• Trying to wrap my brain around user authentication for NFSv4

    From Andrew Gideon@110:110/2002 to All on Sat Feb 22 03:58:38 2014

    I've an extremely heterogeneous environment, with many [virtual] hosts
    that have completely independent sets of users. That is, john@hostA and john@hostB are unrelated.

    With NFSv3, this is a non-issue. The NFS servers export different
    volumes to hostA and hostB, and the NFS clients use their UIDs as they
    would on local storage. Because there is no overlap between the volumes exported to the different NFS clients, this is not a problem.

    I'm not clear how to get this effect on NFSv4. It seems to presume a
    shared set of users over all NFS clients (even if the names and UIDs of a given user might differ from client to client). So where john@hostA
    might be the same user as johnsmith@hostB, NFSv4 maps these together well.

    Yet I cannot see how to get the effect I need, where the sets of users
    are independent.

    Am I missing something?

    Thanks...

    Andrew

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: UsenetServer - www.usenetserver.com (110:110/2002@linuxnet)
  • From William Unruh@110:110/2002 to All on Sat Feb 22 17:53:34 2014
    On 2014-02-22, Andrew Gideon <c182driver9@gideon.org> wrote:

    > I've an extremely heterogeneous environment, with many [virtual] hosts
    > that have completely independent sets of users. That is, john@hostA and john@hostB are unrelated.
    >
    > With NFSv3, this is a non-issue. The NFS servers export different
    > volumes to hostA and hostB, and the NFS clients use their UIDs as they
    > would on local storage. Because there is no overlap between the volumes exported to the different NFS clients, this is not a problem.
    >
    > I'm not clear how to get this effect on NFSv4. It seems to presume a
    > shared set of users over all NFS clients (even if the names and UIDs of a given user might differ from client to client). So where john@hostA
    > might be the same user as johnsmith@hostB, NFSv4 maps these together well.
    >
    > Yet I cannot see how to get the effect I need, where the sets of users
    > are independent.
    >
    > Am I missing something?
    >
    > Thanks...
    >
    > Andrew

    nfs V4 has serious problems. The whole user/uid translation seems to
    both be buggy and to need a serious rethink. Mount your sites as version 3
    (nfs option vers=3)

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Joe Beanfish@110:110/2002 to All on Sun Feb 23 20:28:47 2014
    On Sat, 22 Feb 2014 03:58:38 +0000, Andrew Gideon wrote:

    > I've an extremely heterogeneous environment, with many [virtual] hosts
    > that have completely independent sets of users. That is, john@hostA and john@hostB are unrelated.
    >
    > With NFSv3, this is a non-issue. The NFS servers export different
    > volumes to hostA and hostB, and the NFS clients use their UIDs as they
    > would on local storage. Because there is no overlap between the volumes exported to the different NFS clients, this is not a problem.
    >
    > I'm not clear how to get this effect on NFSv4. It seems to presume a
    > shared set of users over all NFS clients (even if the names and UIDs of
    > a given user might differ from client to client). So where john@hostA
    > might be the same user as johnsmith@hostB, NFSv4 maps these together
    > well.
    >
    > Yet I cannot see how to get the effect I need, where the sets of users
    > are independent.

    I don't know how to do what you want with nfsv4. But if you want nfsv3
    behavior try mounting as nfsv3 using the nfsvers=3 option in mount or
    fstab.

  • From Andrew Gideon@110:110/2002 to All on Wed Feb 26 14:10:49 2014
    On Sat, 22 Feb 2014 17:53:34 +0000, William Unruh wrote:

    > nfs V4 has serious problems. The whole user/uid translation seems to
    > both be buggy and to need a serious rethink. Mount your sites as
    > version 3 (nfs option vers=3)

    Thanks, but this is already my fallback. I could also simply not serve
    NFSv4 from the server if I really decide to abandon NFSv4.

    I was hoping, though, to be able to switch to NFS4 at some point for a
    couple of reasons: the improved (perhaps?) ACL semantics and the single
    "port of entry" simplicity for firewalling.

    I lock down the various ports needed, rather than letting them float, so
    NFSv3 can be firewalled successfully. Simpler is better, though, so I
    was hoping that I'd be able to drop this.

    What serious problems does NFSv4 have? Is it just the issue with
    mixed/independent databases of users with which I've been struggling, or is
    there more?

    Thanks...

    Andrew
