On 9 Apr 2024, at 16:50, Zé Geraldo wrote:

> Hello,
>
> I'm seeking advice on configuring NFS to handle a specific scenario
> where the server and client have an offset in their UID/GID values. On
> the server, a UID/GID translates to a UID/GID + 10000 on the client
> side.
>
> Ideally, I'd like to avoid modifying server configurations or changing
> client UIDs at this time.
>
> My current approach involves utilizing the sec=sys option with an
> offset to bridge this UID/GID gap. However, I'm unsure about the
> effectiveness of this method and would appreciate any insights from
> the community about how I could do this.
>
> Here's a summary of the situation:
>
> Problem: Server and client have a UID/GID offset (server UID/GID =
> client UID/GID + 10000)
> Goal: Configure NFS to handle this offset without server config
> changes or client UID modifications.
> Possible Solution (under consideration): Using sec=sys with an offset
> in the mount options.
>
> While alternative configurations like sec=krb5 functioned in a test
> environment, modifying the server configuration is not preferred.
>
> If anyone has experience with similar scenarios or can offer guidance
> on using sec=sys with offsets for NFS, your expertise would be greatly
> appreciated.
>
> Thanks,
>
> José Geraldo

Hi José,

Have you looked into whether user namespaces on top of NFS can solve
your problem? I haven't specifically used them on NFS, but it might be
an existing tool you can build upon. When you set them up, you can
specify a mapping; see user_namespaces(7). A more in-depth explanation
of how they work is here:

https://docs.kernel.org/filesystems/idmappings.html#general-notes

You must know that sec=sys doesn't provide real security, though. As
long as a particular NFS client has sec=sys access to a server,
processes on that client can impersonate any UID/GID.

Ben
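
The mapping format from user_namespaces(7) mentioned in the reply, as an added example that is not part of the original message: a small model of how a uid_map/gid_map line (`ID-inside-ns ID-outside-ns length`) translates IDs in both directions. The sample map, the direction of the 10000 offset, the range length and all function names are assumptions made for illustration; the code does not touch NFS or create a namespace.

```python
"""Model of the uid_map/gid_map translation described in user_namespaces(7)."""
from typing import List, NamedTuple, Optional

OVERFLOW_ID = 65534  # kernel default for /proc/sys/kernel/overflowuid


class Extent(NamedTuple):
    inside: int   # first ID as seen inside the namespace
    outside: int  # first ID as seen in the parent namespace
    length: int   # number of consecutive IDs covered


def parse_id_map(text: str) -> List[Extent]:
    """Parse the contents of /proc/PID/uid_map (or gid_map)."""
    extents = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"bad map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"bad length in: {line!r}")
        extents.append(Extent(inside, outside, length))
    return extents


def to_outside(extents: List[Extent], ns_id: int) -> Optional[int]:
    """ID inside the namespace -> parent ID; None when the ID is unmapped."""
    for e in extents:
        if e.inside <= ns_id < e.inside + e.length:
            return e.outside + (ns_id - e.inside)
    return None


def to_inside(extents: List[Extent], parent_id: int) -> int:
    """Parent ID -> ID seen inside the namespace; unmapped IDs show as overflow."""
    for e in extents:
        if e.outside <= parent_id < e.outside + e.length:
            return e.inside + (parent_id - e.outside)
    return OVERFLOW_ID


# Constructed sample: namespace IDs 0..9999 correspond to parent IDs 10000..19999.
SAMPLE_MAP = "         0      10000      10000\n"

if __name__ == "__main__":
    id_map = parse_id_map(SAMPLE_MAP)
    for ns_id in (0, 1000, 9999, 10000):
        print("inside", ns_id, "-> outside", to_outside(id_map, ns_id))
    for parent_id in (11000, 500):
        print("outside", parent_id, "-> inside", to_inside(id_map, parent_id))
```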