RHEL: NFSv4 and ID mapping

Introduction

ID mapping is the forward and backward translation of numeric UIDs and GIDs to user and group names (strings). NFSv4 introduced ID mapping by sending user and group names over the wire instead of numeric UIDs and GIDs. NFSv3 utilised numeric UIDs and GIDs.

The NFS Client's and NFS Server's use of ID mapping with NFSv4 can now be disabled, resulting in the use of numeric UIDs and GIDs on the wire instead. In recent releases of RHEL 6 and newer, ID mapping can be disabled when using AUTH_SYS; however, ID mapping is still required when using AUTH_GSS (for example, sec=krb5).

The NFS Client will switch to user and group names if its attempts to use numeric UIDs or GIDs fail. This preserves backward compatibility with NFS Servers that do not accept numeric UIDs and GIDs.

On the NFS Server, ID mapping is handled by rpc.idmapd. On the NFS Client, it is handled by nfsidmap by default, or optionally by rpc.idmapd. Please refer to their manual pages for more details.

ID mapping can be disabled by using the following tunables:

  • NFS client: /sys/module/nfs/parameters/nfs4_disable_idmapping
  • NFS server: /sys/module/nfsd/parameters/nfs4_disable_idmapping
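An added example, not part of the Red Hat article, that reads the two sysfs tunables listed above and, because the AUTH_GSS caveat above means the tunable does not apply to Kerberos mounts, lists the NFSv4 mounts whose sec= option is krb5, krb5i or krb5p. The function names, the sample mount table and the server name in it are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): inspect the nfs4_disable_idmapping tunables
# and flag mounts on which ID mapping remains in use because AUTH_GSS is negotiated.

# idmap_mode client|server [path]
# Prints "numeric" when nfs4_disable_idmapping is Y (numeric IDs on the wire),
# "names" when it is N (user@domain names on the wire), or "unloaded" when the
# module parameter file is absent. An explicit path may be given for testing.
idmap_mode() {
    case $1 in
        client) mod=nfs ;;
        server) mod=nfsd ;;
        *) echo "usage: idmap_mode client|server [path]" >&2; return 2 ;;
    esac
    path=${2:-/sys/module/$mod/parameters/nfs4_disable_idmapping}
    [ -r "$path" ] || { echo unloaded; return 1; }
    case $(cat "$path") in
        Y) echo numeric ;;
        N) echo names ;;
        *) echo unknown; return 1 ;;
    esac
}

# gss_mounts [mounts-file]
# Lists NFSv4 mount points whose options carry sec=krb5, krb5i or krb5p.
# On those mounts ID mapping is required regardless of the tunable above.
# Reads /proc/mounts unless another file in the same format is given.
gss_mounts() {
    awk '$3 == "nfs4" && $4 ~ /(^|,)sec=krb5[ip]?(,|$)/ { print $2 }' "${1:-/proc/mounts}"
}

# Constructed /proc/mounts-style sample so the script also runs offline
# (server name and export paths are made up).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
nfsserver.example:/export /mnt/secure nfs4 rw,relatime,vers=4.2,sec=krb5p 0 0
nfsserver.example:/home /mnt/home nfs4 rw,relatime,vers=4.2,sec=sys 0 0
/dev/vda1 / xfs rw,relatime 0 0
EOF

echo "client ID mapping: $(idmap_mode client)"
echo "server ID mapping: $(idmap_mode server)"
echo "sample mounts where ID mapping is still required:"
gss_mounts "$SAMPLE_MOUNTS"
rm -f "$SAMPLE_MOUNTS"
```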

Background

There are two different levels of the protocol where we refer to users and groups:

  • The RPC header of each NFS request identifies who is performing that request, either by a reference to a Kerberos credential (in the RPCSEC_GSS case) or by a UID, GID and list of supplementary GIDs (in the AUTH_SYS case). At the RPC protocol level it is possible to set up limited mappings; this is also called "ID Mapping" and is described in the "User ID Mapping" section of exports(5).
  • The payload of NFSv4 requests that set or get the file owner, file group or ACL attributes has to refer to users and groups. It may use either names of the form user@domain or (more recently) numeric IDs. NFSv2 and NFSv3 always use numeric IDs.

This document is focused on the NFSv4 protocol level, not on the RPC protocol level.

It is still important to synchronise UIDs between NFS Clients and NFS Servers; otherwise the permissions and owners of newly created files may be incorrect on AUTH_SYS mounts.

Timeline

RHEL 6

NFS Client

  • In RHEL 6.3 (kernel 2.6.32-279.el6), ID mapping defaults to disabled on the NFS Client, i.e. nfs4_disable_idmapping defaults to "Y".
  • Prior to RHEL 6.3, rpc.idmapd was required for ID mapping. In RHEL 6.3, nfsidmap and keyring-based ID mapping were introduced in nfs-utils-1.2.3-26.el6. There were issues in that implementation which were fixed in RHEL 6.6's nfs-utils-1.2.3-54.el6. If ID mapping is required on RHEL 6.5 or older, please use rpc.idmapd.

NFS Server

  • In RHEL 6.5 (kernel 2.6.32-431.el6), ID mapping can be disabled on the NFS Server; however, nfs4_disable_idmapping defaults to "N". The kernel NFS Server maintainer recommends that users disable ID mapping on new NFS Servers by setting nfs4_disable_idmapping to "Y".
  • The NFS Server uses rpc.idmapd for ID mapping.

RHEL 7 and later versions

  • Both the NFS Client and the NFS Server have ID mapping disabled by default, i.e. nfs4_disable_idmapping defaults to "Y".
  • For ID mapping, the NFS Client uses nfsidmap and the NFS Server uses rpc.idmapd.