Can nfsv4 ID mapping work between macOS and Linux without an Open Directory server?
- nfs version is 4, all versions 1…3 are disabled
- Kerberos is MIT
- Share sec is krb5p
- The realm is REALM.COM and nfs and kdc servers and macOS clients have domain realm.com
macOS
/etc/nfs.conf:
    nfs.client.default_nfs4domain = realm.com
hostname
    mac.realm.com
/etc/hosts:
    1.2.3.4 server.realm.com
Linux:
cat /proc/fs/nfsd/versions
    -2 -3 +4 +4.1 +4.2
cat /sys/module/nfsd/parameters/nfs4_disable_idmapping
    N
/etc/idmapd.conf:
    [General]
    Verbosity = 3
    Pipefs-Directory = /run/rpc_pipefs
    [Mapping]
    Nobody-User = nobody
    Nobody-Group = nogroup
hostname --fqdn
    server.realm.com
/etc/hosts:
    127.0.1.1 server.realm.com server
The mac has user:group:
- root:wheel
- admuser:staff
- nobody:nobody
— wheel and staff are generic BSD groups
Linux has user.group:
- root.root
- admuser.admuser
- nobody.nogroup
On macOS, admuser:staff executes the mount command:
mount -tnfs -overs=4,proto=tcp,port=2049,sec=krb5p server.realm.com:/files ~/files
Current State
In the current nfs client and server configuration, it’s all nobody.nogroup and nobody:nobody
tail --follow=name --retry /var/log/syslog | egrep '^.{16}[^ ]* rpc.idmapd[[]'
Feb 16 10:17:11 server rpc.idmapd[3981346]: nfsdcb: authbuf=gss/krb5p authtype=user
Feb 16 10:17:11 server rpc.idmapd[3981346]: Server : (user) id "0" -> name "root@localdomain"
Feb 16 10:17:11 server rpc.idmapd[3981346]: nfsdcb: authbuf=gss/krb5p authtype=group
Feb 16 10:17:11 server rpc.idmapd[3981346]: Server : (group) id "0" -> name "root@localdomain"
Feb 16 10:17:19 server rpc.idmapd[3981346]: nfsdcb: authbuf=gss/krb5p authtype=user
Feb 16 10:17:19 server rpc.idmapd[3981346]: Server : (user) id "65534" -> name "nobody@localdomain"
Feb 16 10:17:19 server rpc.idmapd[3981346]: nfsdcb: authbuf=gss/krb5p authtype=group
Feb 16 10:17:19 server rpc.idmapd[3981346]: Server : (group) id "65534" -> name "nogroup@localdomain"
The first pair is the mount, the second pair is the access.
macOS:
nfs4mapid admuser
user admuser maps to id 501
mapping done through guid 126DA715-EAD2-48BB-9A40-653AED2D78CD
nfs4mapid -u501
user id 501 maps to admuser@realm.com
mapping done through guid 126DA715-EAD2-48BB-9A40-653AED2D78CD
nfs4mapid -G staff
group staff maps to id 20
mapping done through guid ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014
nfs4mapid -g20
group id 20 maps to staff@realm.com
mapping done through guid ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014
nfs4mapid root
user root maps to id 0
mapping done through guid FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
nfs4mapid -u0
user id 0 maps to root@realm.com
mapping done through guid FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
nfs4mapid -G wheel
group wheel maps to id 0
mapping done through guid ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000
nfs4mapid -g0
group id 0 maps to wheel@realm.com
mapping done through guid ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000
- Linux max version is 4.2
- macOS max version is 4.0
Desired Mappings
When doing ls -l on the macOS client:
- Linux user root -> macOS user root
- Linux group root -> macOS group wheel
- Linux user admuser -> macOS user admuser
- Linux group admuser -> macOS group staff
When creating a file on the server from macOS:
- macOS user root -> Linux user root
- macOS group wheel -> Linux group root
- macOS user admuser -> Linux user admuser
- macOS group staff -> Linux group admuser
Can nfsv4 ID mapping work between macOS and Linux without an Open Directory server?
If Open Directory is required, how is that done?
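The rpc.idmapd lines quoted under "Current State" already contain the most useful diagnostic: the owner strings the server emits ("root@localdomain", "nobody@localdomain") carry a domain that is not the "realm.com" the macOS client is configured with in nfs.conf, and an NFSv4 client that cannot match the domain part of an owner string falls back to the anonymous user. The small script below is an added example, not part of the question or of any nfs-utils tooling: it parses a constructed copy of those exact log lines, pairs each mapping with the preceding authbuf line, and reports every mapping whose domain differs from an expected nfs4domain or whose id is the anonymous id. The expected domain "realm.com" and the anonymous id 65534 are taken from the values shown in the question; any other environment would pass its own.

```python
import re

# Constructed copy of the rpc.idmapd lines quoted in the question (not a new capture).
SAMPLE_LOG = """\
Feb 16 10:17:11 server rpc.idmapd[3981346]: nfsdcb: authbuf=gss/krb5p authtype=user
Feb 16 10:17:11 server rpc.idmapd[3981346]: Server : (user) id "0" -> name "root@localdomain"
Feb 16 10:17:11 server rpc.idmapd[3981346]: nfsdcb: authbuf=gss/krb5p authtype=group
Feb 16 10:17:11 server rpc.idmapd[3981346]: Server : (group) id "0" -> name "root@localdomain"
Feb 16 10:17:19 server rpc.idmapd[3981346]: nfsdcb: authbuf=gss/krb5p authtype=user
Feb 16 10:17:19 server rpc.idmapd[3981346]: Server : (user) id "65534" -> name "nobody@localdomain"
Feb 16 10:17:19 server rpc.idmapd[3981346]: nfsdcb: authbuf=gss/krb5p authtype=group
Feb 16 10:17:19 server rpc.idmapd[3981346]: Server : (group) id "65534" -> name "nogroup@localdomain"
"""

# "Server : (user) id "0" -> name "root@localdomain"" -> kind, numeric id, name, domain
MAP_RE = re.compile(
    r'rpc\.idmapd\[\d+\]: Server : \((user|group)\) id "(\d+)" -> name "([^"@]+)@([^"]+)"'
)
# "nfsdcb: authbuf=gss/krb5p authtype=user" -> security flavour of the request being mapped
AUTH_RE = re.compile(r'rpc\.idmapd\[\d+\]: nfsdcb: authbuf=(\S+) authtype=(user|group)')


def parse_idmapd_log(text):
    """Return one dict per 'Server :' mapping line, carrying the authbuf of the
    nfsdcb line that immediately preceded it (None if there was none)."""
    events = []
    pending_auth = None
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            pending_auth = m.group(1)
            continue
        m = MAP_RE.search(line)
        if m:
            kind, num, name, domain = m.groups()
            events.append({
                "kind": kind,
                "id": int(num),
                "name": name,
                "domain": domain,
                "authbuf": pending_auth,
            })
            pending_auth = None
    return events


def audit(events, expected_domain, anonymous_ids=(65534,)):
    """Flag two conditions a reader of these logs cares about:
    - the server emitted an owner string in a domain other than the one the
      client is configured with (the client will not be able to map it), and
    - the id being mapped is already the anonymous id, i.e. the server-side
      lookup itself produced nobody/nogroup.
    Returns a list of human-readable findings; an empty list means clean."""
    findings = []
    for ev in events:
        if ev["domain"] != expected_domain:
            findings.append(
                f'{ev["kind"]} id {ev["id"]} emitted as {ev["name"]}@{ev["domain"]}, '
                f'expected domain {expected_domain}'
            )
        if ev["id"] in anonymous_ids:
            findings.append(
                f'{ev["kind"]} id {ev["id"]} is the anonymous id ({ev["name"]})'
            )
    return findings


if __name__ == "__main__":
    evs = parse_idmapd_log(SAMPLE_LOG)
    for finding in audit(evs, "realm.com"):
        print(finding)
```

Run against the quoted lines it reports all four mappings as emitted in "localdomain" rather than "realm.com", and the two 65534 mappings as already-anonymous; the same two checks can be pointed at a live `tail` of syslog to see whether the server-side domain changes after editing idmapd.conf or nfs.conf.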