NFSv4 User and Group mappings
I have been working with a BlueArc NAS head for some time, and just recently the requirement for NFSv4 and ACLs came up.
For a while I had been looking for more information on how NFS user mapping and ACLs work, especially for NFSv4. We were looking for a solution to a problem where the Unix usernames and user IDs did not align with the NFS server's configuration, although we could not determine why. When a user ID and username cannot be matched by the NFS server, the active user's credentials are squashed to the anonymous (nobody) user. That makes it hard to enforce any decent ACL policy. The NFS client log clearly stated that it could not map a user to a domain.
Feb 25 14:24:26 nfsclient rpc.idmapd[30316]: nss_getpwnam: name 'username' does not map into domain 'domainname'
It was clear that user mapping differs between NFSv3 and NFSv4, but I did not quickly find what the difference was. The vendor's administration guide wasn't very elaborate on this topic, so I reverted to the beloved Google searches to try my luck. Unfortunately most hits were related to a bug in libnfsidmap.so in nfs-utils-lib which was supposedly solved in versions that seem old by now, so that could not be the cure for my issue. I accidentally stumbled across the solution by reading the command line man pages for the NAS head. It is just another example of an administration guide or command reference that is less complete than the man pages shipped with the vendor's own management interface; this BlueArc example is not alone in that.
The NFS server configuration did not look like the NFS client configuration, because the NFS server was a NAS head. The difference between the two protocol versions is what goes over the wire: NFSv3 carries numeric UIDs and GIDs, so client and server only have to agree on the numbers, while NFSv4 carries file owners and groups as strings of the form user@domain, and each side translates between those strings and its own numeric IDs. On a Linux client that translation is done by rpc.idmapd, which takes its domain from the [General] section of /etc/idmapd.conf:
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = domainname
The value of "Domain" must match the domain the NFS server uses. For NFSv4 user and group mappings, this is the value that follows the @ after the corresponding Unix user name (username@domainname). If the two domains differ, or the server sends a bare name without an @domain suffix, the client cannot place the name in its own domain and logs the "does not map into domain" error shown above.
An example:
On the NFS server, there has to be a mapping between the Unix user "username" and the ID 2010, and in /etc/idmapd.conf on the client the domain name "domainname" is set. On the NFS server, you then use the server's own utility to configure an NFSv4 mapping for "username@domainname".
At this point I can only supply an example for the BlueArc HNAS user mapping:
BLUEARC CLI#> user-mapping-add --unix-name username --unix-id 2010 --nfsv4-name username@domainname
After successful configuration, the NFS client log should show the name mapping to the expected ID:
Feb 25 14:24:51 nfsclient rpc.idmapd[30316]: Client 15: (user) name "username@domainname" -> id "2010"
The same method applies to group names, which will need a corresponding mapping between the Unix group name, the group ID and the NFSv4 name group@domainname.
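To make the client-side part of this checkable, here is a small shell script I am adding to the post (it is my own example, not BlueArc's code or part of nfs-utils). It reads Domain from the [General] section of an idmapd.conf the way a Linux client would, and classifies rpc.idmapd log lines of the formats quoted above into the two causes of the "does not map into domain" error: the server sending a bare name (the case in this post) or the server using a different domain. Assumptions of mine: a Linux client running rpc.idmapd, and the log formats shown above; the config files and the third log line are constructed for the demo.

```shell
#!/bin/sh
# Added example for this post (not the NAS vendor's or the nfs-utils code):
# two checks for the NFSv4 name-mapping problem described above.
#   idmapd_domain        reads Domain from the [General] section of an idmapd.conf
#   diagnose_idmap_line  tells a "does not map into domain" failure apart from
#                        its two usual causes, using rpc.idmapd's log format
# Assumptions (mine): a Linux client running rpc.idmapd; the log line formats
# are the ones quoted in the post. The sample config and log lines below are
# constructed for the demo.

# Print the Domain value from the [General] section; print nothing if unset.
# Comments, blank lines and whitespace around '=' are tolerated, and a Domain
# key in another section (e.g. [Mapping]) is ignored. If this prints nothing,
# rpc.idmapd falls back to the host's DNS domain name, which is a common
# reason for a mismatch nobody configured on purpose.
idmapd_domain() {
    awk -F= '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { in_general = (tolower($0) ~ /^[ \t]*\[general\]/); next }
        in_general && tolower($1) ~ /^[ \t]*domain[ \t]*$/ {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# Classify one rpc.idmapd log line. Prints one of:
#   mapped           the server's name resolved to a numeric id
#   bare-name        the server sent a name with no "@domain" suffix, so the
#                    client cannot place it in its own domain (this post's case)
#   domain-mismatch  the server's "@domain" is not this client's Domain
#   other            not an idmap mapping line
# In the failure message the quoted domain is the client's own configured
# domain and the quoted name is exactly what the server sent.
diagnose_idmap_line() {
    line=$1
    case $line in
        *'-> id "'*) echo mapped; return 0 ;;
        *"does not map into domain '"*) ;;
        *) echo other; return 0 ;;
    esac
    name=$(printf '%s\n' "$line" | sed -n "s/.*: name '\([^']*\)' does not map.*/\1/p")
    case $name in
        *@*) echo domain-mismatch ;;
        *)   echo bare-name ;;
    esac
}

# --- demo with constructed input --------------------------------------------
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed idmapd.conf in the shape of /etc/idmapd.conf on a Linux client.
cat > "$tmpdir/idmapd.conf" <<'EOF'
[General]
Verbosity = 0
# Pipefs-Directory must match the rpc_pipefs mount on this client
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = domainname

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
EOF

# Constructed: a config where Domain was put in the wrong section.
cat > "$tmpdir/wrong-section.conf" <<'EOF'
[General]
Verbosity = 0
[Mapping]
Domain = domainname
EOF

# The first two lines are the ones quoted in the post; the third is constructed.
LOG_FAIL="Feb 25 14:24:26 nfsclient rpc.idmapd[30316]: nss_getpwnam: name 'username' does not map into domain 'domainname'"
LOG_OK='Feb 25 14:24:51 nfsclient rpc.idmapd[30316]: Client 15: (user) name "username@domainname" -> id "2010"'
LOG_MISMATCH="Feb 25 14:30:02 nfsclient rpc.idmapd[30316]: nss_getpwnam: name 'username@nas.example' does not map into domain 'domainname'"

echo "client Domain:           $(idmapd_domain "$tmpdir/idmapd.conf")"
echo "Domain in wrong section: '$(idmapd_domain "$tmpdir/wrong-section.conf")'"
for l in "$LOG_FAIL" "$LOG_OK" "$LOG_MISMATCH" "unrelated syslog line"; do
    printf '%-16s %s\n' "$(diagnose_idmap_line "$l")" "$l"
done
```

Run it against the real files with `idmapd_domain /etc/idmapd.conf` and `grep rpc.idmapd /var/log/messages | while read -r l; do diagnose_idmap_line "$l"; done`. A bare-name result means the fix is on the server side, as it was here; a domain-mismatch means one side's domain has to change. Either way the client must also be able to resolve the local part of the name with `getent passwd username`, otherwise idmapd still ends up at the nobody user.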
So for all the people running into the same problem in the near future, I hope this post helps a bit.