Hello,

I'm seeking advice on configuring NFS to handle a specific scenario
where the server and client have an offset in their UID/GID values. On
the server, a UID/GID translates to a UID/GID + 10000 on the client
side.

Ideally, I'd like to avoid modifying server configurations or changing
client UIDs at this time.

My current approach involves utilizing the sec=sys option with an
offset to bridge this UID/GID gap. However, I'm unsure about the
effectiveness of this method and would appreciate any insights from
the community about how I could do this.

Here's a summary of the situation:

Problem: Server and client have a UID/GID offset (server UID/GID =
client UID/GID + 10000)
Goal: Configure NFS to handle this offset without server config
changes or client UID modifications.
Possible Solution (under consideration): Using sec=sys with an offset
in the mount options.

While alternative configurations like sec=krb5 functioned in a test
environment, modifying the server configuration is not preferred.

If anyone has experience with similar scenarios or can offer guidance
on using sec=sys with offsets for NFS, your expertise would be greatly
appreciated.

Thanks,

José Geraldo

On 9 Apr 2024, at 16:50, Zé Geraldo wrote:
> Hello,
>
> I'm seeking advice on configuring NFS to handle a specific scenario
> where the server and client have an offset in their UID/GID values. On
> the server, a UID/GID translates to a UID/GID + 10000 on the client
> side.
>
> Ideally, I'd like to avoid modifying server configurations or changing
> client UIDs at this time.
>
> My current approach involves utilizing the sec=sys option with an
> offset to bridge this UID/GID gap. However, I'm unsure about the
> effectiveness of this method and would appreciate any insights from
> the community about how I could do this.
>
> Here's a summary of the situation:
>
> Problem: Server and client have a UID/GID offset (server UID/GID =
> client UID/GID + 10000)
> Goal: Configure NFS to handle this offset without server config
> changes or client UID modifications.
> Possible Solution (under consideration): Using sec=sys with an offset
> in the mount options.
>
> While alternative configurations like sec=krb5 functioned in a test
> environment, modifying the server configuration is not preferred.
>
> If anyone has experience with similar scenarios or can offer guidance
> on using sec=sys with offsets for NFS, your expertise would be greatly
> appreciated.
>
> Thanks,
>
> José Geraldo

Hi José,

Have you looked into whether user namespaces on top of NFS can solve your
problem? I haven't specifically used them on NFS, but it might be an
existing tool you can build upon. When you set them up, you can specify a
mapping; see user_namespaces(7). A more in-depth explanation of how they
work is here:

https://docs.kernel.org/filesystems/idmappings.html#general-notes

You must know that sec=sys doesn't provide real security, though. As long
as a particular NFS client has sec=sys access to a server, processes on that
client can impersonate any UID/GID.

Ben
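
The mapping format referred to above (user_namespaces(7): one "inside outside length" extent per line of uid_map/gid_map), as an added example that is not part of the thread and says nothing about whether NFS honours such a mapping. The sample map, the direction of the 10000 offset, the range length and the function names are assumptions made for illustration.

```python
# Added example: ID translation through a uid_map/gid_map table,
# in the "inside outside length" format from user_namespaces(7).
OVERFLOW_ID = 65534  # default /proc/sys/kernel/overflowuid value

# Constructed sample map: inside IDs 0-4999 <-> outside IDs 10000-14999.
# The offset direction and the range length are assumptions.
SAMPLE_MAP = "0 10000 5000\n"


def parse_id_map(text):
    """Return a list of (inside, outside, length) extents."""
    extents = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"line {lineno}: bad extent")
        # Ranges may not overlap on either side of the mapping.
        for o_in, o_out, o_len in extents:
            if inside < o_in + o_len and o_in < inside + length:
                raise ValueError(f"line {lineno}: inside range overlaps")
            if outside < o_out + o_len and o_out < outside + length:
                raise ValueError(f"line {lineno}: outside range overlaps")
        extents.append((inside, outside, length))
    return extents


def to_outside(extents, inside_id):
    """Map a namespace ID to the parent's ID; None when unmapped."""
    for inside, outside, length in extents:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def to_inside(extents, outside_id):
    """Map a parent ID into the namespace; unmapped IDs show as overflow."""
    for inside, outside, length in extents:
        if outside <= outside_id < outside + length:
            return inside + (outside_id - outside)
    return OVERFLOW_ID


if __name__ == "__main__":
    m = parse_id_map(SAMPLE_MAP)
    print([(u, to_outside(m, u)) for u in (0, 1000, 4999, 5000)])
    print([(u, to_inside(m, u)) for u in (11000, 500)])
```

IDs that fall outside every extent are the case to watch: they have no outside equivalent, and file owners without an inside equivalent all collapse to the overflow ID.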