[gpfsug-discuss] does ganesha deny access for unknown UIDs?

Billich Heinrich Rainer (PSI) heiner.billich at psi.ch
Thu Jan 24 14:29:42 GMT 2019


Hello,

A local account on an NFS client couldn’t write to a Ganesha NFS export even with directory permissions 777. The solution was to create the account on the Ganesha servers, too.

Please can you confirm that this is the intended behaviour? Is there an option to change this and to map unknown accounts to nobody instead? We often have embedded Linux appliances or similar as NFS clients which need to place some data on the NFS exports using uid/gid of local accounts.

We manage gids on the server side and allow NFS v3 client access only.

I crosspost this to ganesha support and to the gpfsug mailing list.

Thank you,

Heiner Billich

ganesha version: 2.5.3-ibm028.00.el7.x86_64

the ganesha config

CacheInode
{
        fd_hwmark_percent=60;
        fd_lwmark_percent=20;
        fd_limit_percent=90;
        lru_run_interval=90;
        entries_hwmark=1500000;
}
NFS_Core_Param
{
        clustered=TRUE;
        rpc_max_connections=10000;
        heartbeat_freq=0;
        mnt_port=33247;
        nb_worker=256;
        nfs_port=2049;
        nfs_protocols=3,4;
        nlm_port=33245;
        rquota_port=33246;
        rquota_port=33246;
        short_file_handle=FALSE;
        mount_path_pseudo=true;
}
GPFS
{
        fsal_grace=FALSE;
        fsal_trace=TRUE;
}
NFSv4
{
        delegations=FALSE;
        domainname=virtual1.com;
        grace_period=60;
        lease_lifetime=60;
}
Export_Defaults
{
        access_type=none;
        anonymous_gid=-2;
        anonymous_uid=-2;
        manage_gids=TRUE;
        nfs_commit=FALSE;
        privilegedport=FALSE;
        protocols=3,4;
        sectype=sys;
        squash=root_squash;
        transports=TCP;
}

one export

# === START /**** id=206 nclients=3 ===
EXPORT {
            Attr_Expiration_Time=60;
            Delegations=none;
            Export_id=206;
            Filesystem_id=42.206;
            MaxOffsetRead=18446744073709551615;
            MaxOffsetWrite=18446744073709551615;
            MaxRead=1048576;
            MaxWrite=1048576;
            Path="/****";
            PrefRead=1048576;
            PrefReaddir=1048576;
            PrefWrite=1048576;
            Pseudo="/****";
            Tag="****";
            UseCookieVerifier=false;
            FSAL {
                        Name=GPFS;
            }
            CLIENT {
                # === ****/X12SA ===
                        Access_Type=RW;
                        Anonymous_gid=-2;
                        Anonymous_uid=-2;
                        Clients=X.Y.A.B/24;
                        Delegations=none;
                        Manage_Gids=TRUE;
                        NFS_Commit=FALSE;
                        PrivilegedPort=FALSE;
                        Protocols=3;
                        SecType=SYS;
                        Squash=Root;
                        Transports=TCP;
            }
….
--
Paul Scherrer Institut
Heiner Billich
System Engineer Scientific Computing
Science IT / High Performance Computing
WHGA/106
Forschungsstrasse 111
5232 Villigen PSI
Switzerland

Phone +41 56 310 36 02
heiner.billich at psi.ch
https://www.psi.ch
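
Added example, not part of the original post and not Ganesha code: a small parser that lists, for each CLIENT block in a config like the one posted above, the identity-related settings that end up in effect. It assumes CLIENT values override EXPORT values, which override Export_Defaults; the function name and the 192.0.2.0/24 client are hypothetical.

```python
import re

# Constructed sample based on the posted config; the 192.0.2.0/24 CLIENT is hypothetical.
SAMPLE = """
Export_Defaults
{
        anonymous_uid=-2;
        manage_gids=TRUE;
        protocols=3,4;
        squash=root_squash;
}
EXPORT {
        Export_id=206;
        FSAL { Name=GPFS; }
        CLIENT {
                # === ****/X12SA ===
                Clients=X.Y.A.B/24;
                Protocols=3;
                Squash=Root;
        }
        CLIENT { Clients=192.0.2.0/24; Manage_Gids=FALSE; }
}
"""

IDENTITY_KEYS = ("manage_gids", "squash", "anonymous_uid", "protocols")
# Tokens: comment | block open | key=value; | block close
TOKEN = re.compile(r"#[^\n]*|(\w+)\s*\{|(\w+)\s*=\s*([^;\n{}]*);|(\})")

def effective_identity_settings(text):
    """Per CLIENT block: Export_Defaults < EXPORT < CLIENT, keys case-insensitive."""
    defaults, exports, stack = {}, [], []
    for m in TOKEN.finditer(text):
        block, key, value, close = m.groups()
        if block:
            stack.append((block.lower(), {}, []))
        elif key and stack:
            stack[-1][1][key.lower()] = value.strip().strip('"')
        elif close and stack:
            name, settings, clients = stack.pop()
            if name == "export_defaults":
                defaults = settings
            elif name == "export":
                exports.append((settings, clients))
            elif name == "client" and stack:
                stack[-1][2].append(settings)
    return [{"export_id": e.get("export_id"), "clients": c.get("clients"),
             **{k: {**defaults, **e, **c}.get(k, "").lower() for k in IDENTITY_KEYS}}
            for e, clients in exports for c in clients]

print(*effective_identity_settings(SAMPLE), sep="\n")
```

Run against the full server config, this shows at a glance which client ranges have Manage_Gids enabled and which squash and anonymous uid settings apply to them.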

