I have a Mac OS X file server that serves via SMB/CIFS and AFP. The server is a domain client via the golden triangle approach, but this results in a very large UID for the users. This is fine for my current setup, but I'd like to get NFS working as well. Obviously I need to do some UID mapping, but I'm not sure how to go about doing this. Any advice?
In most NFSv3 implementations, particularly kernel-level servers, this isn't possible apart from some limited mappings like root to nobody. In NFSv4 you have rpc.idmapd, which performs the NFSv4 ID <-> UID mapping on the server and allows you to be more flexible.

If you can't use NFSv4, the recommended way to deal with it for NFSv3 is to have your users come from a directory service such as LDAP, or another common database. Typically all the system users for daemons etc. will come from /etc/passwd while all the human users come from an external source. This will ensure consistent UIDs across the board and eliminate the need for any kind of mapping.

Well, after further research, I've found that nfs-user-server will allow you to do this sort of mapping. It's kind of a bummer, because the main reason I wanted to use NFS over CIFS was speed. nfs-user-server runs in userspace, so it's not as fast as nfs-kernel-server. Doesn't seem to be an optimal solution.
I want to add that there's a major gotcha to NFSv4's UID mapping approach (see Kamil's comment): it doesn't work for AUTH_SYS/AUTH_UNIX authentication, which is what you have if the different computers aren't using LDAP or Kerberos or some other shared access control system.

Here's the rub: NFSv4 will use textual (that is, non-numeric) IDs when describing file ownership across the wire, which is what you think you want, but the RPC layer still uses numeric UID and GID values. Simple AUTH_SYS authentication punts back to RPC, and then you're stuck again. Here's an example of what this looks like (tshark capture of client->server packet, captured on the server side):

I haven't configured it on OSX, but what you're looking for is called idmapd. On an OSX box, the daemon is actually called rpc.idmapd. (Note: NOT imapd.)
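To make the AUTH_SYS gotcha concrete, here is an added example (not code from any post on this page) that encodes and decodes the opaque_auth credential AUTH_SYS puts on the wire, as defined in RFC 5531 section 9.2: the structure carries only numeric uid/gid values and a machine name, so there is no user name for the server's idmapd to map. The client hostname and the large directory-derived UID are constructed sample values.

```python
import struct

AUTH_SYS = 1  # RFC 5531 flavor number for AUTH_SYS (a.k.a. AUTH_UNIX)


def _xdr_string(s: bytes) -> bytes:
    # XDR opaque/string: 4-byte big-endian length, data, zero padding to a 4-byte multiple
    return struct.pack(">I", len(s)) + s + b"\0" * ((-len(s)) % 4)


def build_auth_sys_cred(uid: int, gid: int, gids, machine: bytes, stamp: int = 0) -> bytes:
    """Encode an opaque_auth of flavor AUTH_SYS (RFC 5531 s. 9.2).

    The body is: stamp, machinename, uid, gid, gids<16>. Every identity field
    is a numeric XDR unsigned int; no field exists for a user or group name.
    """
    if len(gids) > 16:
        raise ValueError("AUTH_SYS allows at most 16 supplementary gids")
    body = struct.pack(">I", stamp) + _xdr_string(machine)
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    # opaque_auth wrapper: flavor followed by the length-prefixed body
    return struct.pack(">I", AUTH_SYS) + _xdr_string(body)


def parse_auth_sys_cred(data: bytes) -> dict:
    """Decode an AUTH_SYS opaque_auth back into its numeric fields."""
    flavor, blen = struct.unpack(">II", data[:8])
    if flavor != AUTH_SYS:
        raise ValueError("not an AUTH_SYS credential: flavor %d" % flavor)
    body = data[8:8 + blen]
    stamp, mlen = struct.unpack(">II", body[:8])
    off = 8
    machine = body[off:off + mlen]
    off += mlen + ((-mlen) % 4)  # skip the XDR padding after the machine name
    uid, gid, n = struct.unpack(">III", body[off:off + 12])
    off += 12
    gids = list(struct.unpack(">%dI" % n, body[off:off + 4 * n]))
    return {"stamp": stamp, "machine": machine.decode(), "uid": uid, "gid": gid, "gids": gids}


if __name__ == "__main__":
    # Constructed sample: a domain user whose large UID comes from the directory
    # (the golden-triangle situation in the question), sent by a constructed host.
    cred = build_auth_sys_cred(uid=1234567890, gid=20, gids=[20, 80], machine=b"mac-client")
    print(cred.hex())
    print(parse_auth_sys_cred(cred))  # the server only ever sees uid=1234567890, never a name
```

Because the server receives just these integers, an NFSv4 server with idmapd still has to trust that uid 1234567890 means the same account on the client as on the server, which is exactly why consistent UIDs (or Kerberos) are needed.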