nfs-idmapper.rst 3.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778
  1. =============
  2. NFS ID Mapper
  3. =============
  4. Id mapper is used by NFS to translate user and group ids into names, and to
  5. translate user and group names into ids. Part of this translation involves
  6. performing an upcall to userspace to request the information. There are two
  7. ways NFS could obtain this information: placing a call to /sbin/request-key
  8. or by placing a call to the rpc.idmap daemon.
  9. NFS will attempt to call /sbin/request-key first. If this succeeds, the
  10. result will be cached using the generic request-key cache. This call should
  11. only fail if /etc/request-key.conf is not configured for the id_resolver key
  12. type, see the "Configuring" section below if you wish to use the request-key
  13. method.
  14. If the call to /sbin/request-key fails (if /etc/request-key.conf is not
  15. configured with the id_resolver key type), then the idmapper will ask the
  16. legacy rpc.idmap daemon for the id mapping. This result will be stored
  17. in a custom NFS idmap cache.
  18. Configuring
  19. ===========
  20. The file /etc/request-key.conf will need to be modified so /sbin/request-key can
  21. direct the upcall. The following line should be added:
  22. ``#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...``
  23. ``#====== ======= =============== =============== ===============================``
  24. ``create id_resolver * * /usr/sbin/nfs.idmap %k %d 600``
  25. This will direct all id_resolver requests to the program /usr/sbin/nfs.idmap.
  26. The last parameter, 600, defines how many seconds into the future the key will
  27. expire. This parameter is optional for /usr/sbin/nfs.idmap. When the timeout
  28. is not specified, nfs.idmap will default to 600 seconds.
  29. id mapper uses for key descriptions::
  30. uid: Find the UID for the given user
  31. gid: Find the GID for the given group
  32. user: Find the user name for the given UID
  33. group: Find the group name for the given GID
  34. You can handle any of these individually, rather than using the generic upcall
  35. program. If you would like to use your own program for a uid lookup then you
  36. would edit your request-key.conf so it look similar to this:
  37. ``#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...``
  38. ``#====== ======= =============== =============== ===============================``
  39. ``create id_resolver uid:* * /some/other/program %k %d 600``
  40. ``create id_resolver * * /usr/sbin/nfs.idmap %k %d 600``
  41. Notice that the new line was added above the line for the generic program.
  42. request-key will find the first matching line and corresponding program. In
  43. this case, /some/other/program will handle all uid lookups and
  44. /usr/sbin/nfs.idmap will handle gid, user, and group lookups.
  45. See Documentation/security/keys/request-key.rst for more information
  46. about the request-key function.
  47. nfs.idmap
  48. =========
  49. nfs.idmap is designed to be called by request-key, and should not be run "by
  50. hand". This program takes two arguments, a serialized key and a key
  51. description. The serialized key is first converted into a key_serial_t, and
  52. then passed as an argument to keyctl_instantiate (both are part of keyutils.h).
  53. The actual lookups are performed by functions found in nfsidmap.h. nfs.idmap
  54. determines the correct function to call by looking at the first part of the
  55. description string. For example, a uid lookup description will appear as
  56. "uid:user@domain".
  57. nfs.idmap will return 0 if the key was instantiated, and non-zero otherwise.