Real utility of idmapd
Guillaume Rousse
Guillaume.Rousse at inria.fr
Wed Mar 21 13:11:49 EDT 2007
Kevin Coffman wrote:
> On 3/20/07, J. Bruce Fields <bfields at fieldses.org> wrote:
>> On Tue, Mar 20, 2007 at 03:57:23PM +0100, Guillaume Rousse wrote:
>>
>> > And what does the idmapd translation method imply exactly? Simple existence
>> > of user account on both sides, or existence AND uid consistency?
>>
>> I'm not sure I understand the question.
>>
>> If you are using NFSv4 and auth_gss, then uid's and gid's are irrelevant.
>>
>> If you are using either auth_sys, or NFSv2/v3, then you probably need
>> the client and server to agree on uid's and gid's.
>
> I'd argue UIDs and GIDs are irrelevant as far as the NFSv4 protocol is
> concerned (only names go across the wire). However, if seeing the
> 'right' name when doing something like 'ls -l' on the client is
> important, then the UIDs and GIDs need to be consistent within the
> NFSv4 domain.
I feel a bit lost here... Doesn't the command 'ls -l' on the client
imply an NFS exchange with the server, ensuring correct translation?
> After all, one (the?) definition of an NFSv4 domain is
> a unique UID/GID space.
And here I'm totally lost. This sounds contradictory with the fact that
when using gss, you may have different uids between client and server,
and use the Kerberos principal to ensure the mapping.
> Since things are mapped between names and IDs
> on both sides (client and server), there really needs to be a
> consistent mapping strategy on all the clients and server(s) within a
> domain.
OK for this one :)