[lustre-discuss] getting "permission dendied" on mount when trying to use nodemaps for root squashing
Hans Henrik Happe
happe at nbi.dk
Fri Feb 13 05:29:54 PST 2026
Hi,
Have you looked at the squash id's. I think they defaults to 99, but
RHEL uses another id for the nobody user.
A full list of parameters would make it easier to give input. If you
could post this:
lctl get_param nodemap.default.*
Cheers,
Hans Henrik
On 09/02/2026 16.05, Kurt Strosahl via lustre-discuss wrote:
> Good Morning,
>
> I'm trying to set up nodemaps on a new lustre file system.
> Presently when I turn on the nodemaps I get permission denied for
> servers in the default nodemap.
>
> I've defined two custom nodemaps. An AdminSystems nodemap (for
> servers that will need to perform actions as root, and a LustreServers
> nodemap (for the lustre servers themselves)
>
> Every other client will be in the default map. (whose gid/uid/projid
> mappings we trust)
>
> I set the following:
> [root at scmds2501 ~]# lctl get_param nodemap.*.admin_nodemap
> nodemap.AdminSystems.admin_nodemap=1
> nodemap.LustreServers.admin_nodemap=1
> Nodemap.default.admin_nodemap=0
>
> [root at scmds2501 ~]# lctl get_param nodemap.*.trusted_nodemap
> nodemap.AdminSystems.trusted_nodemap=1
> nodemap.LustreServers.trusted_nodemap=1
> Nodemap.default.trusted_nodemap=1
>
> When I turn on the nodemap feature I get a permission denied when
> mounting on a client node that isn't in the Admin nodemap.
>
> Interestingly, on a test client that was mounted before I turned on
> the nodemap I can write files as myself (into a directory that I
> established beforehand owned by me).
>
> Our desired end state is an Admin nodemap we can add and remove
> systems to as needed that can take action as root, and all other
> lustre clients being able to access the file system, but having no
> root access. The LustreServers nodemap is there to keep the lustre
> file servers themselves safe from any unexpected changes.
>
> w/r,
>
> Kurt J. Strosahl (he/him)
> System Administrator: Lustre, HPC
> Scientific Computing Group, Thomas Jefferson National Accelerator Facility
>
>
> _______________________________________________
> lustre-discuss mailing list
> lustre-discuss at lists.lustre.org
> http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lustre.org/pipermail/lustre-discuss-lustre.org/attachments/20260213/6c4ae96c/attachment.htm>
More information about the lustre-discuss
mailing list