2

I've been experimenting with user/group ID mapping (translation) in NFSv4. What I want to achieve is name-based ID translation that is independent of the actual UID/GID on the server and clients.

Many guides and articles mention that to have ID mapping working you have to set the nfs4_disable_idmapping parameter to 0 (aka N) in the nfs module on the client, and in the nfsd module on the server. However, I didn't find any information or documentation about what exactly this parameter does.

As an experiment, I configured an NFSv4 server and client (with sec=krb5) and I deliberately left these parameters at their default value (mapping disabled). I can verify that the mapping is disabled on the server:

$ cat /sys/module/nfsd/parameters/nfs4_disable_idmapping 
Y

and on the client:

$ cat /sys/module/nfs/parameters/nfs4_disable_idmapping 
Y

I created users bob (uid=1002) and sam (uid=1001) on the server, and users bob (uid=1003) and sam (uid=1004) on the client. As you can see, the UIDs do not match; however, the users are still mapped correctly. A file created by the bob user on the client is seen as owned by bob on the server, and vice versa.

Moreover, if I look at the logs on the client:

nfsidmap[1874]: key: 0x322c739a type: uid value: bob@home.lan timeout 600
nfsidmap[1874]: nfs4_name_to_uid: calling nsswitch->name_to_uid
nfsidmap[1874]: nss_getpwnam: name 'bob@home.lan' domain 'home.lan': resulting localname 'bob'
nfsidmap[1874]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
nfsidmap[1874]: nfs4_name_to_uid: final return value is 0

and on the server:

rpc.idmapd[1717]: nfsdcb: authbuf=gss/krb5p authtype=user
rpc.idmapd[1717]: nfs4_uid_to_name: calling nsswitch->uid_to_name
rpc.idmapd[1717]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
rpc.idmapd[1717]: nfs4_uid_to_name: final return value is 0
rpc.idmapd[1717]: Server : (user) id "1002" -> name "bob@home.lan"

they both suggest that ID mapping is indeed working "by name" rather than "by id".

So my question is: what is the nfs4_disable_idmapping parameter for, then, if it seems not to have any observable effect on the ID mapping?

ovk

1 Answer

3

You hit a bad test case. According to the kernel documentation, the nfs4_disable_idmapping option makes sense only when sec=sys is used.

kofemann
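To see which mounts the point in the answer applies to, here is an added example (not code from the question, the answer or the kernel) that reads a mount table and labels each NFSv4 mount by whether the client's nfs4_disable_idmapping setting is relevant to it. The function name `classify_mounts`, the mode labels and the sample mount lines are constructed for illustration; treating a missing `sec=` option as `sys` is an assumption.

```shell
#!/bin/sh
# classify_mounts MOUNTS_FILE DISABLE_IDMAPPING
#   MOUNTS_FILE        file in /proc/mounts format
#   DISABLE_IDMAPPING  Y or N, as read from
#                      /sys/module/nfs/parameters/nfs4_disable_idmapping
# Prints "<mountpoint> <sec flavour> <mode>" for every nfs4 mount.
#   numeric-ids   sec=sys and the parameter is Y: the client tries to use
#                 raw UIDs/GIDs, so mismatched UIDs map to different users
#   name-mapping  any other case: owners are exchanged as user@domain
classify_mounts() {
    mounts_file=$1
    disable=$2
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = "nfs4" ] || continue
        sec=sys                      # assumption: no sec= option means sys
        old_ifs=$IFS; IFS=,
        for o in $opts; do           # walk the comma-separated mount options
            case $o in sec=*) sec=${o#sec=} ;; esac
        done
        IFS=$old_ifs
        if [ "$sec" = "sys" ] && [ "$disable" = "Y" ]; then
            mode=numeric-ids
        else
            mode=name-mapping
        fi
        echo "$mnt $sec $mode"
    done < "$mounts_file"
}

# Constructed sample mount table (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
srv.home.lan:/export /mnt/krb nfs4 rw,vers=4.2,sec=krb5,addr=192.0.2.10 0 0
srv.home.lan:/scratch /mnt/sys nfs4 rw,vers=4.2,sec=sys,addr=192.0.2.10 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
classify_mounts "$sample" Y
rm -f "$sample"
```

On a live client, call it as `classify_mounts /proc/mounts "$(cat /sys/module/nfs/parameters/nfs4_disable_idmapping)"`; a `numeric-ids` line marks a mount where the bob/sam UID mismatch from the question would matter.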