Mapping UIDs for NFS

mount nfs setuid

I have a Mac OS X file server that serves via SMB/CIFS and AFP. The server is a domain client via the golden triangle approach, but this results in a very large UID for the users. This is fine for my current setup, but I'd like to get NFS working as well. Obviously I need to do some UID mapping, but I'm not sure how to go about doing this. Any advice?


Solution 1:

In most NFSv3 implementations, particularly kernel-level servers, this isn't possible apart from some limited mappings like root to nobody. In NFS v4 you have rpc.idmapd which performs the NFSv4 ID <-> UID mapping on the server and allows you to get more flexible.

If you can't use NFSv4, the recommended way to deal with it for NFSv3 is to have your users come from a directory service such as LDAP, or another common database. Typically all the system users for daemons etc. will come from /etc/passwd while all the human users come from an external source. This will ensure consistent UIDs across the board and eliminate the need for any kind of mapping.

Solution 2:

Well, after further research, I've found that nfs-user-server will allow you to do this sort of mapping. It's kind of a bummer, because the main reason I wanted to use NFS over CIFS was speed. nfs-user-server runs in userspace, so it's not as fast as nfs-kernel-server. Doesn't seem to be a optimal solution.

Solution 3:

I want to add that there's a major gotcha to NFSv4's UID mapping approach (see Kamil's comment): It doesn't work for AUTH_SYS / AUTH_UNIX authentication, which is what you have if the different computers aren't using LDAP or Kerberos or some other shared access control system.

Here's the rub: NFSv4 will use textual (that is, non-numeric) IDs when describing file ownership across the wire, which is what you think you want, but the RPC layer still uses numeric UID and GID values. Simple AUTH_SYS authentication punts back to RPC, and then you're stuck again. Here's an example of what this looks like (tshark capture of client->server packet, captured on the server side):

Frame 26 (306 bytes on wire, 306 bytes captured)
...
Remote Procedure Call, Type:Call XID:0x2790a46d
...
    Credentials
        Flavor: AUTH_UNIX (1)
        Length: 48
        Stamp: 0x00419c55
        Machine Name: localhost.localdomain
            length: 21
            contents: localhost.localdomain
            fill bytes: opaque data
        UID: 500
        GID: 500
        Auxiliary GIDs
        GID: 500
    Verifier
        Flavor: AUTH_NULL (0)
        Length: 0
Network File System
...

Related

Hyper-V VM doesn't boot off SCSI hard drive
How can i run shell script at boot (start up)
/3GB switch on win2k3 server with 6gb RAM and PAE
How do I reserve bandwidth for rsync?
SSHD real-ip behind haproxy
How to configure routing between Azure virtual networks?
Simple EXPECT script to execute remote command and displat output
Batch file to MASS ping group of computers on network by name, check reply, and resolve hostname
linux router setup
"He has yet to" vs. "he is yet to"
Are there other idioms like "a stone's throw away" that both describe an activity and act as a measurement?
"have been working" vs. "have worked"