Hello ! I need some help with NFSv4 referrals. Here my setup : I have a NFSv4 server "myserverA" thats export some directory tree that contain a referral like this : /srv/nfs4 172.16.0.0/16(fsid=0,crossmnt,sec=krb5,rw,async,no_subtree_check) /srv/nfs4/share/mydirA 172.16.0.0/16(sec=krb5,rw,async,no_subtree_check) /srv/nfs4/share/mydirB 172.16.0.0/16(sec=krb5,rw,async,no_subtree_check,refer=/share/mydirB@myserverB) The /srv/nfs4/share/mydirA directory is bind mounted to some place on the same server. The /srv/nfs4/share/mydirB is bind mounted to itself as it refers to server "myserverB". The server "myserverB" exports are similar : /srv/nfs4 172.16.0.0/16(fsid=0,crossmnt,sec=krb5,rw,async,no_subtree_check) /srv/nfs4/share/mydirA 172.16.0.0/16(sec=krb5,rw,async,no_subtree_check,refer=/share/mydirA@myserverA) /srv/nfs4/share/mydirB 172.16.0.0/16(sec=krb5,rw,async,no_subtree_check) If I don't use NFS referrals, everythings works fine on my setup. But if I mount from a client the tree exported by myserverA, I get wrong permissions. For example : ~# mount -t nfs4 myserverA:/ /mountdir ~# ls -al /mountdir drwxrwxr-x root myldapgroup mydirA dr-xr-xr-x 4294967294 4294967294 mydirB Normally mydirA and mydirB have exactly the same permissions. Now if I list the mydirB content from the client, it automatically mounts the "myserverB" tree and the permission becomes OK. ~# ls /mountdir/mydirB ... some files/dirs ~# ls -al /mountdir drwxrwxr-x root myldapgroup mydirA drwxrwxr-x root myldapgroup mydirB So this is not an ID mapping problem. You may say "Ok where is the problem ?". The problem is that some applications check if they can write to a directory before listing its content and don't check the rights again after. So here for example, the members of "myldapgroup" can't write to "mydirB" with some applications. They need to try to write two times : -> The first time, the rights are badly read and the referral is mounted by the kernel, but the application doesn't want to write as it thinks that there is no write access. -> The second time, the rights are correctly read because the referral is mounted, so the application accepts to write inside the "mydirB" folder. It seems normal to me that the client doesn't mount the mydirB referral only to list the parent directly content. Otherwize if the directory contains many referrals, all the servers need to be contacted just to list the directory content. It seems also normal to me that the "myserverA" server doesn't contact continuously all the servers for each referrals it exports to check the permissions of the directories exported. But it may be a way to set the right permission manually on the server that exports the referral. I have tested. On the "myserverA" server, changing the rights of the /srv/nfs4/share/mydirB directory (the one bind mounted to itself) changes nothing on the client side (so change nothing on the way the parent directory is exported by the server). Is there a way to setup the "myserverA" server so that it gives the wanted permission on referrals when a client lists the parent directory ? Thanks ! Baptiste.
