* Configuring NFS with UID/GID Offset (sec=sys approach)
@ 2024-04-09 20:50 Zé Geraldo
  2024-04-10 17:55 ` Benjamin Coddington
  0 siblings, 1 reply; 2+ messages in thread
From: Zé Geraldo @ 2024-04-09 20:50 UTC (permalink / raw)
  To: linux-nfs

Hello,

I'm seeking advice on configuring NFS to handle a specific scenario
where the server and client have an offset in their UID/GID values. On
the server, a UID/GID translates to a UID/GID + 10000 on the client
side.

Ideally, I'd like to avoid modifying server configurations or changing
client UIDs at this time.

My current approach involves utilizing the sec=sys option with an
offset to bridge this UID/GID gap. However, I'm unsure about the
effectiveness of this method and would appreciate any insights from
the community about how I could do this.

Here's a summary of the situation:

Problem: Server and client have a UID/GID offset (server UID/GID =
client UID/GID + 10000)
Goal: Configure NFS to handle this offset without server config
changes or client UID modifications.
Possible Solution (under consideration): Using sec=sys with an offset
in the mount options.

While alternative configurations like sec=krb5 functioned in a test
environment, modifying the server configuration is not preferred.

If anyone has experience with similar scenarios or can offer guidance
on using sec=sys with offsets for NFS, your expertise would be greatly
appreciated.

Thanks,

José Geraldo


* Re: Configuring NFS with UID/GID Offset (sec=sys approach)
  2024-04-09 20:50 Configuring NFS with UID/GID Offset (sec=sys approach) Zé Geraldo
@ 2024-04-10 17:55 ` Benjamin Coddington
  0 siblings, 0 replies; 2+ messages in thread
From: Benjamin Coddington @ 2024-04-10 17:55 UTC (permalink / raw)
  To: Zé Geraldo; +Cc: linux-nfs

On 9 Apr 2024, at 16:50, Zé Geraldo wrote:

> Hello,
>
> I'm seeking advice on configuring NFS to handle a specific scenario
> where the server and client have an offset in their UID/GID values. On
> the server, a UID/GID translates to a UID/GID + 10000 on the client
> side.
>
> Ideally, I'd like to avoid modifying server configurations or changing
> client UIDs at this time.
>
> My current approach involves utilizing the sec=sys option with an
> offset to bridge this UID/GID gap. However, I'm unsure about the
> effectiveness of this method and would appreciate any insights from
> the community about how I could do this.
>
> Here's a summary of the situation:
>
> Problem: Server and client have a UID/GID offset (server UID/GID =
> client UID/GID + 10000)
> Goal: Configure NFS to handle this offset without server config
> changes or client UID modifications.
> Possible Solution (under consideration): Using sec=sys with an offset
> in the mount options.
>
> While alternative configurations like sec=krb5 functioned in a test
> environment, modifying the server configuration is not preferred.
>
> If anyone has experience with similar scenarios or can offer guidance
> on using sec=sys with offsets for NFS, your expertise would be greatly
> appreciated.
>
> Thanks,
>
> José Geraldo

Hi José,

Have you looked into whether user namespaces on top of NFS can solve your
problem?  I haven't specifically used them on NFS, but it might be an
existing tool you can build upon.  When you set them up, you can specify a
mapping; see user_namespaces(7).  A more in-depth explanation of how they
work is here:
https://docs.kernel.org/filesystems/idmappings.html#general-notes

You must know that sec=sys doesn't provide real security, though.  As long
as a particular NFS client has sec=sys access to a server, processes on that
client can impersonate any UID/GID.

Ben


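To make the mapping Ben points to concrete, here is an added Python example (not code from the thread, the kernel, or nfs-utils) that parses uid_map/gid_map extents in the "ID-inside-ns ID-outside-ns length" form from user_namespaces(7), translates ids in both directions, rejects overlapping extents the way the kernel does, and reports anything outside an extent as the overflow id. The +10000 extent, the 65534 overflow value, and the direction of the offset are constructed assumptions chosen to match the thread.

```python
"""uid_map/gid_map translation as described in user_namespaces(7), worked through for the +10000 offset in this thread. Added example; mapping values are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Default of /proc/sys/kernel/overflowuid: what an id with no extent shows up as.
OVERFLOW_ID = 65534


@dataclass(frozen=True)
class Extent:
    inside: int   # first id as seen by processes inside the namespace
    outside: int  # first id as seen by the kernel (what would go on the wire)
    length: int   # number of consecutive ids covered by this extent


def parse_id_map(text: str) -> list[Extent]:
    """Parse lines of the form 'ID-inside-ns ID-outside-ns length'.
    Like the kernel, reject extents that overlap on either side."""
    extents: list[Extent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        inside, outside, length = (int(f) for f in line.split())
        if length <= 0:
            raise ValueError(f"bad extent length: {line!r}")
        new = Extent(inside, outside, length)
        for old in extents:
            if (new.inside < old.inside + old.length and old.inside < new.inside + new.length) or \
               (new.outside < old.outside + old.length and old.outside < new.outside + new.length):
                raise ValueError(f"overlapping extents: {old} / {new}")
        extents.append(new)
    return extents


def to_outside(extents: list[Extent], inside_id: int) -> int:
    """Id a namespaced process uses -> id the kernel uses; unmapped ids overflow."""
    for e in extents:
        if e.inside <= inside_id < e.inside + e.length:
            return e.outside + (inside_id - e.inside)
    return OVERFLOW_ID


def to_inside(extents: list[Extent], outside_id: int) -> int:
    """Reverse direction: an id owned outside the namespace as seen from inside."""
    for e in extents:
        if e.outside <= outside_id < e.outside + e.length:
            return e.inside + (outside_id - e.outside)
    return OVERFLOW_ID


# Constructed map: inside ids 0..65535 appear as 10000..75535 outside (the +10000 offset).
OFFSET_MAP = parse_id_map("0 10000 65536\n")
```

An id mapping only changes which numbers appear; with sec=sys the server still trusts whatever the client sends, exactly as the last paragraph above says.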
