I simply want to "map by userNAME" between NFS4 client and NFS4 server, when each has a different uid for a given user name, w/o having to set up Kerberos.
The situation: my Linux machine (CentOS 7) accesses various NFS4 servers (running CentOS 7)
- no Kerberos or NIS or AD available
- servers each have various DNS domains (all different from my Linux box's DNS domain)
- servers and my linux client have unsynchronized UIDs (each username "oracle" has different local uid)
- echo N > /sys/module/nfsd/parameters/nfs4_disable_idmapping done on server and client
- name mapping daemon rpcidmapd started on both client and server
- client side /etc/idmapd.conf has static mapping for users
- mounting as nfs4 (sec=sys, as there is no centralized Kerberos/etc) works
- ls -l shows "correct" usernames and groupnames
- but permissions are ignored, I have to set world rwx to access/traverse/write files, WHY??
Background questions:
which side (client or server) should do the name to id mapping?
is my idmapd.conf on my client correct (example remote NFS4 server DNS domain is eh.loc):

[General]
Verbosity = 7
[Mapping]
[Translation]
Method = static
[Static]
[email protected] = oracle
[email protected] = oinstall
[email protected] = dba

There is a lot of confusion about the NFS id mapping. The mapping is used when a string-form principal, like [email protected], has to be converted into a numeric id and vice versa. This is done when you do ls -l, for example.
However, when you mount with sec=sys, which you obviously do, then all requests are authenticated with the client's local UIDs and GIDs. IOW, on touch, the UID of the client process will be the file owner on the server. Actually, to solve this very problem, the idmapd+Kerberos combination is great.
Ok, not in every environment can one run Kerberos. You can enforce a single uid by mapping all requests from those hosts to a single uid/gid.
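
The sec=sys behaviour described in the answer, as an added example that is not part of the original posts: the request carries the client's numeric UID, so the server applies permissions for whichever of its own accounts has that number, whatever name ls -l displays. The passwd entries are constructed and the helper names uid_mismatches and server_sees are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed passwd entries for one client and one server;
# on real hosts, feed in the output of `getent passwd` from each machine.
tmp=$(mktemp -d)
cat > "$tmp/client.passwd" <<'EOF'
oracle:x:1001:1001::/home/oracle:/bin/bash
grid:x:1002:1001::/home/grid:/bin/bash
backup:x:1500:1500::/home/backup:/bin/bash
EOF
cat > "$tmp/server.passwd" <<'EOF'
oracle:x:54321:54321::/home/oracle:/bin/bash
grid:x:1001:1001::/home/grid:/bin/bash
backup:x:1500:1500::/home/backup:/bin/bash
EOF

# uid_mismatches CLIENT_PASSWD SERVER_PASSWD (hypothetical helper)
# Prints "name client_uid server_uid" for every user name that exists on
# both sides with different numeric UIDs.
uid_mismatches() {
    awk -F: '
        FILENAME == ARGV[1] { client[$1] = $3; next }
        ($1 in client) && client[$1] != $3 { print $1, client[$1], $3 }
    ' "$1" "$2" | sort
}

# server_sees USER CLIENT_PASSWD SERVER_PASSWD (hypothetical helper)
# With sec=sys the request carries the client's numeric UID, so the server
# checks permissions as whichever of its own accounts has that number.
server_sees() {
    awk -F: -v user="$1" '
        FILENAME == ARGV[1] { if ($1 == user) uid = $3; next }
        uid != "" && $3 == uid { owner = $1 }
        END {
            if (uid == "") print "unknown client user"
            else if (owner == "") print "uid=" uid " (no server account)"
            else print owner
        }
    ' "$2" "$3"
}

uid_mismatches "$tmp/client.passwd" "$tmp/server.passwd"
for u in oracle grid backup; do
    printf '%s on client -> %s on server\n' "$u" \
        "$(server_sees "$u" "$tmp/client.passwd" "$tmp/server.passwd")"
done
```

In the constructed data, the client's oracle (uid 1001) is treated by the server as grid, which is why files owned by the server's oracle are only reachable through the world permission bits.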