Problem identified!

Those users that have a uid on the client, and not any uid on the server, will pass as uid and be correctly mapped by the client.

Those users that have the same uid on client & server, but different meanings (e.g. 102 is user pf on the server, and user vscan on the client), will be mapped into nobody.........

Problem is I can't go and change uids on servers or clients to have them in different zone numbers...

Is there any way I can force the server or the client to send just uids or not map it into nobody in this case?

Thanx.

----------------------------------------------------------------------------------
From: Joshua M. Clulow
To: Discussion list for OpenIndiana
Date: 28 September 2011 1.57.46 CEST
Subject: Re: [OpenIndiana-discuss] NFS4 users

On 27 July 2011 03:51, David Brodbeck wrote:
> As far as I know this isn't possible with NFSv4. The NFSv4 spec requires
> sending names, not uid numbers, over the wire. If the server and client
> can't agree on the name, it won't work. NFSv3 sends uid numbers over the
> wire, so it doesn't have this requirement.

If you're using AUTH_SYS, I don't think this is quite right.

NFSv4 defines owner and groupowner as string fields usually of the form "user@domain" for metadata operations like chown, certainly. It also defines potential fallback behaviour if the owner or groupowner string contains the UTF8 string presentation of a number, which is just to use the number. Whether or not this fallback numeric behaviour can be used depends on the ID mapper in both the server and the client.

When using AUTH_SYS the RPC authentication part of the protocol is as it was in NFSv3 and earlier. A uid number, primary gid number and an array of sixteen secondary gid numbers are still sent and used to determine the identity of the user performing, for example, an open() or the writing of data.

In practice I think this means that with NFSv4 + AUTH_SYS you actually need user name *and* uidnumber synchronisation between server and client.

If you use Kerberos instead then the RPC authentication data is a Kerberos principal rather than a uidnumber and the AUTH_SYS constraints -- including a maximum of sixteen secondary group memberships -- no longer apply.

NB: It's been at least 6 months since I read through the RFC (and a bunch of code) while chasing down similar issues at a University.

--
Joshua M. Clulow
UNIX Admin/Developer
http://blog.sysmgr.org

_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
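The name-and-uid synchronisation that the reply above says NFSv4 with AUTH_SYS needs can be audited from the two account databases. The following is an added example, not part of the original thread: a Python check that compares passwd-format listings from a client and a server and flags accounts whose name or uid disagree. The function names and all sample entries other than uid 102 (pf/vscan) are constructed for illustration.

```python
def parse_passwd(text):
    """Return {name: uid} from passwd(4)-format text, skipping blanks and comments."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed entry: ignore rather than guess
        accounts.setdefault(fields[0], int(fields[2]))  # first entry wins
    return accounts

def audit(client_text, server_text):
    """Classify client accounts by how their name and uid line up with the server."""
    client, server = parse_passwd(client_text), parse_passwd(server_text)
    server_by_uid = {}
    for name, uid in server.items():
        server_by_uid.setdefault(uid, name)
    report = {"in_sync": [], "uid_collision": [], "uid_drift": [], "client_only": []}
    for name, uid in sorted(client.items()):
        if server.get(name) == uid:
            report["in_sync"].append(name)
        elif name in server:
            # Same name, different number: owner string and AUTH_SYS uid disagree.
            report["uid_drift"].append((name, uid, server[name]))
        elif uid in server_by_uid:
            # Same number, different name: the case the thread reports as "nobody".
            report["uid_collision"].append((name, uid, server_by_uid[uid]))
        else:
            report["client_only"].append((name, uid))
    return report

# Constructed sample data (uid 102 = vscan/pf is from the thread; the rest is made up).
CLIENT_PASSWD = """\
root:x:0:0:Super-User:/root:/bin/bash
vscan:x:102:102::/var/vscan:/bin/false
alice:x:1001:100::/home/alice:/bin/bash
bob:x:1002:100::/home/bob:/bin/bash
"""
SERVER_PASSWD = """\
root:x:0:0:Super-User:/root:/bin/bash
pf:x:102:102::/var/pf:/bin/false
alice:x:2001:100::/home/alice:/bin/bash
"""

if __name__ == "__main__":
    for category, entries in audit(CLIENT_PASSWD, SERVER_PASSWD).items():
        print(category, entries)
```

Accounts reported under uid_collision or uid_drift are the ones that break the name-and-uid agreement described in the reply; only in_sync accounts satisfy it on both sides.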