nfsidmap(5) File Formats Manual nfsidmap(5)

nfsidmap - The NFS idmapper upcall program

nfsidmap [-v] [-t timeout] key desc
nfsidmap [-v] [-c]
nfsidmap [-v] [-u|-g|-r user]
nfsidmap -d

The NFSv4 protocol represents the local system's UID and GID values on
the wire as strings of the form user@domain. The process of translating
from UID to string and string to UID is referred to as "ID mapping."

The system derives the user part of the string by performing a password
or group lookup. The lookup mechanism is configured in
/etc/idmapd.conf.

By default, the domain part of the string is the system's DNS domain
name. It can also be specified in /etc/idmapd.conf if the system is
multi-homed, or if the system's DNS domain name does not match the name
of the system's Kerberos realm.

The /usr/sbin/nfsidmap program performs translations on behalf of the
kernel. The kernel uses the request-key mechanism to perform an
upcall. /usr/sbin/nfsidmap is invoked by /sbin/request-key, performs
the translation, and initializes a key with the resulting information.
The kernel then caches the translation results in the key.

nfsidmap can also clear cached ID map results in the kernel, or revoke
one particular key. An incorrect cached key can result in file and
directory ownership reverting to "nobody" on NFSv4 mount points.

-c Clear the keyring of all the keys.

-d Display the system's effective NFSv4 domain name on stdout.

-g user
Revoke the gid key of the given user.

-r user
Revoke both the uid and gid key of the given user.

-t timeout
Set the expiration timer, in seconds, on the key. The default
is 600 seconds (10 mins).

-u user
Revoke the uid key of the given user.

-v Increases the verbosity of the output to syslog (can be specified
multiple times).

The file /etc/request-key.conf will need to be modified so
/sbin/request-key can properly direct the upcall. The following line
should be added before a call to keyctl negate:

create id_resolver * * /usr/sbin/nfsidmap -t 600 %k %d

This will direct all id_resolver requests to the program
/usr/sbin/nfsidmap. The -t 600 defines how many seconds into the
future the key will expire. This is an optional parameter for
/usr/sbin/nfsidmap and will default to 600 seconds when not specified.

The idmapper system uses four key descriptions:

uid: Find the UID for the given user
gid: Find the GID for the given group
user: Find the user name for the given UID
group: Find the group name for the given GID

You can choose to handle any of these individually, rather than using
the generic upcall program. If you would like to use your own program
for a uid lookup then you would edit your request-key.conf so it looks
similar to this:

create id_resolver uid:* * /some/other/program %k %d
create id_resolver * * /usr/sbin/nfsidmap %k %d

Notice that the new line was added above the line for the generic program.
request-key will find the first matching line and run the corresponding
program. In this case, /some/other/program will handle all
uid lookups, and /usr/sbin/nfsidmap will handle gid, user, and group
lookups.
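
Because the first matching line decides which program answers each lookup, it is worth checking which program a given request-key.conf actually selects for the four key descriptions. The following is an added example, not part of nfsidmap or of this manual page; the sample file, the sample key descriptions, the function names, and the use of fnmatch in place of request-key's own matcher are assumptions.

```python
import fnmatch

# Constructed sample /etc/request-key.conf, built from the page's two-rule example.
SAMPLE_CONF = """\
create  id_resolver  uid:*  *  /some/other/program %k %d
create  id_resolver  *      *  /usr/sbin/nfsidmap %k %d
negate  *            *      *  /bin/keyctl negate %k 30 %S
"""
# Constructed key descriptions, one for each of the four the idmapper uses.
SAMPLE_KEYS = ["uid:alice@example.com", "gid:staff@example.com",
               "user:1000", "group:100"]
EXPECTED = "/usr/sbin/nfsidmap"

def parse_rules(text):
    """Split each rule into [op, type, description, callout, command]."""
    rules = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 4)
        if len(fields) == 5:
            rules.append(fields)
    return rules

def handler_for(rules, desc, key_type="id_resolver"):
    """Program of the first create rule matching the key type and description."""
    # Assumption: fnmatch globbing stands in for request-key's own matcher,
    # and the callout-info column is ignored.
    for op, r_type, r_desc, _callout, command in rules:
        if (op == "create" and fnmatch.fnmatchcase(key_type, r_type)
                and fnmatch.fnmatchcase(desc, r_desc)):
            return command.split()[0]
    return None

def audit(text, keys=SAMPLE_KEYS):
    """Return ({key kind: handler program}, [findings])."""
    rules = parse_rules(text)
    handlers = {k.split(":")[0]: handler_for(rules, k) for k in keys}
    findings = [f"{kind} lookups handled by {prog}, not {EXPECTED}"
                for kind, prog in handlers.items() if prog != EXPECTED]
    # The page asks for the id_resolver line to precede the keyctl negate call.
    negate_at = [i for i, r in enumerate(rules) if "keyctl negate" in r[4]]
    resolver_at = [i for i, r in enumerate(rules) if r[1] == "id_resolver"]
    if negate_at and resolver_at and max(resolver_at) > min(negate_at):
        findings.append("id_resolver rule appears after keyctl negate")
    return handlers, findings

if __name__ == "__main__":
    for item in audit(SAMPLE_CONF):
        print(item)
```

A finding for uid lookups is expected when a custom handler has been configured on purpose; an unexpected one means a program other than /usr/sbin/nfsidmap is deciding file ownership mappings.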

/etc/idmapd.conf
ID mapping configuration file

/etc/request-key.conf
Request key configuration file

idmapd.conf(5), request-key(8)

Bryan Schumaker, <bjschuma@netapp.com>

1 October 2010 nfsidmap(5)