Linux – Mount Synology NFSv4 export with id mapping

debianlinuxmountnfssynology

I have a Synology DiskStation (DSM 6.0.2) that exports shared directories via NFSv4. I specified a NFSv4 domain ITET-PHO.

On another Linux machine (Debian Wheezy), I want to mount this export using idmapping. There I have the following configuration of /etc/idmapd.conf:

[General]
Verbosity = 2
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
Domain = ITET-PHO

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static

[Static]
erikhe@ITET-PHO = erik

So I attempt to statically map the user erikhe on the Synology, which is in the domain ITET-PHO to the local user erik. All other users should be mapped to nobody. However, when I mount the shared directory, I just see the UID numbers from the Synology:

drwxr-xr-x 4 1566874442 1566573057 4096 Okt  5 10:21 erikhe-301898

Also all the other UIDs are shown instead of nobody. In the log-file I see that idmap is doing something. This is when doing service nfs-common restart:

Oct  5 15:11:07 sisyphous systemd[1]: Stopping LSB: NFS support files common to client and server...
Oct  5 15:11:07 sisyphous nfs-common[6520]: Stopping NFS common utilities: idmapd statd.
Oct  5 15:11:07 sisyphous systemd[1]: Stopped LSB: NFS support files common to client and server.
Oct  5 15:11:07 sisyphous systemd[1]: Starting LSB: NFS support files common to client and server...
Oct  5 15:11:07 sisyphous rpc.statd[6539]: Version 1.2.8 starting
Oct  5 15:11:07 sisyphous sm-notify[6540]: Version 1.2.8 starting
Oct  5 15:11:07 sisyphous sm-notify[6540]: Already notifying clients; Exiting!
Oct  5 15:11:07 sisyphous rpc.idmapd[6551]: libnfsidmap: using domain: ITET-PHO
Oct  5 15:11:07 sisyphous nfs-common[6530]: Starting NFS common utilities: statd idmapdrpc.idmapd: libnfsidmap: using domain: ITET-PHO
Oct  5 15:11:07 sisyphous nfs-common[6530]: rpc.idmapd: libnfsidmap: Realms list: 'ITET-PHO'
Oct  5 15:11:07 sisyphous nfs-common[6530]: rpc.idmapd: libnfsidmap: processing 'Method' list
Oct  5 15:11:07 sisyphous nfs-common[6530]: rpc.idmapd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/static.so for method static
Oct  5 15:11:07 sisyphous rpc.idmapd[6551]: libnfsidmap: Realms list: 'ITET-PHO'
Oct  5 15:11:07 sisyphous rpc.idmapd[6551]: libnfsidmap: processing 'Method' list
Oct  5 15:11:07 sisyphous rpc.idmapd[6551]: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/static.so for method static
Oct  5 15:11:07 sisyphous rpc.idmapd[6552]: Expiration time is 600 seconds.
Oct  5 15:11:07 sisyphous rpc.idmapd[6552]: Opened /proc/net/rpc/nfs4.nametoid/channel
Oct  5 15:11:07 sisyphous nfs-common[6530]: .
Oct  5 15:11:07 sisyphous rpc.idmapd[6552]: Opened /proc/net/rpc/nfs4.idtoname/channel
Oct  5 15:11:07 sisyphous systemd[1]: Started LSB: NFS support files common to client and server.
Oct  5 15:11:07 sisyphous rpc.idmapd[6552]: New client: fa
Oct  5 15:11:07 sisyphous rpc.idmapd[6552]: New client: fb
Oct  5 15:11:07 sisyphous rpc.idmapd[6552]: Opened /run/rpc_pipefs/nfs/clntfb/idmap

And when I mount the export with mount.nfs4 cerberous:/volume1/homes /mnt/test I get:

Oct  5 15:11:19 sisyphous rpc.idmapd[6552]: New client: fc
Oct  5 15:11:19 sisyphous rpc.idmapd[6552]: New client: fd
Oct  5 15:11:19 sisyphous rpc.idmapd[6552]: New client: fe
Oct  5 15:11:19 sisyphous rpc.idmapd[6552]: Stale client: fe
Oct  5 15:11:19 sisyphous rpc.idmapd[6552]: #011-> closed /run/rpc_pipefs/nfs/clntfe/idmap
Oct  5 15:11:19 sisyphous rpc.idmapd[6552]: Stale client: fd
Oct  5 15:11:19 sisyphous rpc.idmapd[6552]: #011-> closed /run/rpc_pipefs/nfs/clntfd/idmap
Oct  5 15:11:19 sisyphous rpc.idmapd[6552]: Stale client: fc
Oct  5 15:11:19 sisyphous rpc.idmapd[6552]: #011-> closed /run/rpc_pipefs/nfs/clntfc/idmap

How can I make the id mapping (at least static) work on Debian? ID mapping should work with Synology in general. Eventually I would like to automatically map the Synology users to LDAP users on the Linux machine.

Best Answer

Disclaimer: ID mapping without a Kerberos server only works halfway with NFSv4, it seems. I managed to get the correct usernames to show up on my client when listing files, but creating new files always creates them as user nobody because the Synology doesn't map anything in that case. This bug report and the linked thread suggest this is normal behaviour of idmapd when not using Kerberos for some reason. (EDIT: More detailed explanation.)

However, what I did:

First, you have to enable idmapping after loading the NFS service. For that, you have to edit the file /usr/syno/etc/rc.sysv/S83nfsd.sh on the Synology. Find the line

SYNOLoadModules $KERNELMODULE

and add the following line after that:

echo "N" > /sys/module/nfsd/parameters/nfs4_disable_idmapping

Then, still on the Synology, edit the /etc/idmap.conf and set the Domain to your ITET-PHO if not already set. Disable NFS, apply and re-enable (+apply) it afterwards in the Synology's control centre to reload nfds.

On your client machine, create a file /etc/modprobe.d/nfs-idmap.conf with the following contents:

options nfs nfs4_disable_idmapping=0
options nfsd nfs4_disable_idmapping=0

Reload the nfs kernel module afterwards to apply the options.

Also make sure, idmapd is running on your client. (On Ubuntu artful, I had to run sudo systemctl start nfs-idmapd manually, I think.) And, of course, use nfsvers=4 as a mount option.

(On the Synology, you can killall idmapd and run it in foreground using idmapd -f -vvv to see if it's doing anything.)

Related Question