This article explains why owner and group may be seen as “nobody” from an NFS Client accessing share using NFSV4 protocol on IBM Spectrum Scale™ and how we can fix it.
Pre-Checks for NFSV4 Access
1. NFSV4 access checks for username when a client tries to access than UID like NFSV3 access. Hence, the user on the Client must be the same as that configured with IBM Spectrum Scale™.
What I mean by this is:
If IBM Spectrum Scale™ is configured with AD + RFC2307 and domain name on AD is SpecScale, then, on the client too, the user should be part of domain SpecScale. So, this way its the same user who is trying to access export. The UIDs and Primary group’s GID etc. in this case will all be same.
Now, if the client is not part of the domain, and you create manually a user with same UID as that of user on AD server, and also have its primary group’s GID match to that on the AD server, still though access may be successful (if FULL ACCESS is enabled for EVERYONE), the owner and its group will not be resolved and will be seen as “Nobody”.
2. For NFSV4 protocol, the NFS DOMAIN as mentioned in /etc/idmapd.conf should have same value as that set on the server on IBM Spectrum Scale™. If these two values are different, then the owners and groups are seen as “nobody” as the users and groups are not resolved correctly.
Firstly, make sure client is made part of the AD Domain.
Secondly, to change NFS domain on client side,
1. Edit the file /etc/idmapd.conf
2. Set DOMAIN to a which is same as that set on IBM Spectrum Scale™.
3. Restart idmapd service with:
# service nfs-idmap restart
If you have to make the change on the IBM Spectrum Scale™ too, then update the value using command:
# mmnfs config change “IDMAPD_DOMAIN=domain_name”
Verify issue is fixed
Now you are all set to access the NFS share.
1. Mount the share on NFS Client.
2. Login into a client with user credentials.
3. Access the share.
4. Add or edit data.
Accessing data should now be successful. Also, when creating the data, owner and group is seen as the username or groupname and not as “nobody”.