Score:0

OpenLDAP and NFS server both work, although /home/user cannot be created unless I log into the NFS server first with new LDAP users


I have an OpenLDAP server I set up on CentOS 7. I blended it to work with all my other VMs that mount an NFS mount from an NFS server for their /home.

I just figured out that if I create a new LDAP user and try to log into some VM, it lets me log in but states that it cannot create /home/user and is unable to chdir to it.

But I also learned that if I first `ssh user@mynfsserver`, it logs in and creates the appropriate /home/user, and after that I can ssh to any other VM with my LDAP user and it works just fine; it no longer complains about not being able to create the folder in /home for said user.

I use autofs on each VM with a home.map file, it looks to have the right permissions:

* -fstype=nfs,rw,nosuid,soft 10.10.1.139:/home/&

So this feels like some sort of permission issue, with users getting errors when logging into a VM with their newly created LDAP credentials. But if that same user first logs into 10.10.1.139 (the NFS server where /home is mapped from), then it seems to let them log into the VMs without the "unable to create /home/user" errors.

Does my openldap server have to be made aware of the nfs server somehow?

Aside from the hiccup of having to log into the NFS server first, I can go to another VM, touch a file in that home folder, and bingo, it is on any other VM I log into. So it is like 95% working, just annoying to have to first log into the NFS server with the LDAP user to make the /home/user creation work on the other VMs.

Sethos II
Can you post the line for your home from `/etc/exports` on the nfs server? I think you might need to add the option `no_root_squash` there, because the create command for the home directory is run by root and without the option it gets mapped to the anonymous user and therefore it doesn't have permissions to do so. See the manpage for exports on User ID Mapping for details.
/home 10.10.1.0/24(rw)
Score:1

The automatic creation of new home directories is done by root, but by default root is mapped to the anonymous user on nfs mounts and therefore the home directory can't be created on all nfs clients. Add no_root_squash to your line in /etc/exports on your nfs server to disable this and run sudo exportfs -ra for the changes to take effect. So based on your comment it should look like this:

/home 10.10.1.0/24(rw,no_root_squash)

This will allow root access to the mounted nfs filesystem on all clients.

However this has some implications. From the exportfs manpage:

User ID Mapping

nfsd bases its access control to files on the server machine on the uid and gid provided in each NFS RPC request. The normal behavior a user would expect is that she can access her files on the server just as she would on a normal file system. This requires that the same uids and gids are used on the client and the server machine. This is not always true, nor is it always desirable.

Very often, it is not desirable that the root user on a client machine is also treated as root when accessing files on the NFS server. To this end, uid 0 is normally mapped to a different id: the so-called anonymous or nobody uid. This mode of operation (called `root squashing') is the default, and can be turned off with no_root_squash.

By default, exportfs chooses a uid and gid of 65534 for squashed access. These values can also be overridden by the anonuid and anongid options. Finally, you can map all user requests to the anonymous uid by specifying the all_squash option.
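The practical consequence of the manpage text is that whether `mkhomedir`-style directory creation succeeds on a client depends on which uid the client's root ends up with on the server. The following POSIX shell snippet is an added example, not code from the thread or from nfs-utils: it takes an `/etc/exports` line in the one-client-per-line layout shown above, reports what client root is mapped to (uid 0 with `no_root_squash`, otherwise `anonuid` if set, otherwise the 65534 default the manpage describes), and adds `no_root_squash` idempotently. The sample line is the asker's; everything else (function names, the `anonuid=4000` variant) is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect and edit one
# /etc/exports line of the form "/path client(opt,opt)" as used in the thread.

# has_export_option LINE OPTION -> exit status 0 if OPTION is in LINE's option list
has_export_option() {
    _opts=$(printf '%s' "$1" | sed -n 's/^[^(]*(\([^)]*\)).*$/\1/p')
    case ",$_opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# add_export_option LINE OPTION -> prints LINE with OPTION added exactly once
add_export_option() {
    if has_export_option "$1" "$2"; then
        printf '%s\n' "$1"                      # already present, leave untouched
    elif printf '%s' "$1" | grep -q '('; then
        printf '%s\n' "$1" | sed "s/)/,$2)/"    # append to the existing option list
    else
        printf '%s(%s)\n' "$1" "$2"             # client had no option list at all
    fi
}

# root_maps_to LINE -> "root" if client uid 0 stays uid 0 on the server,
# otherwise the uid it is squashed to (anonuid=N if given, else 65534)
root_maps_to() {
    if has_export_option "$1" no_root_squash; then
        printf 'root\n'
        return 0
    fi
    _anon=$(printf '%s' "$1" | sed -n 's/.*[(,]anonuid=\([0-9]*\)[,)].*/\1/p')
    printf '%s\n' "${_anon:-65534}"
}

# Walk-through with the line from the asker's comment (constructed run, no files touched).
demo() {
    line='/home 10.10.1.0/24(rw)'
    printf 'before: %s  (client root -> uid %s)\n' "$line" "$(root_maps_to "$line")"
    fixed=$(add_export_option "$line" no_root_squash)
    printf 'after:  %s  (client root -> %s)\n' "$fixed" "$(root_maps_to "$fixed")"
    printf 'then run: sudo exportfs -ra && exportfs -v\n'
}

# Only run the demo when executed directly, not when sourced for the functions.
case "$0" in
    */sh|sh|*/bash|bash|*/dash|dash) ;;
    *) demo ;;
esac
```

After editing the real file, `exportfs -v` shows the options the server is actually applying, which is the quickest way to confirm the change took effect without a reboot. Note that the option is granted to every host matching the client spec, so with `10.10.1.0/24` any machine in that range gets uid 0 on `/home`; keeping that client list as narrow as the VM set allows limits how far that trust extends.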

So can I add that line to my exports file and then run exportfs, and it will work, or do I have to reboot the NFS server?
Sethos II
@Codejoy: Yes, you need to run `exportfs` (I also updated this in the answer) and the changes take effect immediately, there is no need for a reboot.