[OpenIndiana-discuss] NFS4 users

Gabriele Bulfon gbulfon at sonicle.com
Wed Sep 28 09:08:09 UTC 2011


Problem identified!
Those users that have a uid on the client, and not any uid on the server, will pass as a uid and be correctly mapped by the client.
Those users that have the same uid on client and server, but different meanings (e.g. 102 is user pf on the server, and user vscan on the client), will be mapped into nobody...
Problem is I can't go and change uids on servers or clients to have them in different zone numbers...
Is there any way I can force the server or the client to send just uids or not map it into nobody in this case?
Thanks.
----------------------------------------------------------------------------------
From: Joshua M. Clulow
To: Discussion list for OpenIndiana
Date: 28 September 2011 01:57:46 CEST
Subject: Re: [OpenIndiana-discuss] NFS4 users

On 27 July 2011 03:51, David Brodbeck wrote:
As far as I know this isn't possible with NFSv4.  The NFSv4 spec requires
sending names, not uid numbers, over the wire.  If the server and client
can't agree on the name, it won't work.  NFSv3 sends uid numbers over the
wire, so it doesn't have this requirement.

If you're using AUTH_SYS, I don't think this is quite right.  NFSv4
defines owner and groupowner as string fields usually of the form
"user at domain" for metadata operations like chown, certainly.  It also
defines potential fallback behaviour if the owner or groupowner string
contains the UTF8 string presentation of a number, which is just to
use the number.  Whether or not this fallback numeric behaviour can be
used depends on the ID mapper in both the server and the client.

When using AUTH_SYS the RPC authentication part of the protocol is as
it was in NFSv3 and earlier.  A uid number, primary gid number and an
array of sixteen secondary gid numbers is still sent and used to
determine the identity of the user performing, for example, an open()
or the writing of data.  In practice I think this means that with
NFSv4 + AUTH_SYS you actually need user name *and* uidnumber
synchronisation between server and client.

If you use Kerberos instead then the RPC authentication data is a
Kerberos principal rather than a uidnumber and the AUTH_SYS
constraints -- including a maximum of sixteen secondary group
memberships -- no longer apply.

NB: It's been at least 6 months since I read through the RFC (and a
bunch of code) while chasing down similar issues at a University.
--
Joshua M. Clulow
UNIX Admin/Developer
http://blog.sysmgr.org
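To make the two cases Gabriele reports concrete, here is an added Python model of the name-string and numeric-fallback mapping Joshua describes; it is illustrative code written for this page, not anything from the thread or from the OpenIndiana ID mapper, and the NFSv4 domain, the passwd tables and the uid used for nobody are assumptions.

```python
# Added example (not from the thread): a toy model of NFSv4 owner-string
# mapping, replaying the two cases from the thread. The domain, the passwd
# tables and uid 65534 for "nobody" are assumptions for this illustration.

NOBODY_UID = 65534  # assumed; the real value comes from the system's passwd


def encode_owner(uid, passwd, domain):
    """Server side: uid -> 'name@domain', or the bare decimal string when the
    server has no passwd entry for that uid (the numeric fallback)."""
    for name, pw_uid in passwd.items():
        if pw_uid == uid:
            return f"{name}@{domain}"
    return str(uid)


def decode_owner(owner, passwd, domain):
    """Client side: 'name@domain' -> the local uid for that name; a bare
    decimal string -> that number; anything unresolvable -> nobody."""
    if owner.isdigit():
        return int(owner)              # numeric fallback accepted as-is
    name, sep, owner_domain = owner.rpartition("@")
    if sep and owner_domain == domain and name in passwd:
        return passwd[name]            # name is known locally
    return NOBODY_UID                  # unknown name or foreign domain


def map_through_nfsv4(uid, server_passwd, client_passwd, domain):
    """Return the owner string the server puts on the wire and the uid the
    client ends up with after mapping it back."""
    owner = encode_owner(uid, server_passwd, domain)
    return owner, decode_owner(owner, client_passwd, domain)


# Constructed tables mirroring the thread: uid 102 is 'pf' on the server but
# 'vscan' on the client; uid 500 exists only on the client.
SERVER_PASSWD = {"pf": 102}
CLIENT_PASSWD = {"vscan": 102, "gabriele": 500}
DOMAIN = "example.com"   # assumed NFSv4 domain shared by both ends

if __name__ == "__main__":
    for uid in (500, 102):
        owner, client_uid = map_through_nfsv4(uid, SERVER_PASSWD, CLIENT_PASSWD, DOMAIN)
        print(f"server uid {uid:>4} -> wire {owner!r:>18} -> client uid {client_uid}")
```

Running it shows uid 500 travelling as the bare string "500" and surviving intact, while uid 102 travels as pf@example.com and lands on nobody because the client knows no user pf.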
_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss at openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

