From: Tom Haynes <tdh@excfb.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: "Victor Mataré" <dreck@vmsd.ath.cx>, linux-nfs@vger.kernel.org
Subject: Re: numeric UIDs
Date: Tue, 17 Aug 2010 14:00:39 -0500 [thread overview]
Message-ID: <4C6ADC57.80802@excfb.com> (raw)
In-Reply-To: <20100817182400.GE23176@fieldses.org>
J. Bruce Fields wrote:
> On Tue, Aug 17, 2010 at 12:48:32PM -0500, Tom Haynes wrote:
>
>> J. Bruce Fields wrote:
>>
>>> On Tue, Aug 03, 2010 at 04:01:32AM +0200, Victor Mataré wrote:
>>>
>>>> Hello,
>>>>
>>>> I still hope I'm mistaken in assuming I have to go back to NFSv3
>>>> if I want to skip NFSv4 UID mapping altogether and just use the
>>>> numeric UIDs the way they're stored on-disk. However if that's
>>>> actually true, I'd like to try and make a case for implementing
>>>> an option to turn off UID mapping completely (or at least for
>>>> unknown UIDs). If this is already work in progress, just ignore
>>>> this mail.
>>>>
>>>> Thing is, the forced UID mapping seems to make tasks like
>>>> backing up data a little inconvenient. You might want to
>>>> preserve UIDs that are only known to the client.
>>>> But when you copy an entire root filesystem, it becomes outright
>>>> destructive, because the rootfs will probably have several
>>>> accounts that the server can't be expected know. Just imagine a
>>>> server that's used for maintenance (like backing up and
>>>> replacing hard drives) of random (foreign) systems. Idmapd will
>>>> map all unknown UIDs to a single value and thereby destroy that
>>>> information.
>>>>
>>>> I think I read somewhere
>>>>
>>> Pointer?
>>>
>>>
>> http://www.unix.com/man-page/OpenSolaris/4/nfs/
>>
>> If a domainname is still not obtained following all of the preceding
>> steps, nfsmapid will have no domain configured. This results in the
>> following behavior:
>>
>> o Outbound "owner" and "owner_group" attribute strings are
>> encoded as literal id's. For example, the UID 12345 is
>> encoded as 12345.
>>
>> o nfsmapid ignores the "domain" portion of the inbound
>> attribute string and performs name service lookups only for
>> the user or group. If the user/group exists in the local
>> system name service databases, then the proper uid/gid will
>> be mapped even when no domain has been configured.
>>
>> This behavior implies that the same administrative
>> user/group domain exists between NFSv4 client and server
>> (that is, the same uid/gid's for users/groups on both client
>> and server). In the case of overlapping id spaces, the
>> inbound attribute string could potentially be mapped to the
>> wrong id. However, this is not functionally different from
>> mapping the inbound string to nobody, yet provides greater
>> flexibility.
>>
>
> Thanks!
>
> So the server rejects any attempts to set a numeric uid?
>
No, only ones which do not have a valid mapping in /etc/passwd.
> That means the sort of dumb-backup scenario required above would, as in
> Linux, succeed over v3, but fail over v4?
>
Yes, it appears so.
> And have there been reports of users hitting that issue, or does it
> remain a completely hypothetical problem?
>
> --b.
>
It is all hypothetical. I think you would have to work pretty hard to
get a system in such a state.
And the key would be whether or not the admin populates the local
/etc/passwd.
next prev parent reply other threads:[~2010-08-17 19:01 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-03 2:01 numeric UIDs Victor Mataré
2010-08-03 16:43 ` Jim Rees
2010-08-03 19:22 ` J. Bruce Fields
2010-08-03 21:49 ` Daniel.Muntz
2010-08-03 21:57 ` Jim Rees
2010-08-03 22:15 ` Trond Myklebust
2010-08-03 22:23 ` J. Bruce Fields
2010-08-03 22:31 ` Trond Myklebust
2010-08-03 22:42 ` J. Bruce Fields
2010-08-04 2:02 ` Trond Myklebust
2010-08-04 17:06 ` David Brodbeck
2010-08-04 18:30 ` Andy Adamson
2010-08-04 21:32 ` David Brodbeck
2010-08-11 23:06 ` Neil Brown
2010-08-12 13:20 ` Andy Adamson
2010-08-11 23:10 ` Neil Brown
2010-08-05 15:34 ` J. Bruce Fields
2010-08-11 23:22 ` Neil Brown
2010-08-13 14:43 ` Steve Dickson
2010-08-13 16:31 ` J. Bruce Fields
2010-08-13 17:30 ` Steve Dickson
[not found] ` <4C658146.90207-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2010-08-13 17:37 ` J. Bruce Fields
2010-08-13 18:43 ` Chuck Lever
2010-08-17 17:46 ` Tom Haynes
2010-08-17 18:18 ` J. Bruce Fields
2010-08-17 18:43 ` Tom Haynes
2010-08-17 18:49 ` J. Bruce Fields
2010-08-17 19:21 ` J. Bruce Fields
[not found] ` <4C6559FA.5070809-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2010-08-16 8:30 ` Neil Brown
2010-08-13 14:40 ` Steve Dickson
2010-08-03 19:22 ` J. Bruce Fields
2010-08-17 17:48 ` Tom Haynes
2010-08-17 18:24 ` J. Bruce Fields
2010-08-17 19:00 ` Tom Haynes [this message]
2010-08-17 20:08 ` David Brodbeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C6ADC57.80802@excfb.com \
--to=tdh@excfb.com \
--cc=bfields@fieldses.org \
--cc=dreck@vmsd.ath.cx \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.