From: Tom Haynes <tdh@excfb.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: "Victor Mataré" <dreck@vmsd.ath.cx>, linux-nfs@vger.kernel.org
Subject: Re: numeric UIDs
Date: Tue, 17 Aug 2010 14:00:39 -0500 [thread overview]
Message-ID: <4C6ADC57.80802@excfb.com> (raw)
In-Reply-To: <20100817182400.GE23176@fieldses.org>
J. Bruce Fields wrote:
> On Tue, Aug 17, 2010 at 12:48:32PM -0500, Tom Haynes wrote:
>
>> J. Bruce Fields wrote:
>>
>>> On Tue, Aug 03, 2010 at 04:01:32AM +0200, Victor Mataré wrote:
>>>
>>>> Hello,
>>>>
>>>> I still hope I'm mistaken in assuming I have to go back to NFSv3
>>>> if I want to skip NFSv4 UID mapping altogether and just use the
>>>> numeric UIDs the way they're stored on-disk. However if that's
>>>> actually true, I'd like to try and make a case for implementing
>>>> an option to turn off UID mapping completely (or at least for
>>>> unknown UIDs). If this is already work in progress, just ignore
>>>> this mail.
>>>>
>>>> Thing is, the forced UID mapping seems to make tasks like
>>>> backing up data a little inconvenient. You might want to
>>>> preserve UIDs that are only known to the client.
>>>> But when you copy an entire root filesystem, it becomes outright
>>>> destructive, because the rootfs will probably have several
>>>> accounts that the server can't be expected know. Just imagine a
>>>> server that's used for maintenance (like backing up and
>>>> replacing hard drives) of random (foreign) systems. Idmapd will
>>>> map all unknown UIDs to a single value and thereby destroy that
>>>> information.
>>>>
>>>> I think I read somewhere
>>>>
>>> Pointer?
>>>
>>>
>> http://www.unix.com/man-page/OpenSolaris/4/nfs/
>>
>> If a domainname is still not obtained following all of the preceding
>> steps, nfsmapid will have no domain configured. This results in the
>> following behavior:
>>
>> o Outbound "owner" and "owner_group" attribute strings are
>> encoded as literal id's. For example, the UID 12345 is
>> encoded as 12345.
>>
>> o nfsmapid ignores the "domain" portion of the inbound
>> attribute string and performs name service lookups only for
>> the user or group. If the user/group exists in the local
>> system name service databases, then the proper uid/gid will
>> be mapped even when no domain has been configured.
>>
>> This behavior implies that the same administrative
>> user/group domain exists between NFSv4 client and server
>> (that is, the same uid/gid's for users/groups on both client
>> and server). In the case of overlapping id spaces, the
>> inbound attribute string could potentially be mapped to the
>> wrong id. However, this is not functionally different from
>> mapping the inbound string to nobody, yet provides greater
>> flexibility.
>>
>
> Thanks!
>
> So the server rejects any attempts to set a numeric uid?
>
No, only ones which do not have a valid mapping in /etc/passwd.
> That means the sort of dumb-backup scenario required above would, as in
> Linux, succeed over v3, but fail over v4?
>
Yes, it appears so.
> And have there been reports of users hitting that issue, or does it
> remain a completely hypothetical problem?
>
> --b.
>
It is all hypothetical. I think you would have to work pretty hard to
get a system in such a state.
And the key would be whether or not the admin populates the local
/etc/passwd.
next prev parent reply other threads:[~2010-08-17 19:01 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-03 2:01 numeric UIDs Victor Mataré
2010-08-03 16:43 ` Jim Rees
2010-08-03 19:22 ` J. Bruce Fields
2010-08-03 21:49 ` Daniel.Muntz
2010-08-03 21:57 ` Jim Rees
2010-08-03 22:15 ` Trond Myklebust
2010-08-03 22:23 ` J. Bruce Fields
2010-08-03 22:31 ` Trond Myklebust
2010-08-03 22:42 ` J. Bruce Fields
2010-08-04 2:02 ` Trond Myklebust
2010-08-04 17:06 ` David Brodbeck
2010-08-04 18:30 ` Andy Adamson
2010-08-04 21:32 ` David Brodbeck
2010-08-11 23:06 ` Neil Brown
2010-08-12 13:20 ` Andy Adamson
2010-08-11 23:10 ` Neil Brown
2010-08-05 15:34 ` J. Bruce Fields
2010-08-11 23:22 ` Neil Brown
2010-08-13 14:43 ` Steve Dickson
2010-08-13 16:31 ` J. Bruce Fields
2010-08-13 17:30 ` Steve Dickson
[not found] ` <4C658146.90207-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2010-08-13 17:37 ` J. Bruce Fields
2010-08-13 18:43 ` Chuck Lever
2010-08-17 17:46 ` Tom Haynes
2010-08-17 18:18 ` J. Bruce Fields
2010-08-17 18:43 ` Tom Haynes
2010-08-17 18:49 ` J. Bruce Fields
2010-08-17 19:21 ` J. Bruce Fields
[not found] ` <4C6559FA.5070809-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2010-08-16 8:30 ` Neil Brown
2010-08-13 14:40 ` Steve Dickson
2010-08-03 19:22 ` J. Bruce Fields
2010-08-17 17:48 ` Tom Haynes
2010-08-17 18:24 ` J. Bruce Fields
2010-08-17 19:00 ` Tom Haynes [this message]
2010-08-17 20:08 ` David Brodbeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C6ADC57.80802@excfb.com \
--to=tdh@excfb.com \
--cc=bfields@fieldses.org \
--cc=dreck@vmsd.ath.cx \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).