NFS shared directory permission (rhel6)

Tom H tomh0665 at gmail.com
Tue Aug 2 17:05:08 UTC 2011


2011/8/1 夜神 岩男 <supergiantpotato at yahoo.co.jp>:


> You can achieve the same user and group permissions on the clients as on
> the server, but you have to create the users and groups on the server
> side to get this and you must use some form of authentication across the
> network. The server exports the user names and group names, not the
> numbers, so a translation must occur within rpc.idmapd as well. It's not
> as hard as it sounds -- most of it "just works" once you set up
> authentication.
>
> This can happen through the /etc/passwd and /etc/groups files, using
> them as a local directory (which is easy, because this is already the
> default -- in a directory-enabled environment this is easier to maintain
> over the long run, though).
>
> Create the users and groups on the server that exist on your clients.
> Don't worry about the UID and GID numbers matching, they don't need to.
> Make sure the user and group names are the same, though.
>
> Then make sure that you do:
> setsebool -P nfs_export_all_ro=0
> setsebool -P nfs_export_all_rw=1
>
> and that in your /etc/exports you have the correct permissions declared
> for the export. It is also easier to manage a lot of shares if you are
> using the fsid=0 style export directory trees, though I don't think this
> is strictly necessary.
>
> And, critically... you must pick an authentication mechanism that
> rpc.idmapd likes.
>
> The easiest one is Kerberos, and it's really not that difficult to set
> up. Once a Kerberos ticket exists for authentication, then the NFS
> server will believe that you're really user@EXAMPLE.COM and that the
> system you're on is really host/client.example.com@EXAMPLE.COM with a
> valid credential to use nfs/client.example.com@EXAMPLE.COM at
> nfs/server.example.com@EXAMPLE.COM and pass UID/GID information to the
> client.
>
> You don't really *need* directory services like LDAP or NIS, but without
> using authentication I don't think there is a way to get NFSv4 to pass
> UID/GID information.

NFSv4 works without Kerberos or LDAP/NIS/NIS+.

The username and idmapd domain have to match (perhaps the UID too but
I've never tried different UIDs as you suggest above and the
description of idmapd does say that the ID is sent as
username@domain).
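As an added example (not code from either poster), here is a small POSIX shell pre-flight check for the requirement both messages describe: rpc.idmapd sends owners as user@domain, so the idmapd Domain and the account names must agree on server and client while the numeric UID/GID need not. The file layout assumed is the `Domain = ...` line of /etc/idmapd.conf and ordinary /etc/passwd records; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check that an NFSv4 server and client
# agree on the idmapd Domain and on account *names*. UIDs are ignored on
# purpose, since idmapd maps by name, not number. Sample data is constructed;
# on real hosts pass /etc/idmapd.conf and /etc/passwd from each side.

# Print the Domain value from an idmapd.conf-style file (first match only).
idmap_domain() {
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print account names (field 1) present in passwd file $1 but absent from $2.
names_only_in() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Arguments: server_conf client_conf server_passwd client_passwd.
# Returns 0 when domains match and every server account exists on the client,
# 1 otherwise (each problem is printed; such owners would show up as nobody).
idmap_check() {
    rc=0
    srv_dom=$(idmap_domain "$1")
    cli_dom=$(idmap_domain "$2")
    if [ "$srv_dom" != "$cli_dom" ]; then
        echo "domain mismatch: server '$srv_dom' vs client '$cli_dom'"
        rc=1
    fi
    for u in $(names_only_in "$3" "$4"); do
        echo "user '$u' exists on server but not on client"
        rc=1
    done
    return $rc
}

# Constructed samples: same domain, alice has different UIDs (fine), bob is
# missing on the client (reported). Prints the temp directory holding them.
make_samples() {
    d=$(mktemp -d)
    printf '[General]\nDomain = example.com\n' > "$d/server.conf"
    printf '[General]\nDomain = example.com\n' > "$d/client.conf"
    printf 'alice:x:1001:1001::/home/alice:/bin/bash\nbob:x:1002:1002::/home/bob:/bin/bash\n' > "$d/server.passwd"
    printf 'alice:x:5001:5001::/home/alice:/bin/bash\n' > "$d/client.passwd"
    echo "$d"
}

# Stand-alone run against the constructed samples.
samples=$(make_samples)
idmap_check "$samples/server.conf" "$samples/client.conf" "$samples/server.passwd" "$samples/client.passwd"
echo "idmap_check returned $?"
```

Group names can be checked the same way by pointing names_only_in at the two /etc/group files.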

