zlacker

>>chmayn+(OP)
I’ve never really understood how permissions are supposed to work with NFS - are user IDs supposed to be consistent across systems?

Is there a sane easy way to implement authentication? Last Time I tried iirc my options were LDAP or nil.

>>hsbaua+Hv
Under NFSv2 and NFSv3, the numeric user and group id is used to determine permission, and these must be aligned between the client and server. I have an oracle uid 60 on an older system that maps as elcaro on an NFS client (because I have a different oracle user there as uid 54321).

Under NFSv4, direct uid/gid is no longer used, but the RPC.idmapd process determines privilege. I'm not really sure how it works beyond continuing to work when uid/gid synchronization is in place for NFSv3 and the connection is upgraded.

There is also an NFS ACL standard, but I don't know anything about it.

>>chasil+lw
> these must be aligned between the client and server

looooool

(Seriously, though, could someone tell me why this was supposed to make sense?)

>>jjoona+4H
If you've got centralized account management, it can work. Sending a fixed length 16-bit numeric id rather than a variable width username is a lot easier.

I've worked somewhere with a lot of NFS, and they had centralized account management, so everything was fine other than actual security, at least until we hit the limit of 16-bit uids. That place had a different centralized account management for production, so uids weren't consistent between corp and prod, but NFS in prod was very limited. (And you wouldn't nfs between corp and prod either)

I worked somewhere else without real centralized management of accounts on prod, and it was a PITA to bring that back under control, when it started becoming important. Even without intentional use of uids, it's convenient that they all line up on all servers; and it's a pain to change a uid that already exists on the system.