[OpenIndiana-discuss] NFS4 users
Joshua M. Clulow
josh at sysmgr.org
Tue Sep 27 23:57:46 UTC 2011
On 27 July 2011 03:51, David Brodbeck <brodbd at uw.edu> wrote:
> As far as I know this isn't possible with NFSv4. The NFSv4 spec requires
> sending names, not uid numbers, over the wire. If the server and client
> can't agree on the name, it won't work. NFSv3 sends uid numbers over the
> wire, so it doesn't have this requirement.
If you're using AUTH_SYS, I don't think this is quite right. NFSv4
defines owner and groupowner as string fields usually of the form
"user at domain" for metadata operations like chown, certainly. It also
defines potential fallback behaviour if the owner or groupowner string
contains the UTF8 string presentation of a number, which is just to
use the number. Whether or not this fallback numeric behaviour can be
used depends on the ID mapper in both the server and the client.
When using AUTH_SYS the RPC authentication part of the protocol is as
it was in NFSv3 and earlier. A uid number, primary gid number and an
array of sixteen secondary gid numbers is still sent and used to
determine the identity of the user performing, for example, an open()
or the writing of data. In practice I think this means that with
NFSv4 + AUTH_SYS you actually need user name *and* uidnumber
synchronisation between server and client.
If you use Kerberos instead then the RPC authentication data is a
Kerberos principal rather than a uidnumber and the AUTH_SYS
constraints -- including a maximum of sixteen secondary group
memberships -- no longer apply.
NB: It's been at least 6 months since I read through the RFC (and a
bunch of code) while chasing down similar issues at a University.
Joshua M. Clulow
More information about the OpenIndiana-discuss