Re: [PATCH] Add regex plugin for nfsidmap

> On 31 Mar 2020, at 18:20, Trond Myklebust <trondmy@xxxxxxxxxxxxxxx> wrote:
> 
> On Tue, 2020-03-31 at 11:02 +0200, Stefan Walter wrote:
>> The patch below adds a new nfsidmap plugin that uses regex to extract
>> ids from NFSv4 names. Names are created from ids by pre- and appending
>> static strings. It works with both idmapd on servers and nfsidmap on
>> clients.
>> 
>> This plugin is especially useful in environments with Active Directory
>> where distributed NFS servers use a mix of short (uname) and long
>> (domain\uname) names. Combining it with the nsswitch plugin covers both
>> variants.
>> 
>> Currently this plugin has its own git project on github but I think
>> it could be helpful if it would be incorporated in the main nfs-utils
>> plugin set.
> 
> Hmm... Why wouldn't you rather want to use something like the
> sss_rpcidmapd plugin in the AD environment? Manual editing of the
> username sounds error prone, particularly if your domain is part of an
> AD forest.
> 
> I'm not saying that this plugin couldn't be useful in other
> circumstances (please elaborate), just that the AD use case sounds a
> little iffy…

The reason why I wrote the plugin initially was because we had a
new SpectrumScale file server with NFS4+Krb5. This system uses
user names of the form DOMAIN\uname. According to IBM that is
by design so that it can support multiple domains as in an AD forest.

Now, our Linux clients and servers too only know users by their
uname. We could not get clients to work in this mixed setup with
either nsswitch.so or sss.so. I just tried again and even fiddling
with No-Strip and Reformat-Group, all I get is nobody:nobody
(on an up-to-date RHEL7).

Another goal was to have raw control over the parsing and
generation of the names, even if only for debugging purposes.
If you think about why the Reformat-Group option was added
according to the man page, this is exactly something a
sysadmin could fix quickly with this plugin while waiting
until the devs figure out how to permanently fix it.

True, in an AD forest the name->id mapping would work, but the
id->name mapping fails because there is no uname->realm
mapping available. The sss plugin can do this correctly I guess,
but then again nsswitch.so cannot either if I read the source right.
