Feature #4943

NFS server: Generic uid and gid remapping for AUTH_SYS

Added by Marcel Telka over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: nfs - NFS server and client
Start date: 2014-06-27
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

There are various NFS deployments where it is desired to be able to extend the existing root/root_mapping share_nfs(1m) options to allow generic user remapping.

For example, we had a case where we would like to have the root user from client1 mapped at the server to user jack, while root from client2 should be mapped at the server to user jill.

The traditional share options allow either root=client1,root_mapping=jack to satisfy client1, or root=client2,root_mapping=jill to satisfy client2. It is not possible to combine such options somehow to make it work as desired.

To solve this issue we introduce the generic user and group remapping using two new share_nfs options uidmap and gidmap. The above use case is easily implementable using the following setup:

uidmap=0:jack:client1~0:jill:client2

Here is the relevant part of the share_nfs(1m) man page related to uidmap (gidmap is similar):

         uidmap=mapping[~mapping]...

             Where mapping is:

             [clnt]:[srv]:access_list

             Allows to remap the user ID (uid)  in  the  incoming
             request to some other uid.  This effectively changes
             the user's identity presented to the NFS server.

             For clients where the uid in the incoming request is
             clnt  and the client matches the access_list, change
             the user ID to srv.  If clnt is  asterisk  (*),  all
             users  are mapped by this rule.  If clnt is omitted,
             all unknown users are mapped by this rule.   If  srv
             is  set to -1, access is denied.  If srv is omitted,
             the uid is mapped to UID_NOBODY.

             All mappings are evaluated in  the  specified  order
             until   a   match   is   found.    Both   root=  and
             root_mapping= options (if specified)  are  evaluated
             before  the  uidmap=  option.  The uidmap= option is
             skipped in a  case  the  client  matches  the  root=
             option.

             The uidmap= option is  evaluated  before  the  anon=
             option.

             This option is supported only for AUTH_SYS.
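
An added example, not part of the original issue or of the illumos implementation: a small Python model of the evaluation order the man page excerpt describes, useful for checking which server uid a given client request would end up with before deploying a uidmap= string. Assumptions: the PASSWD table is constructed, access_list matching is reduced to exact host names, an "unknown" user is modelled as a uid absent from that table, and root_mapping= and anon= are not modelled.

```python
UID_NOBODY = 60001  # value of UID_NOBODY on illumos
DENY = -1           # srv of -1 means access is denied

# Constructed server passwd table (name -> uid) for this example.
PASSWD = {"root": 0, "jack": 1001, "jill": 1002}

def _to_uid(field, passwd):
    """Resolve a numeric or user-name field to a uid."""
    return int(field) if field.lstrip("-").isdigit() else passwd[field]

def parse_uidmap(value, passwd=PASSWD):
    """Parse 'mapping[~mapping]...' into ordered (clnt, srv, hosts) rules."""
    rules = []
    for mapping in value.split("~"):
        parts = mapping.split(":", 2)  # access_list may itself contain ':'
        if len(parts) != 3 or not parts[2]:
            raise ValueError(f"bad mapping: {mapping!r}")
        clnt, srv, access_list = parts
        if clnt not in ("", "*"):
            clnt = _to_uid(clnt, passwd)
        srv = UID_NOBODY if srv == "" else _to_uid(srv, passwd)
        # Assumption: access_list holds exact host names only.
        rules.append((clnt, srv, frozenset(access_list.split(":"))))
    return rules

def remap_uid(rules, uid, client, root_clients=(), passwd=PASSWD):
    """Return the mapped uid, DENY, or None when uidmap= does not apply."""
    if client in root_clients:  # uidmap= is skipped for root= clients
        return None
    known = uid in passwd.values()
    for clnt, srv, hosts in rules:  # evaluated in order, first match wins
        if client not in hosts:
            continue
        if clnt == "*" or clnt == uid or (clnt == "" and not known):
            return srv
    return None  # no rule matched; later options such as anon= decide

if __name__ == "__main__":
    rules = parse_uidmap("0:jack:client1~0:jill:client2")
    for host in ("client1", "client2", "client3"):
        print(host, remap_uid(rules, 0, host))
```

Because the first matching rule wins, a broad `*` rule placed ahead of a `-1` deny rule for the same client shadows the deny, so rule order is worth reviewing whenever a mapping is added.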

Related issues

Related to illumos gate - Feature #5296: Support for more than 16 groups with AUTH_SYS | Closed | Marcel Telka | 2014-11-07
