Simple name-to-id mapping with idmapd not working?

J. Bruce Fields bfields at fieldses.org
Mon Mar 10 18:19:51 EDT 2008


On Sun, Mar 09, 2008 at 06:02:01PM +0100, Alessio Gaeta wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Sorry for delay, I've been busy and I've read some code too...
> 
> >>>> If we also wanted to do id<->id mapping of auth_unix credentials, we'd
> >>>> need a new mechanism for that.
> >> Only out of curiosity, is it so difficult to implement? Did someone
> >> think about it when idmapd was implemented?
> 
> > It's not terribly difficult to do server-side mapping of auth_unix
> > credentials.  If you (or someone you know of) has the time and resources
> > to work on it, we could probably outline what's needed.
> 
> I read the code, but it is undocumented,

Patches adding helpful comments are welcomed....

> so it's a bit difficult for me
> to clearly figure out the interaction between components... Moreover I am
> not an expert programmer (I studied RPC some years ago, I'd need a
> refresh...), nor do I have much time available; so I can't
> "officially" take this on, but I'd like to learn more about NFS and
> id mapping and maybe try coding something (with the understanding that I'd
> share any eventually useful result, of course). Nor do I want to steal your
> time, so if you could just point me to some developer resources
> (interaction diagrams, function documentation... I couldn't find
> anything useful by myself), I would be grateful.

Hm.  I'm not sure if that documentation exists.

I think what you'd want to do is add a new server "cache" (see e.g.
http://fieldses.org/~bfields/kernel/svc_caches/ for a rough description)
which would map from a triple of (client name (as used in exports),
"user"/"group", id number) to a local uid/gid.  You'd need to add
corresponding code to rpc.mountd that listened for requests of that form
and answered them.  And you'd need to figure out some syntax to allow
the user to configure this (possibly in the /etc/exports file).

Though if you actually want this to work for something like a laptop,
which might move around, you may want to do the mapping on the client
side instead (since the only way the server has to decide which client's
mapping to use is the ip address).  I don't know how you'd do
that--maybe use the keyring code somehow to manage auth_unix
credentials??

Though personally I think the effort would be much better spent on
making kerberos really easy to set up; there is, as you say, a
perception that:

> deploying a NIS/Kerberos/LDAP service is clearly overscaled...

We should make it easy to set up Kerberos.  I don't know of any
fundamental reason it has to be hard.  That would mean working with
distributions to automate the setup, maybe providing some higher-level
tools to manage users--I don't know.

--b.
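To make the proposed design concrete, here is an added sketch (not code from this thread, nfs-utils or the kernel) of the lookup a server-side cache of that shape would perform: a table keyed by the triple (client name as written in exports, "user"/"group", remote id) yielding a local uid/gid, fed from a configuration file. The four-field line format, the file name and the function names are assumptions made for the example; the thread leaves the syntax undecided. Ids with no mapping are squashed to the anonymous id rather than passed through, which is the safe default for an auth_unix credential the server otherwise has no reason to trust.

```python
# Hypothetical sketch of the server-side (client, "user"/"group", id) -> local
# id cache proposed in the reply above. Added example; not nfs-utils or kernel
# code. The config line format is an assumption, not real /etc/exports syntax.

from dataclasses import dataclass
from typing import Dict, List, Tuple

NOBODY = 65534  # conventional "nobody"/"nogroup" id used when no mapping exists


@dataclass(frozen=True)
class MapKey:
    client: str     # client name exactly as it appears in the exports entry
    kind: str       # "user" or "group"
    remote_id: int  # uid/gid as presented in the AUTH_UNIX credential


class IdMapCache:
    """In-memory stand-in for the kernel cache that rpc.mountd would answer."""

    def __init__(self, anon_uid: int = NOBODY, anon_gid: int = NOBODY):
        self._table: Dict[MapKey, int] = {}
        self.anon_uid = anon_uid
        self.anon_gid = anon_gid

    def add(self, client: str, kind: str, remote_id: int, local_id: int) -> None:
        if kind not in ("user", "group"):
            raise ValueError(f"kind must be 'user' or 'group', got {kind!r}")
        self._table[MapKey(client, kind, int(remote_id))] = int(local_id)

    def lookup(self, client: str, kind: str, remote_id: int) -> int:
        # Unknown ids are squashed to the anonymous id instead of being passed
        # through, so a client cannot claim an unmapped local uid/gid.
        key = MapKey(client, kind, int(remote_id))
        default = self.anon_uid if kind == "user" else self.anon_gid
        return self._table.get(key, default)


def load_map(text: str) -> IdMapCache:
    """Parse 'client kind remote_id local_id' lines (hypothetical format)."""
    cache = IdMapCache()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        client, kind, remote_id, local_id = fields
        cache.add(client, kind, int(remote_id), int(local_id))
    return cache


def map_auth_unix(cache: IdMapCache, client: str, uid: int, gid: int,
                  groups: List[int]) -> Tuple[int, int, List[int]]:
    """Translate one AUTH_UNIX credential (uid, gid, supplementary gids).

    `client` is the exports entry the server already matched for the peer;
    as the reply notes, the server can only pick that entry by IP address.
    """
    return (cache.lookup(client, "user", uid),
            cache.lookup(client, "group", gid),
            [cache.lookup(client, "group", g) for g in groups])


# Constructed sample config: the laptop's uid/gid 1000 is the server's 1001.
SAMPLE_MAP = """
# client         kind   remote  local
laptop.example   user   1000    1001
laptop.example   group  1000    1001
laptop.example   group  100     100
*.lab.example    user   500     2000
"""

if __name__ == "__main__":
    cache = load_map(SAMPLE_MAP)
    print(map_auth_unix(cache, "laptop.example", 1000, 1000, [1000, 100, 27]))
    # -> (1001, 1001, [1001, 100, 65534]); the unmapped gid 27 is squashed
    print(map_auth_unix(cache, "*.lab.example", 500, 500, []))
    # -> (2000, 65534, [])
```

The table deliberately keys on the exports client name rather than on a resolved address, so the same entry covers a wildcard export; which entry applies to a given peer is the existing exports matching problem, which is also why the reply suggests client-side mapping for a machine that moves between networks.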
