Date: Sat, 19 Sep 2020 01:29:24 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "Russell L. Carter" <rcarter@pinyon.org>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject: Re: Documentation regarding NFSv4
Message-ID: <YTBPR01MB3966A098729DE30BE1654D5FDD3C0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <df6efc1a-8389-be69-a5c5-b2c63e8c8cc1@pinyon.org>
References: <20200918185319.7o27ciyviwdyhr7v@mutt-hbsd> <YTBPR01MB3966AFCC1828D45D85041BF5DD3F0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM> <YTBPR01MB3966BDEAE81A05586086E345DD3F0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>, <df6efc1a-8389-be69-a5c5-b2c63e8c8cc1@pinyon.org>
Russell L. Carter wrote:
>On 2020-09-18 16:28, Rick Macklem wrote:
> > Oh, and I forgot to mention name<->id# mapping.
> > If using AUTH_SYS (not kerberos), then you have the
> > choice of running "nfsuserd" or setting these two sysctls to 1.
> > vfs.nfs.enable_uidtostring=1
> > vfs.nfsd.enable_stringtouid=1
> > --> This makes the server just handle id#s (uid, gid) as numbers in
> > a string. (This is the default for Linux these days although it was
> > frowned upon in the early days.)
> >
> > Running nfsuserd maps uid, gid numbers to/from names using the
> > password and group databases. This must be used for Kerberos mounts.
> >
> > Without the above properly configured, you'll see lots of files owned
> > by "nobody" on the client mounts.
>
>Those sysctls are interesting. I wasn't aware of them and so I run
>nfsuserd. What do they do, practically speaking? My understanding,
>likely wrong, is that nfsuserd should allow different uid/gid
>server->client mappings, possibly different for different clients.
Well, in theory, yes.
In practice, that never really happened.
When NFSv4 was being designed, putting uid/gid numbers in file attributes
was felt to be too POSIX centric, so in file attributes, they are defined
as a string of the form "user@domain" or "group@domain".
What never happened was a good definition of what "domain" was supposed
to be or how clients/servers would handle multiple domains.
--> So, only one "domain" normally works and it is usually the same
as the domain part of the machine's hostname.

Linux got tired of doing the number->string and string->number
mapping (awkward for NFS mounted root file systems, since the mapping
daemon is not running right away), so they switched to just doing
"uid" and "gid" (ie. the numbers in strings).
--> By setting the sysctls (both for the server), you run Linux compatible
and don't need to run the nfsuserd (unless you use the -manage-gids
option on it).

These days Linux is the de-facto standard (unless you are using Windows).

>However I still had to sync uid/gids across machines even though they
>are all running nfsuserd. Didn't disable nfsuserd because... system
>is working... DFWI.
Well, user authentication is a different story...
- For Kerberos, the kerberos user principal is translated to POSIX
credentials by the gssd daemon and you don't need a consistent
uid, gid space, but do need to run nfsuserd, since the "uid" and "gid"
strings don't work.
- Otherwise, you are using AUTH_SYS, which means the RPC authenticator
has a uid and gid list in it and the credentials are derived from that.
(If you run "nfsuserd -manage-gids", then the uid is used to acquire
a list of gids on the server from its group database. Otherwise, the
list of gids in the RPC authenticator is used.)
--> You need a uniform uid space (and uniform gid space unless you
are using "nfsuserd -manage-gids").

Confusing, yes.

rick

Anyway, naked FreeBSD-stable nfsv4 is rock solid in a clamped down
arena with a variety of FreeBSD and Debian clients. Kudos.

Thanks,
Russell

> rick
>
> ________________________________________
> From: Rick Macklem <rmacklem@uoguelph.ca>
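The mapping rules Rick lays out in the message above, turned into a configuration check that flags the combinations he describes as broken (Kerberos without nfsuserd, AUTH_SYS with neither the numeric-id sysctls nor nfsuserd, -manage-gids without nfsuserd) and states which id spaces must be uniform. This is an added example, not code from the thread or from FreeBSD; the function name and its five arguments are my own, and on a real server the sysctl values would be read with `sysctl -n vfs.nfs.enable_uidtostring` and `sysctl -n vfs.nfsd.enable_stringtouid`.

```shell
# Added example (not from the thread). Arguments are passed in so the check
# runs anywhere; on a FreeBSD server feed it the live sysctl values.
#
# Usage: nfsv4_idmap_check AUTH UIDTOSTRING STRINGTOUID NFSUSERD MANAGE_GIDS
#   AUTH         sys | krb5            (RPC auth flavour the mounts use)
#   UIDTOSTRING  vfs.nfs.enable_uidtostring (0/1)
#   STRINGTOUID  vfs.nfsd.enable_stringtouid (0/1)
#   NFSUSERD     1 if nfsuserd is running, else 0
#   MANAGE_GIDS  1 if nfsuserd runs with -manage-gids, else 0
# Prints one finding per line; returns 0 if consistent, 1 if not.
nfsv4_idmap_check() {
    auth=$1 u2s=$2 s2u=$3 userd=$4 mgids=$5
    rc=0
    if [ "$auth" = "krb5" ]; then
        # Kerberos: gssd maps the principal to POSIX credentials, but owner
        # attributes are still user@domain strings, so nfsuserd is required.
        if [ "$userd" != 1 ]; then
            echo "ERROR: Kerberos mounts need nfsuserd; numeric uid/gid strings do not work"
            rc=1
        fi
        echo "OK: uid/gid numbers need not match across machines (gssd maps principals)"
    else
        # AUTH_SYS: credentials come from the uid/gid list in the RPC authenticator.
        if [ "$u2s" = 1 ] && [ "$s2u" = 1 ]; then
            echo "INFO: numeric id mode (Linux compatible); nfsuserd not needed"
        elif [ "$u2s" = 1 ] || [ "$s2u" = 1 ]; then
            echo "WARN: only one of enable_uidtostring/enable_stringtouid is set; set both"
            rc=1
        elif [ "$userd" != 1 ]; then
            echo "ERROR: neither numeric-id sysctls nor nfsuserd; expect files owned by nobody"
            rc=1
        else
            echo "INFO: user@domain mode via nfsuserd; one domain, same on server and clients"
        fi
        echo "REQUIRED: uniform uid space across server and clients"
        if [ "$mgids" = 1 ] && [ "$userd" != 1 ]; then
            echo "ERROR: -manage-gids is an nfsuserd option but nfsuserd is not running"
            rc=1
        elif [ "$mgids" = 1 ]; then
            echo "INFO: gid list comes from the server group database (-manage-gids)"
        else
            echo "REQUIRED: uniform gid space (gid list comes from the RPC authenticator)"
        fi
    fi
    return $rc
}
```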