diff --git a/lustre/mds/handler.c b/lustre/mds/handler.c
index 62a909ee34960e1cbf4a8ba4244ab3e30a6ff66a..39e86cee53a149c76d2a8676eac2ab31cd0fb3e8 100644
--- a/lustre/mds/handler.c
+++ b/lustre/mds/handler.c
@@ -1130,6 +1130,7 @@ int mds_pack_posix_acl(struct lustre_msg *repmsg, int offset,
 int mds_pack_remote_perm(struct ptlrpc_request *req, int reply_off,
                          struct mds_body *body, struct inode *inode)
 {
+        struct mds_export_data *med = &req->rq_export->u.eu_mds_data;
         struct lustre_sec_desc *lsd;
         struct mds_remote_perm *perm;
         __u32 lsd_perms;
@@ -1167,6 +1168,9 @@ int mds_pack_remote_perm(struct ptlrpc_request *req, int reply_off,
 
         mds_put_lsd(lsd);
 
+        if (mds_remote_perm_do_reverse_map(med, perm))
+                RETURN(-EPERM);
+
         /* permission bits of current user
          * XXX this is low efficient, could we do it in one blow?
          */
diff --git a/lustre/mds/mds_internal.h b/lustre/mds/mds_internal.h
index 488ca7cdae5da5a2a663bb2410e1b6ffbb7d72a9..8970f519c400a06e0681fae89226186565057998 100644
--- a/lustre/mds/mds_internal.h
+++ b/lustre/mds/mds_internal.h
@@ -132,6 +132,8 @@ struct mds_idmap_table *mds_idmap_alloc(void);
 void mds_idmap_free(struct mds_idmap_table *tbl);
 void mds_body_do_reverse_map(struct mds_export_data *med,
                              struct mds_body *body);
+int mds_remote_perm_do_reverse_map(struct mds_export_data *med,
+                                   struct mds_remote_perm *perm);
 int mds_init_ucred(struct lvfs_ucred *ucred, struct ptlrpc_request *req,
                    struct mds_req_sec_desc *rsd);
 void mds_exit_ucred(struct lvfs_ucred *ucred);
diff --git a/lustre/mds/mds_lib.c b/lustre/mds/mds_lib.c
index ffb4b8dc4992007aa3d986c9f719d13ea58cf693..c0f232365579738f0e3e88d2ca72a41513783283 100644
--- a/lustre/mds/mds_lib.c
+++ b/lustre/mds/mds_lib.c
@@ -1054,6 +1054,34 @@ void mds_body_do_reverse_map(struct mds_export_data *med,
         EXIT;
 }
 
+/*
+ * return error if can't find mapping, it's a error so should not
+ * fall into nllu/nllg.
+ */
+int mds_remote_perm_do_reverse_map(struct mds_export_data *med,
+                                   struct mds_remote_perm *perm)
+{
+        uid_t uid;
+        gid_t gid;
+
+        LASSERT(med->med_remote);
+
+        uid = mds_idmap_lookup_uid(med->med_idmap, 1, perm->mrp_auth_uid);
+        if (uid == MDS_IDMAP_NOTFOUND) {
+                CERROR("no map for uid %u\n", perm->mrp_auth_uid);
+                return -EPERM;
+        }
+        gid = mds_idmap_lookup_gid(med->med_idmap, 1, perm->mrp_auth_gid);
+        if (gid == MDS_IDMAP_NOTFOUND) {
+                CERROR("no map for uid %u\n", perm->mrp_auth_uid);
+                return -EPERM;
+        }
+
+        perm->mrp_auth_uid = uid;
+        perm->mrp_auth_gid = gid;
+        return 0;
+}
+
 /**********************
  * MDS ucred handling *
  **********************/