{"id":3124,"date":"2022-12-20T16:43:32","date_gmt":"2022-12-20T19:43:32","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/nfsidmap-man8\/"},"modified":"2022-12-20T16:43:32","modified_gmt":"2022-12-20T19:43:32","slug":"nfsidmap-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/nfsidmap-man8\/","title":{"rendered":"nfsidmap (man8)"},"content":{"rendered":"

nfsidmap<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
OPTIONS<\/a>
CONFIGURING<\/a>
FILES<\/a>
SEE ALSO<\/a>
AUTHOR<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

nfsidmap \u2212 The NFS idmapper upcall program<\/p>\n

SYNOPSIS <\/a> <\/h2>\n

nfsidmap [-v] [-t timeout] key desc
nfsidmap [-v] [-c]
nfsidmap [-v] [-u|-g|-r user]
nfsidmap -d
nfsidmap -l
nfsidmap -h<\/b><\/p>\n

DESCRIPTION <\/a> <\/h2>\n

The NFSv4 protocol represents the local system\u2019s UID and GID values on the wire as strings of the form user@domain<\/i>. The process of translating from UID to string and string to UID is referred to as “ID mapping.”<\/p>\n

The system derives the user<\/i> part of the string by performing a password or group lookup. The lookup mechanism is configured in \/etc\/idmapd.conf<\/i>.<\/p>\n

By default, the domain<\/i> part of the string is the system\u2019s DNS domain name. It can also be specified in \/etc\/idmapd.conf<\/i> if the system is multi-homed, or if the system\u2019s DNS domain name does not match the name of the system\u2019s Kerberos realm.<\/p>\n

When the domain is not specified in \/etc\/idmapd.conf<\/i> the local DNS server will be queried for the _nfsv4idmapdomain<\/i> text record. If the record exists that will be used as the domain. When the record does not exist, the domain part of the DNS domain will used.<\/p>\n

The \/usr\/sbin\/nfsidmap<\/i> program performs translations on behalf of the kernel. The kernel uses the request-key mechanism to perform an upcall. \/usr\/sbin\/nfsidmap<\/i> is invoked by \/sbin\/request-key, performs the translation, and initializes a key with the resulting information. The kernel then caches the translation results in the key.<\/p>\n

nfsidmap<\/i> can also clear cached ID map results in the kernel, or revoke one particular key. An incorrect cached key can result in file and directory ownership reverting to “nobody” on NFSv4 mount points.<\/p>\n

In addition, the -d<\/b> and -l<\/b> options are available to help diagnose misconfigurations. They have no effect on the keyring containing ID mapping results.<\/p>\n

OPTIONS <\/a> <\/h2>\n\n\n\n
<\/td>\n\n

-c<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Clear the keyring of all the keys.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

-d<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Display the system\u2019s effective NFSv4 domain name on stdout<\/i>.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

-g user<\/b><\/p>\n

Revoke the gid key of the given user.<\/p>\n\n\n\n
<\/td>\n\n

-h<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Display usage message.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

-l<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Display on stdout<\/i> all keys currently in the keyring used to cache ID mapping results. These keys are visible only to the superuser.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

-r user<\/b><\/p>\n

Revoke both the uid and gid key of the given user.<\/p>\n

-t timeout<\/b><\/p>\n

Set the expiration timer, in seconds, on the key. The default is 600 seconds (10 mins).<\/p>\n

-u user<\/b><\/p>\n

Revoke the uid key of the given user.<\/p>\n\n\n
<\/td>\n\n

-v<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Increases the verbosity of the output to syslog (can be specified multiple times).<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

CONFIGURING <\/a> <\/h2>\n

The file \/etc\/request-key.conf<\/i> will need to be modified so \/sbin\/request-key<\/i> can properly direct the upcall. The following line should be added before a call to keyctl negate:<\/p>\n

create id_resolver bodies manpages.csv script_extrae_body.sh script.sh usr bodies manpages.csv script_extrae_body.sh script.sh usr \/usr\/sbin\/nfsidmap -t 600 %k %d<\/p>\n

This will direct all id_resolver requests to the program \/usr\/sbin\/nfsidmap.<\/i> The -t 600<\/b> defines how many seconds into the future the key will expire. This is an optional parameter for \/usr\/sbin\/nfsidmap<\/i> and will default to 600 seconds when not specified.<\/p>\n

The idmapper system uses four key descriptions:<\/p>\n

uid: Find the UID for the given user
gid: Find the GID for the given group
user: Find the user name for the given UID
group: Find the group name for the given GID<\/p>\n

You can choose to handle any of these individually, rather than using the generic upcall program. If you would like to use your own program for a uid lookup then you would edit your request-key.conf so it looks similar to this:<\/p>\n

create id_resolver uid:* bodies manpages.csv script_extrae_body.sh script.sh usr \/some\/other\/program %k %d
create id_resolver bodies manpages.csv script_extrae_body.sh script.sh usr bodies manpages.csv script_extrae_body.sh script.sh usr \/usr\/sbin\/nfsidmap %k %d<\/p>\n

Notice that the new line was added above the line for the generic program. request-key will find the first matching line and run the corresponding program. In this case, \/some\/other\/program will handle all uid lookups, and \/usr\/sbin\/nfsidmap will handle gid, user, and group lookups.<\/p>\n

FILES <\/a> <\/h2>\n

\/etc\/idmapd.conf<\/i><\/p>\n

ID mapping configuration file<\/p>\n

\/etc\/request-key.conf<\/i><\/p>\n

Request key configuration file<\/p>\n

SEE ALSO <\/a> <\/h2>\n

idmapd.conf<\/b>(5), request-key<\/b>(8)<\/p>\n

AUTHOR <\/a> <\/h2>\n

Bryan Schumaker, <\/p>\n

\n","protected":false},"excerpt":{"rendered":"

nfsidmap \u2212 The NFS idmapper upcall program <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,270],"class_list":["post-3124","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-nfsidmap"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3124"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3124\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}