
I simply want to "map by userNAME" between NFS4 client and NFS4 server, when each has a different uid for a given user name, without having to set up Kerberos.

The situation: my Linux machine (CentOS 7) accesses various NFS4 servers (running CentOS 7)

  • no Kerberos or NIS or AD available
  • servers each have various DNS domains (all different from my Linux box's DNS domain)
  • servers and my linux client have unsynchronized UIDs (each username "oracle" has different local uid)
  • echo N > /sys/module/nfsd/parameters/nfs4_disable_idmapping done on server and client
  • name mapping daemon rpcidmapd started on both client and server
  • client side /etc/idmapd.conf has static mapping for users
  • mounting as nfs4 (sec=sys, as there is no centralized Kerberos/etc) works
  • ls -l shows "correct" usernames and groupnames
  • but permissions are ignored; I have to set world rwx to access/traverse/write files. WHY??

Background questions:

  • which side (client or server) should do the name to id mapping?

  • is my idmapd.conf on my client correct (example remote NFS4 server DNS domain is eh.loc):

     [General]
     Verbosity = 7
     [Mapping]
     [Translation]
     Method = static
     [Static]
     oracle@eh.loc = oracle
     oinstall@eh.loc = oinstall
     dba@eh.loc = dba
    
Dipr

1 Answer


There is a big confusion with the NFS id mapping. The mapping is used when a string-form principal, like test@example.com, has to be converted into a numeric id and vice versa. This is done when you do ls -l, for example.

However, when you mount with sec=sys, which you obviously do, then all requests are authenticated with the client's local UID and GIDs. IOW, on touch, the UID of the client process will be the file owner on the server. Actually, to solve this very problem, the idmapd+Kerberos combination is great.

Ok, not in every environment one can run Kerberos. You can enforce a single uid by mapping all requests from those hosts to a single uid/gid.

/data 10.0.1.1(rw,all_squash,anonuid=123,anongid=456)
kofemann
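To make the answer's point concrete, here is an added example (not from the original post, and not code from the Linux NFS project) that simulates how an NFS server under AUTH_SYS (sec=sys) turns the client's local uid/gid plus the export's squash options into the identity it uses for permission checks and file ownership. The rules follow exports(5): root_squash is the default, all_squash overrides it, and anonuid/anongid default to 65534 (nobody). The function name effective_identity and the sample identities (uid 1001 standing in for "oracle", uid 0 for root) are my own constructions.

```shell
#!/bin/sh
# Added example: models the AUTH_SYS identity rules of a Linux NFS server.
# Input:  client uid, client gid, and the comma-separated option string of
#         the matching /etc/exports entry.
# Output: "uid:gid" that the server will use for this request.
# Assumed defaults, per exports(5): root_squash on, all_squash off,
# anonuid=anongid=65534. Supplementary groups are not modelled.
effective_identity() {
    client_uid=$1
    client_gid=$2
    opts=$3
    anonuid=65534
    anongid=65534
    root_squash=1
    all_squash=0

    # Walk the option list; later options override earlier ones.
    old_ifs=$IFS
    IFS=,
    for opt in $opts; do
        case $opt in
            no_root_squash) root_squash=0 ;;
            root_squash)    root_squash=1 ;;
            all_squash)     all_squash=1 ;;
            no_all_squash)  all_squash=0 ;;
            anonuid=*)      anonuid=${opt#anonuid=} ;;
            anongid=*)      anongid=${opt#anongid=} ;;
        esac
    done
    IFS=$old_ifs

    if [ "$all_squash" -eq 1 ]; then
        # Every request from this host becomes the anonymous identity,
        # whatever uid the client process actually had.
        printf '%s:%s\n' "$anonuid" "$anongid"
        return 0
    fi

    # root_squash maps uid 0 and gid 0 independently to the anonymous ids;
    # all other ids pass through unchanged (no name-based mapping happens).
    out_uid=$client_uid
    out_gid=$client_gid
    if [ "$root_squash" -eq 1 ]; then
        [ "$client_uid" -eq 0 ] && out_uid=$anonuid
        [ "$client_gid" -eq 0 ] && out_gid=$anongid
    fi
    printf '%s:%s\n' "$out_uid" "$out_gid"
}

# Demo with constructed identities: uid 1001 ("oracle" on the client) and root.
for o in 'rw,sync' 'rw,all_squash,anonuid=123,anongid=456' 'rw,sync,no_root_squash'; do
    printf '%-40s uid 1001 -> %-12s root -> %s\n' "$o" \
        "$(effective_identity 1001 1001 "$o")" "$(effective_identity 0 0 "$o")"
done
```

The first demo line is the questioner's situation: with plain rw,sync the client's uid 1001 reaches the server as uid 1001, and if "oracle" has a different uid there, permission checks run against the wrong account even though ls -l (which goes through idmapd) shows the right name. The second line is the answer's hack: every request from that host collapses to 123:456, so access works, but the server can no longer distinguish users from that client, and file ownership and audit trails on the server record only the anonymous uid. Note the last line: no_root_squash lets client root arrive as uid 0, which is the setting to avoid on exports to untrusted hosts.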
  • This is horrible and frankly rather stupid. Why did the NFS4 guys repair the display portion (ls -l) but not use the mechanism to convert IDs? I could understand if idmapd on the client would be used for display (ls -l) and idmapd on the server would fix IDs on the server, albeit it appears that someone forgot about the server. Kerberos is fine within a big company, but for a consultant with VPN to various customers Kerberos is no option. But THANK YOU for that brilliant suggestion of the ugly hack of forcing the UID on a per resource level!! That is what I actually need. – Dipr Mar 18 '21 at 09:17
  • Well, the original intent was that NFS4 would always be used in combination with Kerberos or a similar identity management system. The AUTH_SYS is there as a temporary solution. But as we know, *nothing is so permanent as a temporary solution*. – kofemann Mar 18 '21 at 10:40
  • Is there a "hack" telling a NFS4 server to strip any domain part from the client's request and for permissions checking pick the local UID that matches the received username? – Dipr Mar 18 '21 at 16:28