[lustre-discuss] [EXTERNAL] getting "permission denied" on mount when trying to use nodemaps for root squashing
Mohr, Rick
mohrrf at ornl.gov
Wed Feb 11 08:02:02 PST 2026
Kurt,
It sounds like you are using nodemaps primarily to squash root access. Prior to nodemaps, there were a couple of parameters that were used to control this (root_squash and nosquash_nids). I don't see them mentioned in the latest lustre manual, so I assume they are deprecated in favor of nodemap. But the parameters still exist in the code afaik. I've not tried them recently to see if they still work, but if they do, I suppose you could try using them to see if you get the desired effect. It might be a long shot, but perhaps getting those parameters working (or not working) might shed some light on what might be wrong with your nodemap.
--Rick
On 2/9/26, 10:11 AM, "lustre-discuss on behalf of Kurt Strosahl via lustre-discuss" <lustre-discuss-bounces at lists.lustre.org on behalf of lustre-discuss at lists.lustre.org> wrote:
Good Morning,
I'm trying to set up nodemaps on a new lustre file system. Presently when I turn on the nodemaps I get permission denied for servers in the default nodemap.
I've defined two custom nodemaps: an AdminSystems nodemap (for servers that will need to perform actions as root), and a LustreServers nodemap (for the lustre servers themselves).
Every other client will be in the default map (whose gid/uid/projid mappings we trust).
I set the following:
[root at scmds2501 ~]# lctl get_param nodemap.*.admin_nodemap
nodemap.AdminSystems.admin_nodemap=1
nodemap.LustreServers.admin_nodemap=1
nodemap.default.admin_nodemap=0
[root at scmds2501 ~]# lctl get_param nodemap.*.trusted_nodemap
nodemap.AdminSystems.trusted_nodemap=1
nodemap.LustreServers.trusted_nodemap=1
nodemap.default.trusted_nodemap=1
When I turn on the nodemap feature I get a permission denied when mounting on a client node that isn't in the Admin nodemap.
Interestingly, on a test client that was mounted before I turned on the nodemap I can write files as myself (into a directory that I established beforehand owned by me).
Our desired end state is an Admin nodemap we can add and remove systems to as needed that can take action as root, and all other lustre clients being able to access the file system, but having no root access. The LustreServers nodemap is there to keep the lustre file servers themselves safe from any unexpected changes.
w/r,
Kurt J. Strosahl (he/him)
System Administrator: Lustre, HPC
Scientific Computing Group, Thomas Jefferson National Accelerator Facility
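
The flags posted above, checked against the end state the original message describes (only the named nodemaps keep root; the default nodemap squashes root but trusts client IDs). This is an added example, not part of either message: `sample_from_post` and `audit_nodemaps` are hypothetical helper names, the sample is constructed from the values in the post, and the flag meanings in the comments are assumptions stated there.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed flag meanings:
#   admin_nodemap=1   -> root on those clients is not squashed
#   trusted_nodemap=1 -> client uid/gid/projid are used as-is

# Constructed sample: the values shown in the post, prompts included.
sample_from_post() {
cat <<'EOF'
[root at scmds2501 ~]# lctl get_param nodemap.*.admin_nodemap
nodemap.AdminSystems.admin_nodemap=1
nodemap.LustreServers.admin_nodemap=1
nodemap.default.admin_nodemap=0
[root at scmds2501 ~]# lctl get_param nodemap.*.trusted_nodemap
nodemap.AdminSystems.trusted_nodemap=1
nodemap.LustreServers.trusted_nodemap=1
nodemap.default.trusted_nodemap=1
EOF
}

# audit_nodemaps "NAME NAME ..."  (hypothetical helper)
# Reads get_param output on stdin; prints one finding per line.
# Names listed in $1 are the only nodemaps allowed to keep root.
audit_nodemaps() {
  awk -v allowed="$1" '
  BEGIN { n = split(allowed, names, " "); for (i = 1; i <= n; i++) ok[names[i]] = 1 }
  # Keep only nodemap.<name>.<flag>=<0|1>; prompts and other text are skipped.
  /^nodemap\.[^.]+\.(admin|trusted)_nodemap=[01]$/ {
    split($0, kv, "="); split(kv[1], part, ".")
    seen[part[2]] = 1; flag[part[2], part[3]] = kv[2]
  }
  END {
    if (!("default" in seen)) print "default: no flags found in input"
    for (name in seen) {
      admin = flag[name, "admin_nodemap"]; trusted = flag[name, "trusted_nodemap"]
      if (admin == "" || trusted == "")
        print name ": admin or trusted flag missing from input"
      if (admin == "1" && !(name in ok))
        print name ": admin_nodemap=1 but not on the allow list (root kept)"
      if (admin == "0" && (name in ok))
        print name ": admin_nodemap=0 but expected to keep root"
      if (name == "default" && trusted == "0")
        print name ": trusted_nodemap=0, client ids would be mapped or squashed"
    }
  }' | sort
}
```

Empty output means the flags match the intended policy; on a live system the two `lctl get_param` commands from the post can be piped into `audit_nodemaps "AdminSystems LustreServers"` instead of the sample.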