name. (For Getattr, the server should translate uid/gid to <name>@<your.dns.domain> and then the client should turn that back into the same uid/gid.)

Good luck with it, rick
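The round trip Rick describes (server: uid to name@domain via getpwuid(); client: name@domain back to uid via getpwnam(), with 32767 when either lookup fails) can be exercised directly through libc from Python's pwd module, which goes through the same NSS/LDAP path nfsuserd's lookups do. This is an added diagnostic sketch, not nfsuserd's code; the domain strings and the 2000000001 uid are constructed placeholders, and the group path (getgrgid()/getgrnam()) is left out.

```python
import pwd

# What the thread reports when nfsuserd cannot find a mapping (assumed here
# as the fallback on both the server and the client side).
NOBODY_ID = 32767


def uid_to_owner(uid, domain):
    """Server side of a Getattr reply: uid -> "name@domain" via getpwuid().
    Returns None when libc (and so NSS/LDAP) cannot resolve the uid."""
    try:
        return f"{pwd.getpwuid(uid).pw_name}@{domain}"
    except (KeyError, OverflowError):
        return None


def owner_to_uid(owner, domain):
    """Client side: "name@domain" -> uid via getpwnam(). Falls back to
    NOBODY_ID when the domain does not match the client's own domain or
    the name is unknown to libc on the client."""
    name, sep, owner_domain = owner.partition("@")
    if not sep or owner_domain.lower() != domain.lower():
        return NOBODY_ID
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return NOBODY_ID


def roundtrip(uid, server_domain, client_domain=None):
    """Run both halves for one uid and report which side loses the mapping.
    Returns (mapped_uid, explanation)."""
    client_domain = client_domain or server_domain
    owner = uid_to_owner(uid, server_domain)
    if owner is None:
        return NOBODY_ID, f"server: getpwuid({uid}) found no entry"
    mapped = owner_to_uid(owner, client_domain)
    if mapped == NOBODY_ID:
        return NOBODY_ID, f"client: could not map {owner!r} back to a uid"
    return mapped, f"ok: {uid} -> {owner} -> {mapped}"


if __name__ == "__main__":
    # root always resolves; 2000000001 is a constructed uid that should not.
    for uid in (0, 2000000001):
        print(roundtrip(uid, "example.org"))
    # Mismatched domains on the two ends also produce the 32767 fallback.
    print(roundtrip(0, "example.org", "other.example"))
```

Run it on the client and on the server with the LDAP-backed nsswitch in place: if getpwuid(1001) fails on either box, the libc lookup is the problem rather than NFS itself.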