Trying to set up nfs server with netgroups in LDAP
Hi,
I am trying to set up the following configuration on Ubuntu 10.04.2.
My nfs server has the following share in /etc/exports:
Code:
/export/mail @mail(rw,secure,no_root_squash,sync,no_subtree_check)
nfsserver$ grep netgroup /etc/nsswitch.conf
netgroup: files ldap
nfsserver$ grep netgroup /etc/ldap.conf
nss_base_netgroup ou=Netgroup,dc=xxx,dc=xxx
nfsserver$ getent netgroup mail
mail (backup01, , xxx.xxx)
Now when I try to mount this from client host I am getting:
Code:
mount.nfs: access denied by server while mounting nfsserver:/export/mail
At the same time nfs server reports the following error message:
Code:
mountd[14460]: refused mount request from backup01.xxx.xxx for /export/mail (/): not exported
I am only able to mount this when I put local netgroup definitions in place: getent netgroup mail > /etc/netgroup solves this problem. However, I would rather store my netgroups in LDAP.
Does anyone have any ideas? Seems that netgroups in LDAP are not working here. Is there anything I missed?
Re: Trying to set up nfs server with netgroups in LDAP
Can you post the netgroup entry as defined in LDAP?
Also, once you define the netgroup in LDAP, does 'getent netgroup <netgroup-name>' work?
Re: Trying to set up nfs server with netgroups in LDAP
Hi,
I am not sure what you mean, but the information you requested has already been provided in my previous post; I just replaced my domain name with 'x'es.
Once groups are in LDAP, getent netgroup shows correct values (output in my previous post).
Re: Trying to set up nfs server with netgroups in LDAP
Quote:
Originally Posted by pjewiec
Hi,
I am not sure what you mean, but the information you requested has already been provided in my previous post; I just replaced my domain name with 'x'es.
I am asking for the LDIF entry for the netgroup defined in LDAP.
The post only contains the NFS export entry.
Quote:
Once groups are in LDAP, getent netgroup shows correct values (output in my previous post).
This information contradicts what you posted earlier:
Quote:
I am only able to mount this when I put local netgroup definitions, ... I would rather like to store my netgroups in LDAP. Does anyone have any ideas? Seems that netgroups in LDAP are not working here
Re: Trying to set up nfs server with netgroups in LDAP
I can confirm this:
nsswitch setup is fine, getent netgroup returns the desired entries in the format
mynetgroup (myhost.f.q.d.n, , )
A sample ldif entry looks like this:
Code:
# LDIF Export for cn=mynetgroup,ou=netgroup,dc=x,dc=y,dc=z
# Server: MY LDAP (ldap.x.y.z)
# Search scope: base
# Search filter: (objectClass=*)
# Number of entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on October 26, 2012 3:49 pm
# Version: 1.2.0.4
version: 1
# Entry 1: cn=mynetgroup,ou=netgroup,dc=x,dc=y,dc=z
dn: cn=mynetgroup,ou=netgroup,dc=x,dc=y,dc=z
cn: mynetgroup
nisnetgrouptriple: (myhost.f.q.d.n,,)
objectclass: nisNetgroup
objectclass: top
Yet I get one of the following error messages when trying to mount the exported volume:
refused mount request from myhost.f.q.d.n for /some/share (/): no export entry
or
refused mount request from 1.2.3.4 for /some/share (/some/share): unmatched host
The log message "no export entry" seems to appear in conjunction with the myhost.f.q.d.n, while the "unmatched host" seems to appear with raw IP addresses.
The same LDAP/netgroup settings have been working fine for NFS servers under Gentoo Linux.
Re: Trying to set up nfs server with netgroups in LDAP
Quote:
Originally Posted by glauche
refused mount request from myhost.f.q.d.n for /some/share (/): no export entry
or
refused mount request from 1.2.3.4 for /some/share (/some/share): unmatched host
Please check if the NFS server can look up (nslookup) 'myhost.f.q.d.n' in both the forward and backward direction, I mean hostname to IP and IP to hostname. This is a primary requirement for netgroups to work.
Re: Trying to set up nfs server with netgroups in LDAP
Yes, DNS lookups are OK in both directions. However, there is other evidence that netgroups are not supposed to work with NFS in Ubuntu:
https://help.ubuntu.com/community/SettingUpNFSHowTo#NIS
states that netgroup support is only available together with NIS.
When I run on the server to list the exported shares, I get the netgroup shares listed correctly. However,
Code:
showmount -e server
from a client does not list the netgroup shares on the same server.
Re: Trying to set up nfs server with netgroups in LDAP
Nope!! That's not the case, it works just fine.
This is what showmount displays from my client:
Code:
showmount -e 192.168.56.1
Export list for 192.168.56.1:
/tmp/nfs *
/tmp/nfs2 @mynetgrp
getent on NFS server shows and forward/backward lookup works
Code:
# NFS export entry looks like
/tmp/nfs2 @mynetgrp(rw,no_root_squash)
# getent netgroup returns
getent netgroup mynetgrp
mynetgrp (luvshines-server.clone.com,,)
~$ nslookup 192.168.56.101
Server: 192.168.56.111
Address: 192.168.56.111#53
101.56.168.192.in-addr.arpa name = luvshines-server.clone.com.
~$ nslookup luvshines-server
Server: 9.122.122.27
Address: 9.122.122.27#53
Name: luvshines-server.clone.com
Address: 192.168.56.101
mount from client works fine and NFS server shows
Code:
luvshines rpc.mountd[3144]: authenticated mount request from luvshines-server.clone.com:902 for /tmp/nfs2 (/tmp/nfs2)
Things to take care of:
1. I switched off the firewall on the NFS server so that showmount worked.
2. Had to restart the nfs service after the nsswitch.conf changes so that the NFS service acknowledges the change. This is expected, read the man page of nsswitch.
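The checks discussed in this thread (netgroup source in nsswitch.conf, host fields of the netgroup triples, forward and reverse lookup) collected into one script to run on the NFS server. This is an added example, not code from any poster; the function names and the LOOKUP variable are assumptions of the example.

```shell
#!/bin/sh
# Added example: preflight checks for an NFS export restricted to an LDAP netgroup.
# Usage on the NFS server: sh netgroup-check.sh <netgroup-name>

# Resolver command; "getent hosts" resolves through nsswitch.conf.
LOOKUP=${LOOKUP:-getent hosts}

# Succeed if the "netgroup:" line of an nsswitch.conf-style file lists ldap.
nsswitch_has_ldap() {
    awk '$1 == "netgroup:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit !found }' "$1"
}

# Read "getent netgroup" output on stdin and print the host field of every
# (host,user,domain) triple. Empty and "-" host fields are skipped.
netgroup_hosts() {
    tr -d ' \t' | tr '()' '\n\n' |
        awk -F, 'NF == 3 && $1 != "" && $1 != "-" { print $1 }'
}

# Resolve name -> IP -> name and print ok, no-forward, no-reverse or
# mismatch:<name>. A mismatch shows the name the reverse lookup returns,
# so it can be compared with the host name in the mountd log line.
dns_roundtrip() {
    ip=$($LOOKUP "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo "no-forward"; return 1; }
    name=$($LOOKUP "$ip" | awk 'NR == 1 { print $2 }')
    [ -n "$name" ] || { echo "no-reverse"; return 1; }
    [ "$name" = "$1" ] || { echo "mismatch:$name"; return 1; }
    echo "ok"
}

main() {
    nsswitch_has_ldap /etc/nsswitch.conf ||
        echo "nsswitch.conf: netgroup line does not list ldap"
    getent netgroup "$1" | netgroup_hosts | while read -r host; do
        echo "$host: $(dns_roundtrip "$host")"
    done
    echo "Restart the NFS service after any nsswitch.conf change."
}

# Run the live checks only when a netgroup name is given.
[ $# -eq 0 ] || main "$@"
```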
Re: Trying to set up nfs server with netgroups in LDAP
Quote:
Originally Posted by luvshines
2. Had to restart the nfs service after the nsswitch.conf changes so that the NFS service acknowledges the change. This is expected, read the man page of nsswitch.
This was the step I was missing...
Thanks for reminding me!
Volkmar
Re: Trying to set up nfs server with netgroups in LDAP
I can also confirm that this was the case. Thank you everyone.