From: Rick Macklem
To: "Russell L. Carter", "freebsd-current@freebsd.org"
Subject: Re: Documentation regarding NFSv4
Date: Sat, 19 Sep 2020 01:29:24 +0000

Russell L. Carter wrote:
>On 2020-09-18 16:28, Rick Macklem wrote:
> > Oh, and I forgot to mention name<->id# mapping.
> > If using AUTH_SYS (not kerberos), then you have the
> > choice of running "nfsuserd" or setting these two sysctls to 1.
> > vfs.nfs.enable_uidtostring=1
> > vfs.nfsd.enable_stringtouid=1
> > --> This makes the server just handle id#s (uid, gid) as numbers in
> >     a string. (This is the default for Linux these days although it was
> >     frowned upon in the early days.)
> >
> > Running nfsuserd maps uid, gid numbers to/from names using the
> > password and group databases. This must be used for Kerberos mounts.
> >
> > Without the above properly configured, you'll see lots of files owned
> > by "nobody" on the client mounts.
>
>Those sysctls are interesting. I wasn't aware of them and so I run
>nfsuserd. What do they do, practically speaking? My understanding,
>likely wrong, is that nfsuserd should allow different uid/gid
>server->client mappings, possibly different for different clients.
Well, in theory, yes.
In practice, that never really happened.
When NFSv4 was being designed, putting uid/gid numbers in file attributes
was felt to be too POSIX centric, so in file attributes, they are defined
as a string of the form "user@domain" or "group@domain".
What never happened was a good definition of what "domain" was supposed
to be or how clients/servers would handle multiple domains.
--> So, only one "domain" normally works and it is usually the same
    as the domain part of the machine's hostname.

Linux got tired of doing the number->string and string->number
mapping (awkward for NFS mounted root file systems, since the mapping
daemon is not running right away), so they switched to just doing
"uid" and "gid" (ie. the numbers in strings).
--> By setting the sysctls (both for the server), you run Linux compatible
    and don't need to run the nfsuserd (unless you use the -manage-gids
    option on it).

These days Linux is the de-facto standard (unless you are using Windows).

>However I still had to sync uid/gids across machines even though they
>are all running nfsuserd. Didn't disable nfsuserd because... system
>is working... DFWI.
Well, user authentication is a different story...
- For Kerberos, the kerberos user principal is translated to POSIX
  credentials by the gssd daemon and you don't need a consistent
  uid, gid space, but do need to run nfsuserd, since the "uid" and "gid"
  strings don't work.
- Otherwise, you are using AUTH_SYS, which means the RPC authenticator
  has a uid and gid list in it and the credentials are derived from that.
  (If you run "nfsuserd -manage-gids", then the uid is used to acquire
  a list of gids on the server from its group database. Otherwise, the
  list of gids in the RPC authenticator is used.)
  --> You need a uniform uid space (and uniform gid space unless you
      are using "nfsuserd -manage-gids").

Confusing, yes.

rick

Anyway, naked FreeBSD-stable nfsv4 is rock solid in a clamped down
arena with a variety of FreeBSD and Debian clients. Kudos.

Thanks,
Russell

> rick
>
> ________________________________________
> From: Rick Macklem

_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"