Phew! Blogging after almost 3 years.
While setting up NFS, I came across a very annoying challenge where file ownership was shown as the nobody user and group on the client. Although the system was set up according to the standard guidelines, a huge problem came up, especially for NFS v4 shares. So I went a little deeper into how identity mapping really works in NFS, to talk about this faultless and very long exploration into idmapd.
The write-up generally applies to all Linux distributions that support nfs-utils and rpc.idmapd. However, there can be slight variations between distributions in package versions, service management (e.g., systemd versus init), and default configuration (RHEL 7 versus 8 or 9; the same goes for Ubuntu).
It is best to check the availability of the package and service commands on the specific Linux version you are using.
When working with NFS (Network File System), user and group ID mappings must be set up correctly to keep file ownership consistent across clients and servers. This article discusses how the role of idmapd differs between NFS v3 and NFS v4, and how to enable and configure it.
Differences Between idmapd in NFS v3 and NFS v4
NFS v3
No Built-in ID Mapping:
- NFS v3 uses numeric UID and GID values directly. For consistency, the client and server must have matching UID/GID values in their /etc/passwd and /etc/group files.
idmapd is Not Used:
- Since NFS v3 relies purely on numeric IDs, idmapd plays no role. Identity translation is based on matching UID/GID numbers.
NFS v4
1. String-Based ID Mapping:
- NFS v4 replaces numeric UID/GID values with string-based identifiers, such as username@domain.
- Example: User john is represented as john@example.com.
2. idmapd is Mandatory:
- NFS v4 requires rpc.idmapd to translate these string-based user and group names to numeric UIDs and GIDs and vice versa.
- Without idmapd, file ownership may appear as nobody or numeric IDs.
3. Domain Name Consistency:
- The domain name in /etc/idmapd.conf must match between the client and server. A mismatch can lead to mapping failures.
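The following is an added example, not code from the original post: a simplified Python model of the name-to-ID translation described above, showing how a Domain mismatch turns a valid owner into nobody. The two config texts, the corp.example.net domain, the UIDs and the function names are constructed assumptions, and the case-insensitive domain comparison is a choice of this model.

```python
import configparser

# Constructed sample configs (assumptions, not from the post): the server uses
# example.com, the client was left with a different Domain value.
SERVER_CONF = """[General]
Domain = example.com
[Mapping]
Nobody-User = nobody
"""
CLIENT_CONF = """[General]
# Domain left at a value that differs from the server
Domain = corp.example.net
[Mapping]
Nobody-User = nobody
"""
# Constructed stand-in for the client's /etc/passwd: name -> UID.
CLIENT_PASSWD = {"john": 1001, "nobody": 65534}


def load(conf_text):
    """Return (domain, nobody_user) parsed from idmapd.conf text."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    domain = cp.get("General", "Domain", fallback="").strip().lower()
    nobody = cp.get("Mapping", "Nobody-User", fallback="nobody").strip()
    return domain, nobody


def owner_on_wire(user, server_conf):
    """Owner string an NFS v4 server sends for a local user name."""
    domain, _ = load(server_conf)
    return f"{user}@{domain}"


def map_on_client(owner, client_conf, passwd):
    """Simplified model of the client-side name@domain -> UID translation."""
    domain, nobody = load(client_conf)
    name, _, owner_domain = owner.rpartition("@")
    # Fall back to Nobody-User when the string has no domain part, the domain
    # differs from the local Domain, or the user is unknown locally.
    if not name or owner_domain.lower() != domain or name not in passwd:
        name = nobody
    return name, passwd[name]


if __name__ == "__main__":
    owner = owner_on_wire("john", SERVER_CONF)
    print(owner, "->", map_on_client(owner, CLIENT_CONF, CLIENT_PASSWD))
    print(owner, "->", map_on_client(owner, SERVER_CONF, CLIENT_PASSWD))
```

With matching Domain values the owner resolves to john; with the mismatched client config the same string falls back to nobody even though john exists locally.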
How to Enable and Configure idmapd in NFS v4
Step 1: Install Required Packages
Ensure the nfs-utils package is installed on both the client and server:
sudo yum install nfs-utils
Step 2: Configure idmapd
Edit the /etc/idmapd.conf file on both the client and server:
Set the Domain: Ensure the domain name matches on both sides.
[General]
Domain = example.com
Set Mapping Rules (Optional): Define how unknown users and groups should be handled:
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
Step 3: Start and Enable rpc.idmapd
Start the rpc.idmapd service on both the client and server:
sudo systemctl start rpc-idmapd
sudo systemctl enable rpc-idmapd
Verify the service is running:
systemctl status rpc-idmapd
Step 4: Verify UID/GID Mapping
After mounting the NFS v4 share, check the ownership of files to confirm proper mapping:
ls -l /mount/point
Debugging UID/GID Mapping in NFS v4
If user/group mapping issues persist:
1. Enable Debug Logging: Edit /etc/idmapd.conf and add the following under [General]:
Verbosity = 5
Restart the service:
sudo systemctl restart rpc-idmapd
2. Check Logs: Examine debug output:
journalctl -u rpc-idmapd
3. Force a Test: Test the mapping manually:
sudo nfsidmap -c
sudo nfsidmap -v user@example.com
Working with NFS v3
For NFS v3, since idmapd is not used, UID/GID synchronization is critical:
- Ensure Consistency: Verify that /etc/passwd and /etc/group files on the client and server have matching entries.
- Mount Options: Use the anonuid and anongid options if needed to remap unknown IDs:
mount -t nfs -o rw,vers=3,anonuid=1000,anongid=1000 10.0.0.1:/export /mount/point
Key Points
- NFS v3: Relies on numeric UID/GID; no idmapd support.
- NFS v4: Requires rpc.idmapd for string-based user/group mapping.
- Proper configuration of /etc/idmapd.conf and consistent domain names are critical for NFS v4.
By following these guidelines, you can resolve ownership issues and ensure smooth operations with NFS.
Let me know in the comments if you face specific challenges!