Redhat client displays nobody/nobody: Configuring IDMAP.CONF on Redhat to resolve the user/group name in NFS v4.1

Finally we have good news for users who are looking to map Redhat users and groups to Active Directory users while using the NFS v4.1 protocol.

As we all know, there are differences in behaviour between NFS v4.1 and NFS v3. One of the key differences (mentioned below) is the way Windows sends the response to the Unix client.

  • With NFS v3, we follow the NFS RFC and send the uidNumber/gidNumber for the user and group, and hence the Linux client is able to resolve them.
  • With NFS v4.1, we also follow the new RFC and send the owner as <user>@<domain> (fattr4_owner_group).

Now consider a scenario where user mapping is configured through Adlookup (Active Directory lookup). With NFS v3, once the mapping configuration is in place and proper NTFS permissions are set, the user/group names are resolved correctly on both Windows and UNIX.

But with NFS v4.1, even though everything is in place, Windows sends the response in a different format: user@domain instead of the uid for the user and the gid for the group. Hence the Unix machine is unable to resolve this response and displays nobody/nobody when the file permissions are listed.

From the Windows side, if we run the nfsfile command, the correct user/group names are resolved and displayed.

Due to this there were a lot of customer requests coming in to fix this. But as Windows was following the NFS RFC for version 4.1, there was not much to be configured on the Windows side. Based on our research, the configuration needed to be done on the Unix (Redhat in this scenario) side.

To fix the settings on the Redhat side, we started with our research. We observed the following in the logs collected:

From /var/log/messages on Redhat:

  • my-unix nfsidmap[]: nss_getpwnam: name 'testuser5@contoso' does not map into domain 'contoso.COM'
  • my-unix rpc.idmapd[]: libnfsidmap: loaded plugin /usr/lib64/libnfsidmap/nsswitch.so for method nsswitch

From the Netmon trace, we could see that Windows sends the GETATTR response back to the Redhat client in the format (user@domain).

Then we started looking into the idmap.conf file and found the entry below:

Your local schema's attribute name to be used for NFSv4 user names (Default: NFSv4Name)

NFSv4_uid_attr

We were not sure if this was causing the issue. We then configured Kerberos, as with NFS v4.1 the server and client need to agree on concepts like domain and realms, and that eventually also requires idmap configuration on the client side.

Then, based on further research, we were able to get the right settings needed to fix the issue. In the example below we used the following environment:

Environment:

  • Windows 2012 as member server, Server for NFS
  • Redhat 6.1 as NFS client
  • Windows 2008 R2 as DC

Steps:

  • No Kerberos needs to be configured on the Redhat side
  • Adlookup configured on the Windows side for user/group mapping
  • The username has to be the same across Windows and Linux
  • In the idmap.conf file we just need to add the NetBIOS name of the domain (as the NFS server passes the inputs as user@domain):

      a. Domain = contoso

Note: Restarting the idmapd daemon through the NFS services will not fix the issue. You need to reboot the Linux machine so that it recreates/rereads the following: (/usr/lib64/libnfsidmap/nsswitch.so)
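To show why the Domain setting is what makes the difference, here is an added example (not code from the original post) that models the check the nsswitch plugin of libnfsidmap performs on the user@domain string: the domain part must match the Domain configured in the [General] section of idmapd.conf (the file the steps above call idmap.conf, /etc/idmapd.conf on Redhat), otherwise the name is rejected with the "does not map into domain" message and the client falls back to nobody. The passwd table, the two config texts and the DNS-domain fallback are constructed assumptions; the real plugin also consults a DNS TXT record when Domain is unset, which is left out here.

```python
"""Model of how rpc.idmapd's nsswitch plugin turns an NFSv4 owner string
(fattr4_owner) into a local uid. Added example; tables are constructed."""
import configparser
from typing import Optional

# Constructed sample: local accounts on the Redhat client. The username
# must be the same on Windows and Linux (see Steps above).
LOCAL_PASSWD = {"testuser5": 1005, "nfsnobody": 65534}
NOBODY_UID = 65534


def configured_domain(idmapd_conf_text: str, host_dns_domain: str) -> str:
    """Return [General] Domain, or fall back to the host's DNS domain the
    way libnfsidmap does when Domain is not set (assumption: the fallback
    is modelled as the DNS domain passed in, without the TXT-record lookup)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(idmapd_conf_text)
    return cfg.get("General", "Domain", fallback=host_dns_domain)


def nss_getpwnam(owner: str, domain: str) -> Optional[int]:
    """Map 'user@domain' to a uid. Returns None when the domain part does
    not match the configured domain, which is the case logged as
    "nss_getpwnam: name '...' does not map into domain '...'" above.
    Assumption: the comparison is case-insensitive, as libnfsidmap's is."""
    if "@" not in owner:
        return LOCAL_PASSWD.get(owner)  # bare names are looked up as-is
    user, _, owner_domain = owner.partition("@")
    if owner_domain.lower() != domain.lower():
        return None
    return LOCAL_PASSWD.get(user)


def uid_shown_by_ls(owner: str, idmapd_conf_text: str,
                    host_dns_domain: str = "contoso.COM") -> int:
    """What the client ends up displaying: the mapped uid, or nobody."""
    domain = configured_domain(idmapd_conf_text, host_dns_domain)
    uid = nss_getpwnam(owner, domain)
    return NOBODY_UID if uid is None else uid


# Constructed config texts: before the fix Domain is unset, so the DNS
# domain contoso.COM is used and 'testuser5@contoso' does not match.
BEFORE = "[General]\nVerbosity = 0\n"
AFTER = "[General]\nVerbosity = 0\nDomain = contoso\n"  # NetBIOS name, as in the fix

if __name__ == "__main__":
    print("before:", uid_shown_by_ls("testuser5@contoso", BEFORE))  # 65534 (nobody)
    print("after: ", uid_shown_by_ls("testuser5@contoso", AFTER))   # 1005
```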

Once done, we were able to see the user/group names on both the Windows and Unix side.