Nfs4, Idmapd, Users With Same Name, Different Uid?


Is idmapd supposed to work where users have different uid numbers on the nfsv4 server and client? It seems to show the right names for ownership on the client side, but if I automount a home directory, that user doesn’t have permission to enter it, and if I change permission to allow access and create a new file, it shows on the server as owned by the uid number for the user on the client (and wrong on the server).

Everything works like it would on nfs v3 where the uid numbers are the same on the client and server, but what’s the point of the rpcidmapd daemon if it doesn’t actually map the ids?

12 thoughts on - Nfs4, Idmapd, Users With Same Name, Different Uid?

  • As far as I know, nfs4 doesn’t care about UID/GID, but checks names, so it should work, no matter that you have different UIDs on server and client for the same users.

    Cheers, Barbara

  • Sorry, if you use nfs4 and idmapd, uid/gid has to be the same on server and client. I have tested and it does not work when the UID differs on server/client.

    Cheers, Barbara

  • For nfsv4 it is my understanding you need a central user store like ldap or nis (but don’t use nis) or synchronize your password file to eternity. I do not have a CentOS nfs server (or a linux one, for that matter; what I want from nfsv4 are mainly the extended acls and those are not there until somebody wakes up and merges the richacl patch into the mainstream kernel), only clients, but they work fine using nfsv4 to both netapp and zfs (omnios) filers.

    Both the clients and the filers are configured to look up users in ldap (ipa in our case).

    I have no experience with idmapd in linux, but in solaris and netapp it gets ugly quite easily :-)

  • It also works with the same UIDs on server/client, just setting the domainname in idmapd.conf. Ldap is not obligatory. Cheers, Barbara

  • This is a small lab-type setting but I’m trying to merge two sets of machines set up by different groups to have a common home directory server that all the others automount. The number of users is small enough that I’ll just ‘usermod’ them into the same uid numbers, but I don’t see why it is worth running the idmapd daemon at all, when all it does is map everyone to nobody if you forget to set the domains identically. And after fixing the uids to match, is there any advantage to nfsv4 at all?
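The two problems the thread keeps circling are a user whose name matches on both hosts but whose uid does not, and an idmapd.conf Domain that differs between hosts. Below is an added example (not posted by anyone in the thread) that checks both from copies of the hosts' /etc/passwd and idmapd.conf; the file names and the sample accounts are constructed.

```shell
#!/bin/sh
# uid_mismatches SERVER_PASSWD CLIENT_PASSWD
# Prints "name server_uid client_uid" for every account present in both
# passwd(5)-format files whose uid differs. These are exactly the users whose
# files would show up under the wrong numeric owner on an NFSv4 mount.
# Returns 0 when every shared name has the same uid, 1 otherwise.
uid_mismatches() {
    awk -F: '
        NR == FNR { uid[$1] = $3; next }     # first file: the server side
        ($1 in uid) && uid[$1] != $3 {       # second file: the client side
            printf "%s %s %s\n", $1, uid[$1], $3
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1" "$2"
}

# idmapd_domain IDMAPD_CONF
# Prints the Domain value from an idmapd.conf, or "unset" when none is given.
# Compare the output from server and client: if they differ, idmapd maps
# everyone to nobody, as noted in the thread.
idmapd_domain() {
    awk -F= '
        /^[[:space:]]*Domain[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; found = 1 }
        END { if (!found) print "unset" }
    ' "$1"
}

# make_sample SERVER_FILE CLIENT_FILE
# Writes constructed passwd files standing in for the two hosts: "bob" has
# uid 1002 on the server but 1005 on the client; "carol" exists only on the client.
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
EOF
    cat > "$2" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1005:1005::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
EOF
}
```

Run `uid_mismatches /path/to/server-passwd /path/to/client-passwd` on real copies to get the list of accounts that need ‘usermod -u’ before the home directories are shared.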

  • ----- Original Message -----
    | >> I have no experience with idmapd in linux, but in solaris and
    | >> netapp it
    | >> gets ugly quite easily :-)
    | >>
    | > It also works with same UID-s on server/client, just setting the
    | > domainname in idmapd.conf. Ldap is not obligatory.
    |
    | This is a small lab-type setting but I’m trying to merge two sets of
    | machines set up by different groups to have a common home directory
    | server that all the others automount. The number of users is small
    | enough that I’ll just ‘usermod’ them into the same uid numbers, but I
    | don’t see why it is worth running the idmapd daemon at all, when all
    | it does is map everyone to nobody if you forget to set the domains
    | identically. And after fixing the uids to match, is there any
    | advantage to nfsv4 at all?

    Over NFSv3? Yes, single port for traffic and extended ACLs. Throw in Kerberos and you have authenticated access to resources.


    James A. Peltier
    Manager, IT Services – Research Computing Group
    Simon Fraser University – Burnaby Campus
    Phone : 778-782-6573
    Fax : 778-782-3045
    E-Mail : jpeltier@sfu.ca
    Website : http://www.sfu.ca/itservices

    “A successful person is one who can lay a solid foundation from the bricks others have thrown at them.” -David Brinkley via Luke Shaw

  • That’s why I wrote ‘synchronize your password file to eternity’ ;-)

    But really, don’t do that, use a central store. Much easier unless you have a very very tiny network (but those tend to grow unexpectedly).

  • This is a very tiny subset (mostly) of a corporate network where the larger things are handled by active directory. But, for various non-technical reasons I don’t want these machines to have to ‘join’ AD. Kerberos will sort-of work without joining, but doesn’t seem usable for exporting samba shares – and then anyone added locally wouldn’t work without the uid matching anyway. Is there a way to set up an LDAP server with a few local users but that mostly does a proxy to AD? And if I did, would users be able to map their home directories as samba shares with the authentication it provides without joining AD?

  • The AD admins are in a different group in a different location and involving them adds a lot of complexity. A short script to ‘usermod -u nnn’ everyone into the same uids across hosts sounds better all the time. However, it would be nicer if there were some way to avoid having to manage yet another password for each user for samba, although with central home directories that would only need to be on one of the systems.

  • Reviving an old thread… I had this all working with an initial set of users across several machines where all users had the same user id and idmapd.conf had the same Domain set. /home is exported from one machine, and everything showed the right ownership. However, when I add new users, again keeping the same uid numbers across all hosts, the mounted instances show as ‘nobody’ for the new users. Is there some magic short of a reboot to make it recognize the new user ids? A reboot does fix it, ‘service rpcidmapd restart’ or ‘force-reload’ does not, and unmounting /home and remounting also does not.
