nfs4 idmapd fails to operate without additional configuration (clone of #34638 for nfs4) #68106

@jeschmidt

Issue Description
My nfs4 mount (nixos as the client) stopped mapping users properly, looking like idmapd was not running. I spent a lot of time in Google looking for the problem unsuccessfully, until I found this: #34638
I noticed that not only did my system not have /etc/request-key.conf and /sbin/request-conf, it also didn't have request-conf installed either (required keyutils package). These things seem to be necessary for idmapd to function, which is a core required function of nfs4.

Steps to reproduce the behavior:

  1. mount an nfs4 filesystem
  2. observe that all uid/gid show up as 4294967295 (ls -l)

Expected behavior
uid/gid mapping should work properly, according to your domain.

My (working) Workaround (for now)
Copied and adapted from #34638 (comment) (credit to @Shados)

  system.activationScripts.symlink-requestkey = ''
    if [ ! -d /sbin ]; then
      mkdir /sbin
    fi
    ln -sfn /run/current-system/sw/bin/request-key /sbin/request-key
  '';
  # request-key expects a configuration file under /etc
  environment.etc."request-key.conf" = {
    text = let
      nfsidmap = "${pkgs.nfs-utils}/bin/nfsidmap";
      keyctl = "${pkgs.keyutils}/bin/keyctl";
    in ''
      #OP     TYPE          DESCRIPTION  CALLOUT_INFO  PROGRAM
      # -t is required for DFS share servers...
      create  id_resolver   *            *             ${nfsidmap} -t 600 %k %d
      # Everything below this point is essentially the default configuration,
      # modified minimally to work under NixOS. Notably, it provides debug
      # logging.
      create  user          debug:*      negate        ${keyctl} negate %k 30 %S
      create  user          debug:*      rejected      ${keyctl} reject %k 30 %c %S
      create  user          debug:*      expired       ${keyctl} reject %k 30 %c %S
      create  user          debug:*      revoked       ${keyctl} reject %k 30 %c %S
      create  user          debug:loop:* *             |${pkgs.coreutils}/bin/cat
      create  user          debug:*      *             ${pkgs.keyutils}/share/keyutils/request-key-debug.sh %k %d %c %S
      negate  *             *            *             ${keyctl} negate %k 30 %S
    '';
  };

  environment.systemPackages = with pkgs; [
    keyutils
  ];

Metadata

[root@nixos-1:~]# nix run nixpkgs.nix-info -c nix-info -m
 - system: `"x86_64-linux"`
 - host os: `Linux 4.19.69, NixOS, 19.09pre191505.7d5375ebf4c (Loris)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.2.2`
 - channels(root): `"nixos-19.09pre191505.7d5375ebf4c"`
 - channels(jschmidt): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
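A read-only check for the pieces this issue names, added here as an example (not part of the original report or of nixpkgs): it verifies that `/sbin/request-key` exists, that `/etc/request-key.conf` carries a `create id_resolver` rule whose program is executable, and counts `ls -ln` entries showing 4294967295. The function names and the `root` prefix argument are assumptions for illustration, and only `/etc/request-key.conf` is inspected.

```shell
#!/bin/sh
# Added example. "root" is a hypothetical prefix so the check can also be
# pointed at a constructed tree; leave it empty to inspect the live system.

# Print the PROGRAM field of the first "create id_resolver" rule, if any.
id_resolver_program() {
    awk '$1 == "create" && $2 == "id_resolver" { print $5; exit }' "$1"
}

# Return 0 when the request-key upcall chain is complete under root,
# 1 otherwise. One line per finding is written to stdout.
check_idmap_upcall() {
    root=${1:-}
    rc=0
    # The kernel invokes this fixed path when it needs an id_resolver key.
    if [ ! -x "$root/sbin/request-key" ]; then
        echo "MISSING $root/sbin/request-key"
        rc=1
    fi
    conf="$root/etc/request-key.conf"
    if [ ! -r "$conf" ]; then
        echo "MISSING $conf"
        return 1
    fi
    prog=$(id_resolver_program "$conf")
    if [ -z "$prog" ]; then
        echo "NO_RULE id_resolver in $conf"
        rc=1
    elif [ ! -x "$root$prog" ]; then
        echo "BAD_PROGRAM $prog"
        rc=1
    fi
    return $rc
}

# Read `ls -ln` output on stdin and print how many entries have the
# unmapped id 4294967295 as owner or group.
count_unmapped() {
    awk '$3 == "4294967295" || $4 == "4294967295" { n++ } END { print n + 0 }'
}

# Live system: check_idmap_upcall && echo "upcall chain looks complete"
# Mounted share: ls -ln /path/to/mount | count_unmapped
```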
