0001 =============
0002 NFS ID Mapper
0003 =============
0004
0005 Id mapper is used by NFS to translate user and group ids into names, and to
0006 translate user and group names into ids. Part of this translation involves
0007 performing an upcall to userspace to request the information. There are two
0008 ways NFS could obtain this information: placing a call to /sbin/request-key
0009 or by placing a call to the rpc.idmap daemon.
0010
0011 NFS will attempt to call /sbin/request-key first. If this succeeds, the
0012 result will be cached using the generic request-key cache. This call should
0013 only fail if /etc/request-key.conf is not configured for the id_resolver key
0014 type, see the "Configuring" section below if you wish to use the request-key
0015 method.
0016
0017 If the call to /sbin/request-key fails (if /etc/request-key.conf is not
0018 configured with the id_resolver key type), then the idmapper will ask the
0019 legacy rpc.idmap daemon for the id mapping. This result will be stored
0020 in a custom NFS idmap cache.
0021
0022
0023 Configuring
0024 ===========
0025
0026 The file /etc/request-key.conf will need to be modified so /sbin/request-key can
0027 direct the upcall. The following line should be added:
0028
0029 ``#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...``
0030 ``#====== ======= =============== =============== ===============================``
0031 ``create id_resolver * * /usr/sbin/nfs.idmap %k %d 600``
0032
0033
0034 This will direct all id_resolver requests to the program /usr/sbin/nfs.idmap.
0035 The last parameter, 600, defines how many seconds into the future the key will
0036 expire. This parameter is optional for /usr/sbin/nfs.idmap. When the timeout
0037 is not specified, nfs.idmap will default to 600 seconds.
0038
0039 id mapper uses for key descriptions::
0040
0041 uid: Find the UID for the given user
0042 gid: Find the GID for the given group
0043 user: Find the user name for the given UID
0044 group: Find the group name for the given GID
0045
0046 You can handle any of these individually, rather than using the generic upcall
0047 program. If you would like to use your own program for a uid lookup then you
0048 would edit your request-key.conf so it look similar to this:
0049
0050 ``#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...``
0051 ``#====== ======= =============== =============== ===============================``
0052 ``create id_resolver uid:* * /some/other/program %k %d 600``
0053 ``create id_resolver * * /usr/sbin/nfs.idmap %k %d 600``
0054
0055
0056 Notice that the new line was added above the line for the generic program.
0057 request-key will find the first matching line and corresponding program. In
0058 this case, /some/other/program will handle all uid lookups and
0059 /usr/sbin/nfs.idmap will handle gid, user, and group lookups.
0060
0061 See Documentation/security/keys/request-key.rst for more information
0062 about the request-key function.
0063
0064
0065 nfs.idmap
0066 =========
0067
0068 nfs.idmap is designed to be called by request-key, and should not be run "by
0069 hand". This program takes two arguments, a serialized key and a key
0070 description. The serialized key is first converted into a key_serial_t, and
0071 then passed as an argument to keyctl_instantiate (both are part of keyutils.h).
0072
0073 The actual lookups are performed by functions found in nfsidmap.h. nfs.idmap
0074 determines the correct function to call by looking at the first part of the
0075 description string. For example, a uid lookup description will appear as
0076 "uid:user@domain".
0077
0078 nfs.idmap will return 0 if the key was instantiated, and non-zero otherwise.
