Re: NFSv4 behaviour on unknown users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2010-11-30 at 17:36 -0500, J. Bruce Fields wrote:
> On Tue, Nov 30, 2010 at 05:33:34PM -0500, Trond Myklebust wrote:
> > On Tue, 2010-11-30 at 17:26 -0500, J. Bruce Fields wrote:
> > > On Tue, Nov 30, 2010 at 05:19:38PM -0500, Trond Myklebust wrote:
> > > > On Tue, 2010-11-30 at 10:36 -0500, Steve Dickson wrote:
> > > > > 
> > > > > On 11/29/2010 02:09 PM, Trond Myklebust wrote:
> > > > > > On Mon, 2010-11-29 at 14:01 -0500, J. Bruce Fields wrote:
> > > > > >> On Mon, Nov 29, 2010 at 07:38:30PM +0100, Spelic wrote:
> > > > > >>> On 11/29/2010 07:22 PM, Trond Myklebust wrote:
> > > > > >>>> On Mon, 2010-11-29 at 19:12 +0100, Spelic wrote:
> > > > > >>>> No. That is not allowed by the spec.
> > > > > >>>>
> > > > > >>>> Trond
> > > > > >>>
> > > > > >>> Too bad!! :-((
> > > > > >>> Was that spec decision really wise? :-/
> > > > > >>>
> > > > > >>>
> > > > > >>> BTW:
> > > > > >>> I've just noticed two discussions dated a few months ago in this ML
> > > > > >>> regarding this.
> > > > > >>> the thread named 'numeric UIDs'
> > > > > >>
> > > > > >> There's also a reference to the spec language there--we'd be violating a
> > > > > >> "SHOULD", but I think it would be acceptable if it smooths the v3->v4
> > > > > >> upgrade path for users in your situation.
> > > > > >>
> > > > > >> I think steved's changes still need to be ported to libnfsidmap?
> > > > > > 
> > > > > > I don't see how steved's changes will fix this problem. If the client
> > > > > > has a mapping, it will (MUST) send the mapped uid/gid and the server
> > > > > > still has to make sense of that. Ditto if the server has a mapping, and
> > > > > > the client does not.
> > > > > I actually thought it did... 
> > > > 
> > > > How? The userland library has no concept of whether or not the server
> > > > accepts unmapped uids and gids.
> > > > 
> > > > > Now that the libnfsidmap maintainership has been handed over to me 
> > > > > and I'm about to enable the new nfsidmapper when I commit the 
> > > > > "libnfsidmap: Add numerical string translation" patch... Its 
> > > > > probably time I take a second look at those patches to see
> > > > > if we can ease some of this pain...
> > > > 
> > > > Some reasons for doing this in the kernel are:
> > > > 
> > > > 1) it is easy to do so.
> > > > 2) it allows the kernel to take action to recover
> > > > 3) it fixes the nfsroot problem, provided that the server also sends
> > > > uids/gids in this situation.
> > > 
> > > Makes sense to me.
> > > 
> > > The server side might still be easiest to do in idmapd/libnfsidmap.
> > 
> > The NFS server has to be able to tell the idmapper which variety of
> > mapping it wants. The reason is, as I said, that we want to handle
> > RPCSEC_GSS based authentication (and possibly AUTH_NULL too) differently
> > from AUTH_SYS. The idmapper by itself has no way to distinguish what
> > authentication the client used.
> 
> I still don't understand what the advantage of that would be: why would
> we want to return different file owners depending on which
> authentication flavor the client's request used?

If the client uses AUTH_GSS, then the user gets authorised as user@FOO,
whether or not the server uid matches that of the client. When that user
creates a file, then the file will be created with the server's notion
of what the uid is, so you _want_ idmapping in order to translate that
into a user@foo that the client can translate back into its notion of
the uid.

If the client uses AUTH_SYS, then the user gets authorised as 'client
uid' irrespective of what user@foo maps to on the server. Files will be
created with 'client uid' as the owner. In that case, having the server
translate the owner to 'userbar@foo' is wrong if userbar@foo has a
different uid on the client and server.

Trond

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux