Trying to wrap my brain around user authentication for NFSv4

Discussion in 'Linux Networking' started by Andrew Gideon, Feb 22, 2014.

  1. I've an extremely heterogeneous environment, with many [virtual] hosts
    that have completely independent sets of users. That is, john@hostA and
    john@hostB are unrelated.

    With NFSv3, this is a non-issue. The NFS servers export different
    volumes to hostA and hostB, and the NFS clients use their UIDs as they
    would on local storage. Because there is no overlap between the volumes
    exported to the different NFS clients, this is not a problem.

    I'm not clear how to get this effect on NFSv4. It seems to presume a
    shared set of users over all NFS clients (even if the names and UIDs of a
    given user might differ from client to client). So where john@hostA
    might be the same user as johnsmith@hostB, NFSv4 maps these together well.

    Yet I cannot see how to get the effect I need, where the sets of users
    are independent.

    Am I missing something?

    Thanks...

    Andrew
     
    Andrew Gideon, Feb 22, 2014
    #1

  2. nfs V4 has serious problems. The whole user/uid translation seems to
    both be buggy and to need a serious rethink. Mount your sites as version 3 (nfs option
    vers=3)
     
    William Unruh, Feb 22, 2014
    #2

  3. Thanks, but this is already my fallback. I could also simply not serve
    NFSv4 from the server if I really decide to abandon NFSv4.

    I was hoping, though, to be able to switch to NFS4 at some point for a
    couple of reasons: the improved (perhaps?) ACL semantics and the single
    "port of entry" simplicity for firewalling.

    I lock down the various ports needed, rather than letting them float, so
    NFSv3 can be firewalled successfully. Simpler is better, though, so I
    was hoping that I'd be able to drop this.

    What serious problems does NFSv4 have? Is it just the issue with mixed/
    independent databases of users with which I've been struggling, or is
    there more?

    Thanks...

    Andrew
     
    Andrew Gideon, Feb 26, 2014
    #3
