# NFSv4 share on ZFS using sys authentication



## spring_64 (Feb 19, 2017)

Hi all,
I have a ZFS-based server (FreeBSD 11) and I want to use NFSv4 on it. I used an access list on the shared folder and set permissions on it, but clients that have write permission can't write to the share.

My exports file is:

```
/pool/share1 -sec=sys -network 0.0.0.0 -mask 0.0.0.0
V4: /pool
```
I added a user named test on both client and server (their UIDs are different).

The file permission is:

```
#getfacl /pool/share1
# file: /pool/share1
# owner: root
# group: wheel
       user:test:rwxp----------:-------:allow
```
/etc/rc.conf on server is:

```
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"
rpcbind_enable="YES"
mountd_flags="-r"
mountd_enable="YES"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"

nfsv4_server_enable="YES"
nfsuserd_enable="YES"
```

/etc/rc.conf on client is:


```
nfsuserd_enable="YES"
nfscbd_enable="YES"
hostid_enable="NO"
```

The mount command on client is:

```
mount_nfs -o nfsv4,sec=sys x.x.x.x:/ mnt/
```

My problem is that I do not have write permission on share1.


----------
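An added example, not part of the original post: the same exports(5) entries with the export limited to one client network. `-network 0.0.0.0 -mask 0.0.0.0` matches every address, so the share as posted is offered to any host that can reach the server, and with `-sec=sys` every such host can present whatever uid it likes in the AUTH_SYS credential. 192.0.2.0/24 below is a placeholder for the real client subnet.

```text
# /etc/exports (added example; 192.0.2.0/24 stands in for the client subnet)
/pool/share1 -sec=sys -network 192.0.2.0 -mask 255.255.255.0
V4: /pool -sec=sys
```

After editing, `service mountd reload` makes mountd re-read the file; `showmount -e` on the server lists what is currently exported and to whom.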



## RM. (Feb 20, 2017)

Does "normal" ID mapping (nfsuserd) between server and client work?

You can check it: change the owner of a file on the server to user x and then check whether the same name is listed as the owner of the file on the client filesystem (user x must exist on both systems).


----------



## spring_64 (Feb 22, 2017)

RM. said:


> Does "normal" ID mapping (nfsuserd) between server and client work?


Thanks for your response.
When the UID of a user on the client is the same as the UID of that user on the server, there is no problem. But when the UIDs are different, the share is only readable.


----------



## gkontos (Feb 22, 2017)

It is pretty much the expected behavior if you use sec=sys. For more information have a look here.


----------



## RM. (Feb 22, 2017)

spring_64 said:


> Thanks for your response.
> When the UID of a user on the client is the same as the UID of that user on the server, there is no problem. But when the UIDs are different, the share is only readable.



NFSv4 doesn't transmit the UID. In NFSv4 the owner is transmitted as `<username>@<domainname>`. This requires the UID<->name mapping, which is done on the server and client side (`nfsuserd` in FreeBSD, `rpc.idmapd` in Debian). The benefit is that you don't need matching UIDs/GIDs between server and clients anymore.

*Server side (nfsuserd)*: UID on server ---> owner@domain (= max@example.org)

*NFSv4 transport:* the owner of file 'xyz' is "max@example.org"

*Client side:* max@example.org --> UID on client


----------



## gkontos (Feb 22, 2017)

RM. said:


> NFSv4 doesn't transmit the UID. In NFSv4 the owner is transmitted as `<username>@<domainname>`. This requires the UID<->name mapping, which is done on the server and client side (`nfsuserd` in FreeBSD, `rpc.idmapd` in Debian). The benefit is that you don't need matching UIDs/GIDs between server and clients anymore.
> 
> *Server side (nfsuserd)*: UID on server ---> owner@domain (= max@example.org)
> 
> ...



You still need some sort of authentication. Kerberos is the most used.


----------



## RM. (Feb 24, 2017)

gkontos said:


> You still need some sort of authentication. Kerberos is the most used.



Not at all. If you use `sec=sys` you can map "max@example.org" to whatever you want and it works. So you don't need real authentication like Kerberos.


----------



## gkontos (Feb 24, 2017)

RM. said:


> Not at all. If you use `sec=sys`
> 
> 
> 
> ...


That way you need to match the UIDs on both the server and the client.


----------



## spring_64 (Feb 25, 2017)

Thanks, everyone, for your useful responses.



RM. said:


> you can map "max@example.org" to whatever you want



How should I map "max@example.org" to ...?
I know nfsuserd does this, but I can't find the config file.



gkontos said:


> That way you need to match the UIDs on both the server and the client.



Does this work without matching UIDs on both the server and the client?


----------



## RM. (Mar 1, 2017)

gkontos said:


> That way you need to match the UIDs on both the server and the client.



Why should you need matching UIDs between server and client?

In NFSv4 it's irrelevant; you only need the same username/groupname on client and server. The UIDs of the usernames/groupnames can be different on server and clients. That's the benefit of the `<username>@<domainname>` transmission. It is also irrelevant whether you use secure NFSv4 or not (sys, krb5, krb5i, krb5p).

If the same user/group names don't exist on server and clients, the mapping of the user/group name will default to nobody/nogroup (which are the default settings).


----------
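An added example in shell (it is not nfsuserd or nfsd code, and it is not from any post in this thread) that models the two separate mechanisms the posts above are talking about. The owner attribute travels as `<name>@<domain>` and is mapped through each side's passwd table, falling back to nobody when the name or the domain is unknown, as RM. describes. The AUTH_SYS credential used by `sec=sys` is a different thing: it still carries the client's numeric uid and gid, and that number is what the server compares against its ACL, which is why a user named test with uid 2001 on the client does not match the server's ACL entry for test with uid 1001. The passwd tables, the domain example.org and the ACL uid are constructed for the example.

```shell
#!/bin/sh
# Model of NFSv4 owner-name mapping versus AUTH_SYS (sec=sys) credentials.
# Added illustration only; passwd tables, domain and ACL uid are constructed.

NFS_DOMAIN="example.org"   # assumed domain (nfsuserd -domain on FreeBSD)

# Constructed /etc/passwd extracts: the same user name "test" exists on both
# sides, but with different uids (1001 on the server, 2001 on the client).
SERVER_PASSWD="root:*:0:0:root:/root:/bin/sh
test:*:1001:1001:test user:/home/test:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin"

CLIENT_PASSWD="root:*:0:0:root:/root:/bin/sh
test:*:2001:2001:test user:/home/test:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin"

# uid -> name in a passwd table; unknown uids map to "nobody"
uid_to_name() {   # $1 = passwd table, $2 = uid
    printf '%s\n' "$1" | awk -F: -v uid="$2" \
        '$3 == uid { print $1; found = 1; exit } END { if (!found) print "nobody" }'
}

# name -> uid in a passwd table; unknown names map to the uid of nobody
name_to_uid() {   # $1 = passwd table, $2 = name
    printf '%s\n' "$1" | awk -F: -v name="$2" \
        '$1 == name { print $3; found = 1; exit } END { if (!found) print 65534 }'
}

# Server side: the owner attribute on the wire is "<name>@<domain>", built
# from the server's passwd table (what nfsuserd does for nfsd).
server_owner_string() {   # $1 = server-side uid of the file owner
    printf '%s@%s\n' "$(uid_to_name "$SERVER_PASSWD" "$1")" "$NFS_DOMAIN"
}

# Client side: the string is mapped back with the client's passwd table, so
# the resulting uid can differ from the server's. A foreign domain or an
# unknown name ends up as nobody.
client_owner_uid() {   # $1 = owner string from the server, e.g. test@example.org
    domain="${1##*@}"
    name="${1%@*}"
    if [ "$domain" != "$NFS_DOMAIN" ]; then
        name="nobody"
    fi
    name_to_uid "$CLIENT_PASSWD" "$name"
}

# Constructed server-side ACL: the only entry granting write is for server
# uid 1001, which is what "user:test:rwxp...:allow" means on that server.
ACL_WRITE_UID=1001

# sec=sys: the AUTH_SYS credential carries the client's numeric uid, not a
# name. The server checks that number against its ACL; the name mapping
# above is not consulted for the access decision.
write_allowed_sec_sys() {   # $1 = numeric uid from the client's credential
    if [ "$1" -eq "$ACL_WRITE_UID" ]; then
        echo allow
    else
        echo deny
    fi
}

# Walk through the situation from the thread.
owner=$(server_owner_string 1001)
echo "owner attribute on the wire:  $owner"
echo "owner uid seen on the client: $(client_owner_uid "$owner")"
client_uid=$(name_to_uid "$CLIENT_PASSWD" test)
echo "write by client uid $client_uid:    $(write_allowed_sec_sys "$client_uid")"
echo "owner uid for an unknown name: $(client_owner_uid alice@example.org)"
```

The name mapping succeeds (ls on the client shows test as the owner, resolved to the client's own uid 2001), while the write is refused because the credential says 2001 and the ACL entry is for 1001. With `sec=krb5*` the server derives the uid from the authenticated principal on its own side instead, which is the difference the later posts argue about.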



## RM. (Mar 1, 2017)

spring_64 said:


> How should I map "max@example.org" to ...?
> I know nfsuserd does this, but I can't find the config file.
> 
> Does this work without matching UIDs on both the server and the client?



The mapping is done on the client side, so you have to configure it there. If you have Linux clients please look at:
https://linux.die.net/man/8/rpc.idmapd (/etc/idmapd.conf)
http://man7.org/linux/man-pages/man5/nfsidmap.5.html (/etc/idmapd.conf)

If you have FreeBSD clients it seems that you can't configure it, so the usernames/groupnames must exist on the client side:
https://www.freebsd.org/cgi/man.cgi...FreeBSD+11.0-RELEASE&arch=default&format=html


----------
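For a Linux client, the static translation that rpc.idmapd/nfsidmap support looks like this in /etc/idmapd.conf (added example, not from the thread; example.org, max and localmax are placeholder names):

```ini
[General]
# must be the same domain the server uses (nfsuserd -domain on FreeBSD)
Domain = example.org

[Translation]
# consult the static table first, then the local passwd/group database
Method = static,nsswitch

[Static]
# <name>@<domain> as sent by the server  =  local account on this client
max@example.org = localmax
```

After changing the file, restart rpc.idmapd (or, with the keyring-based nfsidmap, run `nfsidmap -c` to drop cached mappings) and check with `ls -l` on the mount that the owner now resolves to the local account. This only changes how owner names are displayed and set; with `sec=sys` the uid in the RPC credential is still the client's numeric uid, which is the point gkontos makes above.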



## gkontos (Mar 2, 2017)

RM. said:


> Why should you need matching UIDs between server and client?
> 
> In NFSv4 it's irrelevant; you only need the same username/groupname on client and server. The UIDs of the usernames/groupnames can be different on server and clients. That's the benefit of the
> 
> ...



See here ->> https://forums.freebsd.org/threads/51122/


----------

