<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div dir="ltr" >Thank you Andy for the root cause analysis. It looks like a bug in manage gids code where it should set the group list to anonynous_gid if the uid is not found instead of actually failing the request. I will post a patch upstream.</div>
<div dir="ltr" > </div>
<div dir="ltr" >The file should be created whether the above setting is true or not, but please note that with that setting the gid of the file would be -2 (depends on your anonymous gid config). The uid should be same in either case.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Regards, Malahal.</div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: Andy Kurth <andy_kurth@ncsu.edu><br>Sent by: gpfsug-discuss-bounces@spectrumscale.org<br>To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org><br>Cc:<br>Subject: Re: [gpfsug-discuss] does ganesha deny access for unknown UIDs?<br>Date: Fri, Jan 25, 2019 9:40 PM<br>
<div dir="ltr" ><div dir="ltr" ><div dir="ltr" ><div dir="ltr" ><div style="font-family:arial,helvetica,sans-serif" >I believe this is occurring because of the manage_gids=TRUE setting. The purpose of this setting is to overcome the AUTH_SYS 16 group limit. If true, Ganesha takes the UID and resolves all of the GIDs on the server. If false, the GIDs sent by the client are used. </div>
<div style="font-family:arial,helvetica,sans-serif" > </div>
<div style="font-family:arial,helvetica,sans-serif" >I ran a quick test by creating a local user on the client and exporting 2 shares with 777 permissions, one with manage_gids=TRUE and one with FALSE.</div>
<div style="font-family:arial,helvetica,sans-serif" > </div>
<div style="font-family:arial,helvetica,sans-serif" >The user could view the share and create files with manage_gids=FALSE. ganesha.log showed that it tried and failed to resolve the UID to a name, but allowed the operation nonetheless:</div>
<div style="font-family:arial,helvetica,sans-serif" > </div>
<div><div><font face="monospace, monospace" >2019-01-25 10:19:03 : epoch 0001004c : gpfs-proto.domain : ganesha.nfsd-123297[work-30] xdr_encode_nfs4_princ :ID MAPPER :INFO :nfs4_uid_to_name failed with code -2.</font></div>
<div><font face="monospace, monospace" >2019-01-25 10:19:03 : epoch 0001004c : gpfs-proto.domain : ganesha.nfsd-123297[work-30] xdr_encode_nfs4_princ :ID MAPPER :INFO :Lookup for 779 failed, using numeric owner</font></div>
<div> </div>
<div><font face="arial, helvetica, sans-serif" >With </font><span style="font-family:arial,helvetica,sans-serif" >manage_gids=TRUE, the client received permission denied and ganesha.log showed the GID query failing:</span></div>
<div> </div>
<div><font face="monospace, monospace" >2019-01-25 10:19:27 : epoch 0001004c : gpfs-proto.domain : ganesha.nfsd-123297[work-39] uid2grp_allocate_by_uid :ID MAPPER :INFO :No matching password record found for uid 779</font></div>
<div><font face="monospace, monospace" >2019-01-25 10:19:27 : epoch 0001004c : gpfs-proto.domain : ganesha.nfsd-123297[work-39] nfs_req_creds :DISP :INFO :Attempt to fetch managed_gids failed</font></div>
<div> </div>
<div style="font-family:arial,helvetica,sans-serif" >Hope this helps,</div>
<div style="font-family:arial,helvetica,sans-serif" >Andy Kurth / NC State University</div></div></div></div></div></div>
<div><div dir="ltr" >On Thu, Jan 24, 2019 at 9:36 AM Billich Heinrich Rainer (PSI) <<a href="mailto:heiner.billich@psi.ch" target="_blank">heiner.billich@psi.ch</a>> wrote:</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" ><div lang="EN-US" ><div><p><span style="font-size:11pt" >Hello,</span></p>
<p><span style="font-size:11pt" > </span></p>
<p><span style="font-size:11pt" >a local account on a nfs client couldn’t write to a ganesha nfs export even with directory permissions 777. The solution was to create the account on the ganesha servers, too.</span></p>
<p><span style="font-size:11pt" > </span></p>
<p><span style="font-size:11pt" >Please can you confirm that this is the intended behaviour? is there an option to change this and to map unknown accounts to nobody instead? We often have embedded Linux appliances or similar as nfs clients which need to place some data on the nfs exports using uid/gid of local accounts.</span></p>
<p><span style="font-size:11pt" > </span></p>
<p><span style="font-size:11pt" >We manage gids on the server side and allow NFS v3 client access only.</span></p>
<p><span style="font-size:11pt" > </span></p>
<p><span style="font-size:11pt" >I crosspost this to ganesha support and to the gpfsug mailing list.</span></p>
<p><span style="font-size:11pt" > </span></p>
<p><span style="font-size:11pt" >Thank you,</span></p>
<p><span style="font-size:11pt" > </span></p>
<p><span style="font-family:-webkit-standard;color:black" >Heiner Billich</span></p>
<p><span style="font-family:-webkit-standard;color:black" > </span></p>
<p><span style="font-family:-webkit-standard;color:black" >ganesha version: 2.5.3-ibm028.00.el7.x86_64 </span></p>
<p><span style="font-family:-webkit-standard;color:black" > </span></p>
<p><span style="font-family:-webkit-standard;color:black" >the ganesha config</span></p>
<p><span style="font-family:-webkit-standard;color:black" > </span></p>
<p><span style="font-family:-webkit-standard;color:black" >CacheInode</span></p>
<p><span style="font-family:-webkit-standard;color:black" >{</span></p>
<p><span style="font-family:-webkit-standard;color:black" > fd_hwmark_percent=60;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > fd_lwmark_percent=20;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > fd_limit_percent=90;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > lru_run_interval=90;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > entries_hwmark=1500000;</span></p>
<p><span style="font-family:-webkit-standard;color:black" >}</span></p>
<p><span style="font-family:-webkit-standard;color:black" >NFS_Core_Param</span></p>
<p><span style="font-family:-webkit-standard;color:black" >{</span></p>
<p><span style="font-family:-webkit-standard;color:black" > clustered=TRUE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > rpc_max_connections=10000;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > heartbeat_freq=0;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > mnt_port=33247;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > nb_worker=256;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > nfs_port=2049;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > nfs_protocols=3,4;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > nlm_port=33245;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > rquota_port=33246;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > rquota_port=33246;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > short_file_handle=FALSE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > mount_path_pseudo=true;</span></p>
<p><span style="font-family:-webkit-standard;color:black" >}</span></p>
<p><span style="font-family:-webkit-standard;color:black" >GPFS</span></p>
<p><span style="font-family:-webkit-standard;color:black" >{</span></p>
<p><span style="font-family:-webkit-standard;color:black" > fsal_grace=FALSE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > fsal_trace=TRUE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" >}</span></p>
<p><span style="font-family:-webkit-standard;color:black" >NFSv4</span></p>
<p><span style="font-family:-webkit-standard;color:black" >{</span></p>
<p><span style="font-family:-webkit-standard;color:black" > delegations=FALSE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > domainname=<a href="http://virtual1.com" target="_blank">virtual1.com</a>;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > grace_period=60;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > lease_lifetime=60;</span></p>
<p><span style="font-family:-webkit-standard;color:black" >}</span></p>
<p><span style="font-family:-webkit-standard;color:black" >Export_Defaults</span></p>
<p><span style="font-family:-webkit-standard;color:black" >{</span></p>
<p><span style="font-family:-webkit-standard;color:black" > access_type=none;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > anonymous_gid=-2;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > anonymous_uid=-2;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > manage_gids=TRUE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > nfs_commit=FALSE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > privilegedport=FALSE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > protocols=3,4;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > sectype=sys;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > squash=root_squash;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > transports=TCP;</span></p>
<p><span style="font-family:-webkit-standard;color:black" >}</span></p>
<p><span style="font-family:-webkit-standard;color:black" > </span></p>
<p><span style="font-family:-webkit-standard;color:black" >one export</span></p>
<p><span style="font-family:-webkit-standard;color:black" > </span></p>
<p><span style="font-family:-webkit-standard;color:black" ># === START /**** id=206 nclients=3 ===</span></p>
<p><span style="font-family:-webkit-standard;color:black" >EXPORT {</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Attr_Expiration_Time=60;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Delegations=none;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Export_id=206;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Filesystem_id=42.206;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > MaxOffsetRead=18446744073709551615;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > MaxOffsetWrite=18446744073709551615;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > MaxRead=1048576;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > MaxWrite=1048576;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Path="/****";</span></p>
<p><span style="font-family:-webkit-standard;color:black" > PrefRead=1048576;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > PrefReaddir=1048576;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > PrefWrite=1048576;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Pseudo="/****";</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Tag="****";</span></p>
<p><span style="font-family:-webkit-standard;color:black" > UseCookieVerifier=false;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > FSAL {</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Name=GPFS;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > }</span></p>
<p><span style="font-family:-webkit-standard;color:black" > CLIENT {</span></p>
<p><span style="font-family:-webkit-standard;color:black" > # === ****/X12SA ===</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Access_Type=RW;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Anonymous_gid=-2;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Anonymous_uid=-2;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Clients=X.Y.A.B/24;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Delegations=none;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Manage_Gids=TRUE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > NFS_Commit=FALSE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > PrivilegedPort=FALSE;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Protocols=3;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > SecType=SYS;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Squash=Root;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > Transports=TCP;</span></p>
<p><span style="font-family:-webkit-standard;color:black" > }</span></p>
<p><span style="font-family:-webkit-standard;color:black" >….</span></p>
<p><span style="font-family:-webkit-standard;color:black" >--</span></p>
<p><span style="font-family:Courier;color:black" >Paul Scherrer Institut</span></p>
<p><span style="font-family:Courier;color:black" >Heiner Billich </span></p>
<p><span style="font-family:Courier;color:black" >System Engineer Scientific Computing</span></p>
<p><span style="font-family:Courier;color:black" >Science IT / High Performance Computing </span></p>
<p><span style="font-family:Courier;color:black" >WHGA/106 </span></p>
<p><span style="font-family:Courier;color:black" >Forschungsstrasse 111</span></p>
<p><span style="font-family:Courier;color:black" >5232 Villigen PSI</span></p>
<p><span style="font-family:Courier;color:black" >Switzerland</span></p>
<p><span style="font-family:Courier;color:black" > </span></p>
<p><span style="font-family:Courier;color:black" >Phone +41 56 310 36 02</span></p>
<p><span style="font-family:Courier;color:black" ><a href="mailto:heiner.billich@psi.ch" target="_blank"><span style="color:rgb(5,99,193)" >heiner.billich@psi.ch</span></a> </span></p>
<p><span style="font-family:Courier;color:black" ><a href="https://www.psi.ch" target="_blank">https://www.psi.ch</a></span></p>
<p><span style="font-family:Courier;color:black" > </span></p>
<p> </p></div></div>_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at <a href="http://spectrumscale.org" rel="noreferrer" target="_blank">spectrumscale.org</a><br><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" rel="noreferrer" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></blockquote></div>
<div> </div>--
<div dir="ltr" ><div dir="ltr" ><div><div dir="ltr" ><div><div dir="ltr" ><div><div dir="ltr" ><b><font face="arial, helvetica, sans-serif" >Andy Kurth</font></b>
<div><font face="arial, helvetica, sans-serif" >Research Storage Specialist</font></div>
<div><span style="font-family:arial,helvetica,sans-serif;font-size:12.8px" >NC State University</span></div>
<div><font face="arial, helvetica, sans-serif" >Office of Information Technology</font></div>
<div> </div>
<div>P: 919-513-4090</div>
<div><font face="arial, helvetica, sans-serif" >311A Hillsborough Building</font></div>
<div><span style="font-family:arial,helvetica,sans-serif;font-size:12.8px" >Campus Box 7109</span></div>
<div><font face="arial, helvetica, sans-serif" >Raleigh, NC 27695</font></div></div></div></div></div></div></div></div></div>
<div><font face="Default Monospace,Courier New,Courier,monospace" size="2" >_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font></div></blockquote>
<div dir="ltr" > </div></div><BR>