Mapping UIDs for NFS

I have a Mac OS X file server that serves via SMB/CIFS and AFP. The server is a domain client via the golden triangle approach, but this results in a very large UID for the users. This is fine for my current setup, but I'd like to get NFS working as well. Obviously I need to do some UID mapping, but I'm not sure how to go about doing this. Any advice?


Solution 1:

In most NFSv3 implementations, particularly kernel-level servers, this isn't possible apart from some limited mappings like root to nobody. In NFS v4 you have rpc.idmapd which performs the NFSv4 ID <-> UID mapping on the server and allows you to get more flexible.

If you can't use NFSv4, the recommended way to deal with it for NFSv3 is to have your users come from a directory service such as LDAP, or another common database. Typically all the system users for daemons etc. will come from /etc/passwd while all the human users come from an external source. This will ensure consistent UIDs across the board and eliminate the need for any kind of mapping.
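The consistency requirement in Solution 1 can be checked before an NFSv3 export goes live. The following is an added example, not code from the answer above: it parses passwd(5)-style account tables from the server and one client (constructed sample data, not real hosts) and reports the two conditions that matter under AUTH_SYS, where the server simply trusts the numeric UID the client sends. A user whose name maps to a different UID on each host sees the wrong ownership; two different users sharing one UID can read and write each other's files. The 1000 boundary used to skip host-local daemon accounts is an assumption.

```python
"""UID/GID consistency audit for NFSv3 with AUTH_SYS (added example; assumptions noted inline)."""

# Constructed sample passwd data: one table from the NFS server, one from a client
# that was set up by hand instead of from a shared directory. Values are made up.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""

CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5)-style lines into {name: (uid, gid)}."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed passwd line: %r" % raw)
        name, _password, uid, gid = fields[:4]
        users[name] = (int(uid), int(gid))
    return users


def compare_identities(server, client, min_uid=1000):
    """Find identity conflicts between two hosts' account tables.

    With AUTH_SYS the server trusts the numeric UID the client sends, so:
      - same name, different UID  -> the user sees the wrong ownership;
      - same UID, different names -> one user can access the other's files.
    Accounts below min_uid are treated as host-local daemons (assumption: the
    usual 1000 boundary) and skipped, as Solution 1 describes.
    """
    mismatched = []   # (name, server_uid, client_uid)
    collisions = []   # (uid, server_name, client_name)
    missing = []      # names on the client the server does not know at all
    server_by_uid = {uid: name for name, (uid, _gid) in server.items()}
    for name, (uid, _gid) in sorted(client.items()):
        if uid < min_uid:
            continue
        if name not in server:
            missing.append(name)
        elif server[name][0] != uid:
            mismatched.append((name, server[name][0], uid))
        other = server_by_uid.get(uid)
        if other is not None and other != name:
            collisions.append((uid, other, name))
    return {"mismatched": mismatched, "collisions": collisions, "missing": missing}


def audit_sample():
    """Run the comparison over the constructed sample data."""
    return compare_identities(parse_passwd(SERVER_PASSWD), parse_passwd(CLIENT_PASSWD))


if __name__ == "__main__":
    for key, rows in audit_sample().items():
        print(key, rows)
```

On the sample data alice and bob have their UIDs swapped between the two hosts, so each shows up both as a name/UID mismatch and as a UID collision; carol exists only on the client and would appear as a bare numeric owner on the server. An empty report on real `getent passwd` output from every host is the state Solution 1 is describing.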

Solution 2:

Well, after further research, I've found that nfs-user-server will allow you to do this sort of mapping. It's kind of a bummer, because the main reason I wanted to use NFS over CIFS was speed. nfs-user-server runs in userspace, so it's not as fast as nfs-kernel-server. Doesn't seem to be an optimal solution.

Solution 3:

I want to add that there's a major gotcha to NFSv4's UID mapping approach (see Kamil's comment): It doesn't work for AUTH_SYS / AUTH_UNIX authentication, which is what you have if the different computers aren't using LDAP or Kerberos or some other shared access control system.

Here's the rub: NFSv4 will use textual (that is, non-numeric) IDs when describing file ownership across the wire, which is what you think you want, but the RPC layer still uses numeric UID and GID values. Simple AUTH_SYS authentication punts back to RPC, and then you're stuck again. Here's an example of what this looks like (tshark capture of client->server packet, captured on the server side):

Frame 26 (306 bytes on wire, 306 bytes captured)
...
Remote Procedure Call, Type:Call XID:0x2790a46d
...
    Credentials
        Flavor: AUTH_UNIX (1)
        Length: 48
        Stamp: 0x00419c55
        Machine Name: localhost.localdomain
            length: 21
            contents: localhost.localdomain
            fill bytes: opaque data
        UID: 500
        GID: 500
        Auxiliary GIDs
        GID: 500
    Verifier
        Flavor: AUTH_NULL (0)
        Length: 0
Network File System
...
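The credential block in the capture above is an ONC RPC `opaque_auth` of flavor AUTH_UNIX whose body is the XDR `authsys_parms` structure (stamp, machine name, uid, gid, up to 16 auxiliary gids; RFC 5531). The following is an added example, not code from the answer: it encodes and decodes that structure so the point Solution 3 makes is visible byte by byte. The sample credential is constructed from the values shown in the capture rather than taken from captured bytes, and its encoded length comes out to the same 48 bytes tshark reports. Nothing in the NFSv4 owner@domain attribute changes this field; only a different flavor such as RPCSEC_GSS (flavor 6, Kerberos) replaces it, which is why the mapping does not help without a shared authentication system.

```python
"""Decode an ONC RPC opaque_auth credential (added example, not from the original answer)."""
import struct

# RPC auth flavor numbers from RFC 5531 (AUTH_*) and RFC 2203 (RPCSEC_GSS).
AUTH_NULL, AUTH_UNIX, AUTH_SHORT, AUTH_DH, RPCSEC_GSS = 0, 1, 2, 3, 6
FLAVOR_NAMES = {AUTH_NULL: "AUTH_NULL", AUTH_UNIX: "AUTH_UNIX", AUTH_SHORT: "AUTH_SHORT",
                AUTH_DH: "AUTH_DH", RPCSEC_GSS: "RPCSEC_GSS"}
MAX_AUTH_BYTES = 400  # bound on the opaque body in RFC 5531


def _u32(buf, off):
    """Read one big-endian XDR unsigned int at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated XDR data")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _xdr_string(buf, off, max_len):
    """Read an XDR string<max_len>: length word, bytes, zero padding to 4 bytes."""
    n, off = _u32(buf, off)
    if n > max_len:
        raise ValueError("string exceeds XDR bound")
    padded = (n + 3) & ~3
    if off + padded > len(buf):
        raise ValueError("truncated XDR string")
    return buf[off:off + n].decode("ascii"), off + padded


def encode_authsys(stamp, machinename, uid, gid, gids):
    """Build an opaque_auth of flavor AUTH_UNIX carrying authsys_parms."""
    name = machinename.encode("ascii")
    body = struct.pack(">I", stamp)
    body += struct.pack(">I", len(name)) + name + b"\x00" * ((-len(name)) % 4)
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return struct.pack(">II", AUTH_UNIX, len(body)) + body


def parse_opaque_auth(buf):
    """Parse opaque_auth; the body is fully decoded only for AUTH_UNIX."""
    flavor, off = _u32(buf, 0)
    length, off = _u32(buf, off)
    if length > MAX_AUTH_BYTES or off + length > len(buf):
        raise ValueError("bad credential length")
    cred = {"flavor": FLAVOR_NAMES.get(flavor, "unknown(%d)" % flavor), "length": length}
    if flavor != AUTH_UNIX:
        return cred
    body = buf[off:off + length]
    stamp, o = _u32(body, 0)
    machinename, o = _xdr_string(body, o, 255)
    uid, o = _u32(body, o)
    gid, o = _u32(body, o)
    ngids, o = _u32(body, o)
    if ngids > 16:
        raise ValueError("too many auxiliary gids")
    gids = []
    for _ in range(ngids):
        g, o = _u32(body, o)
        gids.append(g)
    if o != length:
        raise ValueError("credential body length does not match its fields")
    cred.update(stamp=stamp, machinename=machinename, uid=uid, gid=gid, gids=gids)
    return cred


# Constructed from the values in the capture above; these are not captured bytes.
SAMPLE_CREDENTIAL = encode_authsys(0x00419c55, "localhost.localdomain", 500, 500, [500])


def decode_sample():
    """Decode the constructed credential; the numeric UID/GID are what the server acts on."""
    return parse_opaque_auth(SAMPLE_CREDENTIAL)


if __name__ == "__main__":
    for key, value in decode_sample().items():
        print("%-12s %s" % (key, value))
```

Reading the flavor word out of a capture this way is also a quick audit for an export that is supposed to be Kerberized: an AUTH_UNIX credential where RPCSEC_GSS was expected means the client is still presenting whatever numeric UID it chooses.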