  1. #1
    Just Joined!
    Join Date
    May 2010
    Location
    Virginia, USA
    Posts
    2

    NFS4: Write permission denied, mounted as rw

    Hello,

    I have nfs4 configured between a RHEL 5.3 server (charlie) and a RHEL 5.3 client (simcom1). The machines are configured to authenticate users via kerberos by a Windows Server 2008 active directory machine called "alpha." Alpha also serves as a dns and dhcp machine for the local network.

    I notice that when a user logs in to a RHEL machine for the first time they are issued a UID unique to that machine; the first user to log on gets 10001. So, what I see is that users on simcom1 and charlie have different UIDs. When a user does an 'ls -la' command from within an nfs4 mount I would have thought that the usernames in the owner column would indicate 'nobody' or at least the wrong user name - since UIDs are different between the machines for each user, and not all users have logged into each machine. However, simcom1 is able to correctly resolve usernames in an 'ls -la' executed on files residing on charlie via nfs4. Most troubling is that users are unable to write to files across the nfs mount.

    The server, charlie, has the root directory exported as rw. The client, simcom1, mounts the export as rw. My configurations are shown below.

    My question is, how do I configure the RHEL machines to allow users to write files across nfs4 that is already mounted as read/write?

    Code:
    [root-at-charlie ~]# more /etc/exports
    / 10.100.0.0/16(rw,no_root_squash,fsid=0)
    
    [root-at-charlie ~]#cat /etc/sysconfig/nfs
    #
    # Define which protocol versions mountd
    # will advertise. The values are "no" or "yes"
    # with yes being the default
    #MOUNTD_NFS_V1="no"
    #MOUNTD_NFS_V2="no"
    #MOUNTD_NFS_V3="no"
    #
    #
    # Path to remote quota server. See rquotad(8)
    #RQUOTAD="/usr/sbin/rpc.rquotad"
    # Port rquotad should listen on.
    #RQUOTAD_PORT=875
    # Optinal options passed to rquotad
    #RPCRQUOTADOPTS=""
    #
    #
    # TCP port rpc.lockd should listen on.
    #LOCKD_TCPPORT=32803
    # UDP port rpc.lockd should listen on.
    #LOCKD_UDPPORT=32769
    #
    #
    # Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
    # Turn off v2 and v3 protocol support
    #RPCNFSDARGS="-N 2 -N 3"
    # Turn off v4 protocol support
    #RPCNFSDARGS="-N 4"
    # Number of nfs server processes to be started.
    # The default is 8.
    RPCNFSDCOUNT=8
    # Stop the nfsd module from being pre-loaded
    #NFSD_MODULE="noload"
    #
    #
    # Optional arguments passed to rpc.mountd. See rpc.mountd(8)
    #STATDARG=""
    #RPCMOUNTDOPTS=""
    # Port rpc.mountd should listen on.
    #MOUNTD_PORT=892
    #
    #
    # Optional arguments passed to rpc.statd. See rpc.statd(8)
    #RPCIDMAPDARGS=""
    #
    # Set to turn on Secure NFS mounts.
    SECURE_NFS="no"
    # Optional arguments passed to rpc.gssd. See rpc.gssd(8)
    #RPCGSSDARGS="-vvv"
    # Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
    #RPCSVCGSSDARGS="-vvv"
    # Don't load security modules in to the kernel
    #SECURE_NFS_MODS="noload"
    #
    # Don't load sunrpc module.
    #RPCMTAB="noload"
    #
    
    [root-at-simcom1 ~]# cat /etc/fstab
    --start snip--
    charlie:/home /usr/local/dev/charlie nfs4 rw,nosuid, 0 0
    --end snip--
    
    [brendanmac-at-simcom1 /usr/local/dev/charlie/brendanmac]# touch file
    touch: cannot touch 'file': Permission denied
    [brendanmac-at-simcom1 /usr/local/dev/charlie/brendanmac]# su
    Password:
    [root-at-simcom1 /usr/local/dev/charlie/brendanmac]# touch file
    [root-at-simcom1 /usr/local/dev/charlie/brendanmac]# ls -la file
    -rw------- 1 root root 0 May 26 10:43 file

    Please forgive that the at signs were changed to "-at-" because the forum would not let me post what it considered URLs before I've had 15 posts.

    Thank you for your assistance,
    Brendan

  2. #2
    Linux Newbie dilbert's Avatar
    Join Date
    Sep 2006
    Location
    Yorkshire, GB
    Posts
    241
    I also got read-only access despite having "rw" specified in the "/etc/exports" file.

    I found a paper from Oracle where they suggest to find out the IDs with the program "id" and then do a "chown <uid>:<gid> /directory" where directory is the exported directory in "/etc/exports".
    Bus Error: Passengers dumped. Hech gap yo'q.

  3. #3
    Just Joined!
    Join Date
    May 2010
    Location
    Virginia, USA
    Posts
    2
    Thank you for your response. I haven't gotten any help through the RedHat support we pay for, nor from another forum.

    I'm fairly certain it's a UID problem. I can't chown the directories/files since that would make it so the user cannot edit the files on the actual machine they reside on.

    I've got kerberos authentication set up for gdm and ssh, and tried to get the nfs4 to mount with kerberos enabled - but I get a "Starting RPC svcgssd [FAILED]" message when I restart nfs with the conf file set secure=yes. I think one reason is I can't get the kadmin commands to add the principal. Any ideas on how to configure an nfs principal to a Windows Server 2008 box?

    The following is one of many variations on the commands that I've tried, all of which fail.
    Code:
    kadmin addprinc -randkey nfs/simcom1.[mydomain]
    ktadd -e des-cbc-crc:normal -k /tmp/keytab

    I am under the wire to get a read/write share set up so development/testing can continue on our deliverable hardware.

    I haven't gotten anywhere with this, so I am going to have to move on and try samba shares. Ideas from others are still welcome; I'd still like to solve this problem.

    Quote Originally Posted by dilbert View Post
    I also got read-only access despite having "rw" specified in the "/etc/exports" file.

    I found a paper from Oracle where they suggest to find out the IDs with the program "id" and then do a "chown <uid>:<gid> /directory" where directory is the exported directory in "/etc/exports".
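
Added example (not part of the original thread): with AUTH_SYS, which is what the posted setup uses (SECURE_NFS="no"), the client sends the numeric UID in each request and the server checks permissions against it, while idmapd only translates owner names for display. The script below compares `getent passwd` dumps from both hosts and lists accounts whose UID differs or that exist on one side only. The file names and the users alice and bob are constructed sample data; brendanmac and UID 10001 are taken from the thread.

```shell
#!/bin/sh
# Compare two passwd-format dumps (e.g. `getent passwd` run on the NFS server
# and on the client) and report accounts whose numeric UID differs or that
# exist on only one host.
# Output: one line per problem, "<user> <server-uid> <client-uid>" ("-" = absent).
uid_mismatches() {
    # $1 = passwd-format file from the server, $2 = same from the client
    awk -F: '
        NR == FNR { srv[$1] = $3; next }   # first file: server name -> UID
        { cli[$1] = $3 }                    # second file: client name -> UID
        END {
            for (u in srv) {
                if (!(u in cli))           print u, srv[u], "-"
                else if (srv[u] != cli[u]) print u, srv[u], cli[u]
            }
            for (u in cli) if (!(u in srv)) print u, "-", cli[u]
        }' "$1" "$2" | sort
}

# Constructed sample data: each host handed out UIDs in order of first login,
# so the same user ended up with different numbers on each machine.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/charlie.passwd" <<'EOF'
alice:*:10001:10000::/home/alice:/bin/bash
bob:*:10002:10000::/home/bob:/bin/bash
brendanmac:*:10003:10000::/home/brendanmac:/bin/bash
EOF
    cat > "$dir/simcom1.passwd" <<'EOF'
brendanmac:*:10001:10000::/home/brendanmac:/bin/bash
bob:*:10002:10000::/home/bob:/bin/bash
EOF
    echo "$dir"
}

samples=$(make_samples)
uid_mismatches "$samples/charlie.passwd" "$samples/simcom1.passwd"
```

In the sample, brendanmac's requests from the client arrive as UID 10001, which the server resolves to alice, so a write into a directory owned by server UID 10003 is refused even though `ls -la` shows the expected owner name.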
