NFS-related tools
1 nfsidmap
1.1 Impact
After an NFSv4 export is mounted, a file file1 created by user user01 shows up on the NFS client as owned by nobody, while on the NFS server itself it is shown as belonging to a different user. NFSv4 passes file ownership between server and client as strings of the form username@domainname rather than as raw numbers. Put simply, with NFSv4 and idmapd in play the same username@domainname must be resolvable on both sides; an owner string the receiving side cannot resolve is mapped to nobody (more precisely, to the Nobody-User and Nobody-Group configured in /etc/idmapd.conf). Two things therefore have to agree: the NFSv4 domain (Domain in /etc/idmapd.conf, which defaults to the host's DNS domain name) and the presence of the user name in the receiving side's name service. One caveat for Linux-to-Linux setups with sec=sys: recent kernels default nfs4_disable_idmapping to Y (check /sys/module/nfs/parameters/nfs4_disable_idmapping on the client and /sys/module/nfsd/parameters/nfs4_disable_idmapping on the server), in which case owner attributes are exchanged as numeric ID strings and a domain mismatch does not bite. With Kerberos (sec=krb5*), a non-Linux server, or idmapping enabled, the name mapping described here is always in the path.
1.2 Concepts
nfsidmap is a utility on Unix-like operating systems that maps user and group identifiers (UIDs and GIDs) between naming domains. It is used together with NFS (Network File System) to resolve the user and group names carried in NFSv4 requests and replies to their corresponding numeric IDs, and back. On Linux there are two pieces: the nfsidmap program, which the kernel NFSv4 client invokes through the key-request upcall configured in /etc/request-key.d/id_resolver.conf, and the rpc.idmapd daemon, used by the NFS server (and by older clients). Both read /etc/idmapd.conf and share the libnfsidmap translation plugins.
This is how nfsidmap normally works:
- User and group mapping: NFSv4 carries the owner and group attributes of a file as strings (user@domain). Locally, the client identifies users and groups by numeric UIDs and GIDs from its own name service, which may assign different names or numbers than the server does. nfsidmap translates between the two representations in both directions.
- ID-mapping sources: the sources nfsidmap consults are selected by Method in /etc/idmapd.conf. The nsswitch method asks the system name service, so it covers the local /etc/passwd and /etc/group as well as whatever NSS has been configured with (LDAP, NIS, sssd and so on). The umich_ldap method queries an LDAP directory directly using the UMICH schema, and the static method uses a fixed table from the configuration file.
- Mapping cache: to keep lookups cheap, resolved mappings are cached in the kernel keyring for a timeout (typically 600 seconds, the -t value in /etc/request-key.d/id_resolver.conf). nfsidmap -l lists the cached keys and nfsidmap -c clears them; after editing /etc/idmapd.conf, cached entries keep returning the old answer until they expire or are cleared.
- Mount options: on the client, options such as nfsvers (or vers) and sec control the protocol version and the security flavour of the mount, and sec in particular decides whether the RPC credential is a numeric UID (sec=sys) or a Kerberos principal (sec=krb5, krb5i, krb5p). These options go in /etc/fstab or on the mount command line. There is no mount option that selects ID-mapping sources; that is done in /etc/idmapd.conf.
An NFS mount command for the Kerberos case:
mount -t nfs -o nfsvers=4,sec=krb5 server:/shared_directory /mnt/nfs_mount
With sec=krb5 the RPC credential is a Kerberos principal rather than a numeric UID, so the server can only turn it into a local user through the GSS-Methods (or, if unset, Method) lookups in /etc/idmapd.conf; if that lookup fails, every access from that principal is treated as Nobody-User. Note that mount.nfs(8) has no option named nfsidmap; which lookup sources are consulted (local files, LDAP, NIS) is decided by Method in /etc/idmapd.conf, not on the mount command line.
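To make the rule behind the nobody symptom in 1.1 and the mapping steps above concrete, here is an added example (not code from the page or from nfs-utils) that replays offline the decision nfsidmap makes for each owner string it is handed: the domain part is compared with the effective NFSv4 domain read from a constructed /etc/idmapd.conf, the user part is looked up locally, a bare numeric string is passed through, and anything else collapses to Nobody-User. The domain example.com, the constructed config file and the owner strings are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page or of nfs-utils: simulate
# the NFSv4 owner-string mapping that nfsidmap / rpc.idmapd perform, so the
# "file shows up as nobody" symptom can be reproduced without a server.

# Write a constructed client-side idmapd.conf (assumed domain example.com).
write_demo_conf() {
    cat >"$1" <<'EOF'
[General]
Verbosity = 0
# Server and client must agree on this value.
Domain = example.com

[Mapping]
#Nobody-User = nobody
#Nobody-Group = nobody

[Translation]
Method = nsswitch
EOF
}

# Read one key from one [Section]; prints nothing if it is absent or
# commented out, which is how the defaults in the template take effect.
conf_value() {
    awk -F'=' -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); section = $0; next }
        section == want {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# Effective NFSv4 domain: Domain from [General], otherwise the DNS domain
# of this host, the precedence idmapd.conf(5) documents. On a real client
# "nfsidmap -d" prints the value actually in use.
effective_domain() {
    d=$(conf_value "$1" General Domain)
    if [ -n "$d" ]; then
        printf '%s\n' "$d"
    else
        hostname -f 2>/dev/null | sed -n 's/^[^.]*\.//p'
    fi
}

# Resolve one owner string the way the nsswitch method does. Prints the
# local uid on success; prints Nobody-User and returns 1 when the string
# cannot be mapped, with the reason on stderr.
map_owner() {
    owner=$1
    conf=$2
    nobody=$(conf_value "$conf" Mapping Nobody-User)
    nobody=${nobody:-nobody}
    case "$owner" in
        '')
            echo "empty owner string" >&2
            printf '%s\n' "$nobody"; return 1 ;;
        *@*)
            user=${owner%%@*}
            domain=${owner#*@}
            local_domain=$(effective_domain "$conf")
            if [ "$domain" != "$local_domain" ]; then
                echo "domain '$domain' is not the local NFSv4 domain '$local_domain'" >&2
                printf '%s\n' "$nobody"; return 1
            fi
            if uid=$(id -u "$user" 2>/dev/null); then
                printf '%s\n' "$uid"
            else
                echo "user '$user' does not exist in the local name service" >&2
                printf '%s\n' "$nobody"; return 1
            fi ;;
        *[!0-9]*)
            echo "'$owner' is neither user@domain nor numeric" >&2
            printf '%s\n' "$nobody"; return 1 ;;
        *)
            # A bare numeric string is taken as the uid itself; this is what
            # Linux clients send with sec=sys when nfs4_disable_idmapping is Y.
            printf '%s\n' "$owner" ;;
    esac
}

main() {
    conf=${TMPDIR:-/tmp}/idmapd-demo.conf
    write_demo_conf "$conf"
    echo "local NFSv4 domain: $(effective_domain "$conf")"
    for owner in root@example.com user01@example.com user01@other.example 1001; do
        printf '%-26s -> ' "$owner"
        map_owner "$owner" "$conf" || true
    done
    # On a real client: "nfsidmap -l" lists cached answers and
    # "nfsidmap -c" drops them after /etc/idmapd.conf has been fixed.
}

case "${1:-}" in demo) main ;; esac
```

Run it as `sh nfs4_idmap_check.sh demo`. The user01@example.com line will also map to nobody on any machine where no user01 account exists, which is the second half of the 1.1 symptom: a matching domain is necessary but not sufficient, the name must exist on the receiving side too.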
1.3 Configuration file /etc/idmapd.conf
The template below is the one shipped with nfs-utils (newer releases add further keys); every setting is commented out, so the defaults shown in the comments apply until you set them, and in practice Domain is the one line that has to be set identically on server and client.
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu
# The following is a comma-separated list of Kerberos realm
# names that should be considered to be equivalent to the
# local realm, such that <user>@REALM.A can be assumed to
# be the same user as <user>@REALM.B
# If not specified, the default local realm is the domain name,
# which defaults to the host's DNS domain name,
# translated to upper-case.
# Note that if this value is specified, the local realm name
# must be included in the list!
#Local-Realms =
[Mapping]
#Nobody-User = nobody
#Nobody-Group = nobody
[Translation]
# Translation Method is a comma-separated, ordered list of
# translation methods that can be used. Distributed methods
# include "nsswitch", "umich_ldap", and "static". Each method
# is a dynamically loadable plugin library.
# New methods may be defined and inserted in the list.
# The default is "nsswitch".
#Method = nsswitch
# Optional. This is a comma-separated, ordered list of
# translation methods to be used for translating GSS
# authenticated names to ids.
# If this option is omitted, the same methods as those
# specified in "Method" are used.
#GSS-Methods = <alternate method list for translating GSS names>
#-------------------------------------------------------------------#
# The following are used only for the "static" Translation Method.
#-------------------------------------------------------------------#
[Static]
# A "static" list of GSS-Authenticated names to
# local user name mappings
#someuser@REALM = localuser
#-------------------------------------------------------------------#
# The following are used only for the "umich_ldap" Translation Method.
#-------------------------------------------------------------------#
[UMICH_SCHEMA]
# server information (REQUIRED)
LDAP_server = ldap-server.local.domain.edu
# the default search base (REQUIRED)
LDAP_base = dc=local,dc=domain,dc=edu
#-----------------------------------------------------------#
# The remaining options have defaults (as shown)
# and are therefore not required.
#-----------------------------------------------------------#
# whether or not to perform canonicalization on the
# name given as LDAP_server
#LDAP_canonicalize_name = true
# absolute search base for (people) accounts
#LDAP_people_base = <LDAP_base>
# absolute search base for groups
#LDAP_group_base = <LDAP_base>
# Set to true to enable SSL - anything else is not enabled
#LDAP_use_ssl = false
# You must specify a CA certificate location if you enable SSL
#LDAP_ca_cert = /etc/ldapca.cert
# Objectclass mapping information
# Mapping for the person (account) object class
#NFSv4_person_objectclass = NFSv4RemotePerson
# Mapping for the nfsv4name attribute of the person object
#NFSv4_name_attr = NFSv4Name
# Mapping for the UID number
#NFSv4_uid_attr = UIDNumber
# Mapping for the GSSAPI Principal name
#GSS_principal_attr = GSSAuthName
# Mapping for the account name attribute (usually uid)
# The value for this attribute must match the value of
# the group member attribute - NFSv4_member_attr
#NFSv4_acctname_attr = uid
# Mapping for the group object class
#NFSv4_group_objectclass = NFSv4RemoteGroup
# Mapping for the GID attribute
#NFSv4_gid_attr = GIDNumber
# Mapping for the Group NFSv4 name
#NFSv4_group_attr = NFSv4Name
# Mapping for the Group member attribute (usually memberUID)
# The value of this attribute must match the value of NFSv4_acctname_attr
#NFSv4_member_attr = memberUID
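As an added example for the template above (not from the page or from nfs-utils), the script renders the minimal client-side and server-side idmapd.conf that fixes the scenario in 1.1 and audits the pair: a file that leaves Domain unset is flagged, because the mapping then silently depends on each host's DNS domain name, and two files that pin different domains are flagged as the mismatch that turns every owner into nobody. The static [Static] entry shows how a Kerberos principal from another realm is pinned to a local account for sec=krb5 mounts. The domain example.com, the realm CORP.EXAMPLE and the user01 mapping are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page or of nfs-utils: render a
# pair of idmapd.conf files and audit that client and server agree on the
# NFSv4 domain, the weak (unset) configuration beside the corrected one.

# Render an idmapd.conf. $1 = output path, $2 = NFSv4 domain ("" leaves it
# unset), remaining args are principal=localuser entries for the [Static]
# table, consulted for GSS-authenticated names on Kerberos mounts.
render_idmapd_conf() {
    out=$1
    domain=$2
    shift 2
    {
        echo '[General]'
        if [ -n "$domain" ]; then
            echo "Domain = $domain"
        else
            echo '# Domain not set: falls back to the DNS domain name of this host'
        fi
        echo
        echo '[Mapping]'
        echo 'Nobody-User = nobody'
        echo 'Nobody-Group = nobody'
        echo
        echo '[Translation]'
        echo 'Method = nsswitch'
        if [ $# -gt 0 ]; then
            # Try the static table first for GSS names, then fall back to NSS.
            echo 'GSS-Methods = static,nsswitch'
            echo
            echo '[Static]'
            for m in "$@"; do
                echo "${m%%=*} = ${m#*=}"
            done
        fi
    } >"$out"
}

# Print the Domain pinned in an idmapd.conf, or nothing when it is unset
# (Domain only ever appears in [General], so no section tracking is needed).
configured_domain() {
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Returns 0 when both files pin the same Domain, 1 when either relies on the
# DNS fallback or the two values differ; both cases produce the nobody owner
# as soon as client and server sit in different DNS domains.
audit_domain_pair() {
    c=$(configured_domain "$1")
    s=$(configured_domain "$2")
    if [ -z "$c" ] || [ -z "$s" ]; then
        echo "Domain not pinned in $1 or $2: result depends on each host's DNS domain" >&2
        return 1
    fi
    if [ "$c" != "$s" ]; then
        echo "Domain mismatch: client=$c server=$s; names will map to Nobody-User" >&2
        return 1
    fi
    echo "Domain pinned to $c on both sides"
}

main() {
    d=$(mktemp -d)
    # Weak: neither side sets Domain, so each host guesses from DNS.
    render_idmapd_conf "$d/client-weak.conf" ""
    render_idmapd_conf "$d/server-weak.conf" ""
    audit_domain_pair "$d/client-weak.conf" "$d/server-weak.conf" || true
    # Corrected: Domain pinned on both sides, plus a static entry on the
    # client for a principal whose realm is not the NFSv4 domain.
    render_idmapd_conf "$d/client.conf" example.com 'user01@CORP.EXAMPLE=user01'
    render_idmapd_conf "$d/server.conf" example.com
    audit_domain_pair "$d/client.conf" "$d/server.conf"
    cat "$d/client.conf"
    rm -rf "$d"
}

case "${1:-}" in demo) main ;; esac
```

After installing the rendered files, clear the client's cached answers with nfsidmap -c and restart rpc.idmapd on the server (nfs-idmapd.service on systemd distributions; the unit name varies), then compare ls -ln with ls -l on the mount: numeric owners equal to the Nobody-User's uid (65534 or 99 depending on distribution) mean the mapping is still failing.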