How to get NFSv4 idmap working with sec=sys?

There are a couple of things to note when using NFSv4 ID mapping on mounts that use the default AUTH_SYS authentication (the sec=sys mount option) instead of Kerberos.

NOTE: With AUTH_SYS, ID mapping only translates the user/group names shown to you. Permissions are still checked against the local UID/GID values. The only way to get permissions enforced by username is with Kerberos.

On recent kernels, only the server uses rpc.idmapd (documented in man rpc.idmapd). When using idmap, user names are transmitted in user@domain format. Unless a domain name is configured in /etc/idmapd.conf, idmapd uses the system's DNS domain name. For idmap to map the users correctly, the domain name needs to be the same on the client and on the server.

Secondly, the kernel disables ID mapping for NFSv4 sec=sys mounts by default. Setting the nfs4_disable_idmapping module parameter to false (N) enables ID mapping for sec=sys mounts.

On the server:

echo "N" > /sys/module/nfsd/parameters/nfs4_disable_idmapping

and on the client(s):

echo "N" > /sys/module/nfs/parameters/nfs4_disable_idmapping

You need to clear the idmap cache with nfsidmap -c on the clients for the changes to become visible on already mounted NFSv4 file systems.

To make these changes permanent, create configuration files in /etc/modprobe.d/:

on the server (/etc/modprobe.d/nfsd.conf):

options nfsd nfs4_disable_idmapping=N

on the client(s) (/etc/modprobe.d/nfs.conf):

options nfs nfs4_disable_idmapping=N
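As an added example that is not part of the original post, the following POSIX shell script checks the two conditions described above: the effective idmap domain (the Domain key in /etc/idmapd.conf, falling back to the DNS domain the way idmapd does) and the nfs4_disable_idmapping state of the nfs and nfsd modules. The paths are parameters so the logic can be exercised on constructed files; the function names are my own.

```sh
#!/bin/sh
# Added example: report whether NFSv4 id mapping on sec=sys mounts can work.

# Effective idmap domain: the Domain key from idmapd.conf (comments ignored),
# otherwise the DNS domain, i.e. everything after the first dot of the FQDN.
# $1: path to idmapd.conf, $2: FQDN (both default to this host's values).
idmap_domain() {
    conf="${1:-/etc/idmapd.conf}"
    fqdn="${2:-$(hostname -f 2>/dev/null)}"
    d=$(sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$conf" 2>/dev/null \
        | head -n 1 | sed 's/[[:space:]]*$//')
    if [ -n "$d" ]; then
        printf '%s\n' "$d"
    else
        printf '%s\n' "${fqdn#*.}"
    fi
}

# Read the module parameter for "nfs" (client) or "nfsd" (server).
# Prints "enabled" when idmapping is on (value N), "disabled" when it is off
# and "unknown" when the module is not loaded. $2 overrides /sys/module.
idmap_state() {
    f="${2:-/sys/module}/$1/parameters/nfs4_disable_idmapping"
    [ -r "$f" ] || { echo "unknown"; return; }
    case "$(cat "$f")" in
        N|0) echo "enabled" ;;
        *)   echo "disabled" ;;
    esac
}

# Returns 0 when names will map between a client/server pair:
# $1/$2 are the two idmap domains, $3/$4 the nfs and nfsd states.
idmap_ok() {
    [ "$1" = "$2" ] && [ "$3" = "enabled" ] && [ "$4" = "enabled" ]
}

# Print this host's values; run it on the client and on the server and compare.
report() {
    echo "idmap domain : $(idmap_domain)"
    echo "nfs  (client): $(idmap_state nfs)"
    echo "nfsd (server): $(idmap_state nfsd)"
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it with --report on both hosts; the domain lines must match and the module relevant to each side must show "enabled".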
