NFSv4 User ID Mapping: Solving UID/GID Mismatch Without LDAP or Kerberos


8 views

After setting up a new NFSv4 server, I encountered the classic UID/GID mismatch problem between server and client. Unlike NFSv3 which transmits numeric IDs, NFSv4 is supposed to handle user/group names - but in practice, this often fails without proper configuration.

In my test environment:


# Server users
user1@server:~$ id user1
uid=1000(user1) gid=1000(user1)
user1@server:~$ id user2
uid=1001(user2) gid=1001(user2)

# Client users (same usernames, different IDs)
user1@client:~$ id user1
uid=1001(user1) gid=1002(user1)

Files created on the client appear with incorrect ownership on the server:


# Client view
-rw-rw-r-- 1 user1 user1 0 nov  2 17:24 testfile

# Server view
-rw-rw-r-- 1 user2 1002 0 nov  2 17:24 testfile

First, ensure idmapd is properly configured on both systems:


# /etc/idmapd.conf (both server and client)
[General]
Domain = yourdomain.local
Pipefs-Directory = /run/rpc_pipefs

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

Critical kernel parameter settings:


# On server
echo "N" | sudo tee /sys/module/nfsd/parameters/nfs4_disable_idmapping

# On client
echo "N" | sudo tee /sys/module/nfs/parameters/nfs4_disable_idmapping

For environments where dynamic mapping fails, static mapping can be enforced:


# /etc/idmapd.conf addition
[Translation]
Method = static

[Static]
user1@yourdomain.local = user1
user2@yourdomain.local = user2

After configuration changes, always:


sudo systemctl restart nfs-server   # On server
sudo systemctl restart rpcidmapd    # On both systems
sudo nfsidmap -c                   # Clear existing mappings

Check active mappings with:


nfsidmap -d                        # Debug mode

For more complex environments, consider:


# /etc/exports example with security options
"/srv/nfs/test" 192.168.x.x(rw,sync,no_subtree_check,all_squash,anonuid=65534,anongid=65534)

Remember that NFSv4.1 and later versions offer improved idmapping features worth exploring.

When setting up NFSv4 between Linux systems with different UID/GID assignments but identical usernames, ownership translation fails despite idmapd configuration. Here's what happens under the hood:

# Client view (incorrect UID 1001 → correct username)
-rw-rw-r-- 1 user1 user1 0 nov  2 17:24 testfile

# Server view (wrong UID mapping)
-rw-rw-r-- 1 user2 1002 0 nov  2 17:24 testfile

First, verify your NFS version and idmapd status:

# On both server and client:
cat /proc/fs/nfsd/versions  # Should show +4
systemctl status nfs-idmapd # Service must be active

Create identical configurations on both systems:

# /etc/idmapd.conf
[General]
Domain = yourdomain.local
Pipefs-Directory = /run/rpc_pipefs

[Translation]
Method = nsswitch

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Static]
user1@yourdomain.local = user1
user2@yourdomain.local = user2

Essential sysctl tweaks for proper NFSv4 operation:

# On client:
echo "N" | sudo tee /sys/module/nfs/parameters/nfs4_disable_idmapping

# On server:
echo "N" | sudo tee /sys/module/nfsd/parameters/nfs4_disable_idmapping

After applying changes, verify the mapping:

# Clear existing mappings
sudo nfsidmap -c

# Test with getfacl
touch /mnt/nfs/testfile
getfacl /mnt/nfs/testfile

If you see 4294967294 (2^32-2) in listings:

# Check rpc.idmapd logs
journalctl -u nfs-idmapd --no-pager -n 50

# Verify keyring exists
ls -l /proc/keys

Make changes survive reboots:

# /etc/modprobe.d/nfs.conf
options nfs nfs4_disable_idmapping=0
options nfsd nfs4_disable_idmapping=0

For small deployments, explicit mapping works well:

# /etc/idmapd.conf
[Static]
user1@domain = 1000
user2@domain = 1001