NFS4 no_root_squash does not take effect

I was able to solve the problem. All the “instructions” you find on the net claim the following:

  • The option no_root_squash does not work if sec=krb5…
  • You have to pass nfsv4_disable_idmapper = N to the kernel module (nfs / nfsd) on both the server and the client.
  • And then a static mapping in idmapd.conf like:

root@localdomain = root

in idmapd.conf.

I can’t tell if this is just crap or it used to be this way in older versions. I’ve been reading man pages for 4 days and checked pretty much every daemon involved.

On the Samba mailing list the problem could be solved and it is quite simple. It’s just a small adjustment in idmapd.conf for the machine account.

[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = gehr.lan

[Translation]
GSS-Methods = static,nsswitch

[Static]
PC001$@GEHR.LAN = root

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

Then no_root_squash also works as usual and I can become root on the client and still access the NFS share.

I still want to check whether this really has to happen for each client individually or whether it can also be formulated so that it applies to all clients in the domain.

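An added example, not part of the original post: a small Python audit that reads an idmapd.conf and reports which Kerberos principals its [Static] section maps to root, and whether the static method is active for GSS names at all. The function name audit_idmapd and the sample text (the post's mapping plus one constructed non-root entry) are assumptions made here; the GSS-Methods default follows idmapd.conf(5).

```python
import configparser

# Constructed sample input: the mapping from the post plus one constructed
# non-root entry (alice) to show that only privileged targets are reported.
SAMPLE = """\
[General]
Domain = gehr.lan

[Translation]
GSS-Methods = static,nsswitch

[Static]
PC001$@GEHR.LAN = root
alice@GEHR.LAN = alice
"""


def audit_idmapd(text, privileged=("root",)):
    """Return (static_active, findings) for an idmapd.conf given as text.

    findings lists (principal, local_user, is_machine_account) for every
    [Static] entry that maps a Kerberos principal to a privileged local user.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # keep principal names exactly as written
    cp.read_string(text)

    # Per idmapd.conf(5): GSS-Methods defaults to Method, Method to nsswitch.
    method = cp.get("Translation", "Method", fallback="nsswitch")
    gss = cp.get("Translation", "GSS-Methods", fallback=method)
    static_active = "static" in [m.strip().lower() for m in gss.split(",")]

    findings = []
    if cp.has_section("Static"):
        for principal, user in cp.items("Static"):
            if user.strip() in privileged:
                # Machine accounts carry a trailing "$" before the realm.
                machine = principal.split("@", 1)[0].endswith("$")
                findings.append((principal, user.strip(), machine))
    return static_active, findings


if __name__ == "__main__":
    active, findings = audit_idmapd(SAMPLE)
    print("static method active for GSS names:", active)
    for principal, user, machine in findings:
        kind = "machine account" if machine else "user principal"
        print(f"{principal} -> {user} ({kind})")
```

When static_active is False, the [Static] entries are present in the file but not consulted for Kerberos-authenticated names.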