NFS4 no_root_squash does not take effect

Hi@all,

I am currently testing NFS4 with the UCS5. I may also have a problem understanding.

If I export a file system with the option ‘no_root_squash’ on the NFS server, I should have access to this mount on the client as the user ‘root’, right?

I don’t know if the file system below the export is relevant. I mention it because I have always used EXT4. But now I use XFS. The mount options of the home partition on the server are ‘default’.

UCS-Server 5

/etc/exports

"/home" -rw,no_root_squash,sync,no_subtree_check,sec=krb5i

Linuxmint 20.3

On the client, I mount the export without any special options. I always do this at the beginning to see what the client and server negotiate with each other.

mount -t nfs4 -o sec=krb5i srv01.gehr.lan:/home /home

As a result, the client mounts the export as follows:

srv01.gehr.lan:/home/s.gehr on /home/s.gehr type nfs (rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5i,mountaddr=192.168.83.5,mountvers=3,mountport=32767,mountproto=udp,local_lock=none,addr=192.168.83.5)

If I open a shell on the client and become root with ‘su’, I cannot see the contents of the user homes.

root@pc001:/home/s.gehr# ls
ls: Öffnen von Verzeichnis '.' nicht möglich: Keine Berechtigung

The option ‘no_root_squash’ should allow exactly that, right?

with best
sven

I would say the option doesn’t make any sense in normal setups when Kerberos is used, because normally there is no user principal for the user root.

I was able to solve the problem. All the “instructions” you find on the net claim the following:

  • The option no_root_squash does not work if sec=krb5…
  • You have to pass nfsv4_disable_idmapper = N to the kernel module (nfs / nfsd) on both the server and the client.
  • And then a static mapping in idmapd.conf like:

root@localdomain = root

in idmapd.conf.

I can’t tell if this is just crap or it used to be this way in older versions. I’ve been reading man pages for 4 days and checked pretty much every daemon involved.

On the Samba mailing list the problem could be solved and it is quite simple. It’s just a small adjustment in idmapd.conf for the machine account.

[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = gehr.lan

[Translation]
GSS-Methods = static,nsswitch

[Static]
PC001$@GEHR.LAN = root

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

Then no_root_squash also works as usual and I can become root on the client and still access the NFS share.

I still want to check whether this really has to happen for each client individually or whether it can also be formulated so that it applies to all clients in the domain.
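As an added example, not taken from this thread, here is a small Python audit of an idmapd.conf in the shape shown above: it reports whether `static` is among the GSS-Methods (without it a [Static] entry is never consulted) and lists every principal the [Static] section maps onto root, since each such machine account gains root identity on the export. The sample config is constructed for the example; the second client and the non-root service mapping are assumptions added to show what the audit reports.

```python
import configparser
import re

# Constructed sample modelled on the idmapd.conf in the post above, with a
# second client and a non-root mapping added to show what the audit reports.
SAMPLE_IDMAPD_CONF = """\
[General]
Domain = gehr.lan

[Translation]
GSS-Methods = static,nsswitch

[Static]
PC001$@GEHR.LAN = root
PC002$@GEHR.LAN = root
svc_backup@GEHR.LAN = backup
"""

# Kerberos machine accounts carry a trailing '$' before the realm (PC001$@GEHR.LAN).
MACHINE_PRINCIPAL = re.compile(r"^[^$@]+\$@[^@]+$")

def parse_idmapd(text):
    # Keep option case: keys such as GSS-Methods and the principals are case-sensitive.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def gss_methods(cp):
    # Order matters to idmapd; without a [Translation] entry it uses nsswitch only.
    raw = cp.get("Translation", "GSS-Methods", fallback="nsswitch")
    return [m.strip() for m in raw.split(",") if m.strip()]

def root_mapped_principals(cp):
    # Every principal that the [Static] section maps onto the local user root.
    if not cp.has_section("Static"):
        return []
    return [p for p, user in cp.items("Static") if user.strip() == "root"]

def audit(text):
    cp = parse_idmapd(text)
    methods = gss_methods(cp)
    roots = root_mapped_principals(cp)
    return {
        "static_enabled": "static" in methods,
        "root_principals": roots,
        "machine_accounts_as_root": [p for p in roots if MACHINE_PRINCIPAL.match(p)],
        # A [Static] root mapping only takes effect when 'static' is a GSS method.
        "effective": "static" in methods and bool(roots),
    }
```

Running `audit()` over a client's real idmapd.conf gives a quick list of which host principals can act as root on the share, which is the set an administrator should keep as small as possible.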
