nfsidmap(5) [centos man page]
nfsidmap(5) File Formats Manual nfsidmap(5) NAME
nfsidmap - The NFS idmapper upcall program SYNOPSIS
nfsidmap [-v] [-t timeout] key desc nfsidmap [-v] [-c] nfsidmap [-v] [-u|-g|-r user] DESCRIPTION
The file /usr/sbin/nfsidmap is used by the NFS idmapper to translate user and group ids into names, and to translate user and group names into ids. Idmapper uses request-key to perform the upcall and cache the result. /usr/sbin/nfsidmap is called by /sbin/request-key, and will perform the translation and initialize a key with the resulting information. nfsidmap can also used to clear the keyring of all the keys or revoke one particular key. This is useful when the id mappings have failed to due to a lookup error resulting in all the cached uids/gids to be set to the user id nobody. OPTIONS
-c Clear the keyring of all the keys. -g user Revoke the gid key of the given user. -r user Revoke both the uid and gid key of the given user. -t timeout Set the expiration timer, in seconds, on the key. The default is 600 seconds (10 mins). -u user Revoke the uid key of the given user. -v Increases the verbosity of the output to syslog (can be specified multiple times). CONFIGURING
The file /etc/request-key.conf will need to be modified so /sbin/request-key can properly direct the upcall. The following line should be added before a call to keyctl negate: create id_resolver * * /usr/sbin/nfsidmap -t 600 %k %d This will direct all id_resolver requests to the program /usr/sbin/nfsidmap. The -t 600 defines how many seconds into the future the key will expire. This is an optional parameter for /usr/sbin/nfsidmap and will default to 600 seconds when not specified. The idmapper system uses four key descriptions: uid: Find the UID for the given user gid: Find the GID for the given group user: Find the user name for the given UID group: Find the group name for the given GID You can choose to handle any of these individually, rather than using the generic upcall program. If you would like to use your own pro- gram for a uid lookup then you would edit your request-key.conf so it looks similar to this: create id_resolver uid:* * /some/other/program %k %d create id_resolver * * /usr/sbin/nfsidmap %k %d Notice that the new line was added above the line for the generic program. request-key will find the first matching line and run the cor- responding program. In this case, /some/other/program will handle all uid lookups, and /usr/sbin/nfsidmap will handle gid, user, and group lookups. AUTHOR
Bryan Schumaker, <bjschuma@netapp.com> 1 October 2010 nfsidmap(5)
Check Out this Related Man Page
CIFS.UPCALL(8) System Administration tools CIFS.UPCALL(8) NAME
cifs.upcall - Userspace upcall helper for Common Internet File System (CIFS) SYNOPSIS
cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} DESCRIPTION
This tool is part of the cifs-utils suite. cifs.upcall is a userspace helper program for the linux CIFS client filesystem. There are a number of activities that the kernel cannot easily do itself. This program is a callout program that does these things for the kernel and then returns the result. cifs.upcall is generally intended to be run when the kernel calls request-key(8) for a particular key type. While it can be run directly from the command-line, it's not generally intended to be run that way. OPTIONS
-c This option is deprecated and is currently ignored. --krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf This option allows administrators to set an alternate location for the krb5.conf file that cifs.upcall will use. --keytab=/path/to/keytab|-K /path/to/keytab This option allows administrators to specify a keytab file to be used. When a user has no credential cache already established, cifs.upcall will attempt to use this keytab to acquire them. The default is the system-wide keytab /etc/krb5.keytab. --trust-dns|-t With krb5 upcalls, the name used as the host portion of the service principal defaults to the hostname portion of the UNC. This option allows the upcall program to reverse resolve the network address of the server in order to get the hostname. This is less secure than not trusting DNS. When using this option, it's possible that an attacker could get control of DNS and trick the client into mounting a different server altogether. It's preferable to instead add server principals to the KDC for every possible hostname, but this option exists for cases where that isn't possible. The default is to not trust reverse hostname lookups in this fashion. --legacy-uid|-l Traditionally, the kernel has sent only a single uid= parameter to the upcall for the SPNEGO upcall that's used to determine what user's credential cache to use. This parameter is affected by the uid= mount option, which also governs the ownership of files on the mount. Newer kernels send a creduid= option as well, which contains what uid it thinks actually owns the credentials that it's looking for. At mount time, this is generally set to the real uid of the user doing the mount. For multisession mounts, it's set to the fsuid of the mount user. Set this option if you want cifs.upcall to use the older uid= parameter instead of the creduid= parameter. --version|-v Print version number and exit. CONFIGURATION FOR KEYCTL
cifs.upcall is designed to be called from the kernel via the request-key callout program. This requires that request-key be told where and how to call this program. The current cifs.upcall program handles two different key types: cifs.spnego This keytype is for retrieving kerberos session keys dns_resolver This key type is for resolving hostnames into IP addresses. Support for this key type may eventually be deprecated (see below). To make this program useful for CIFS, you'll need to set up entries for them in request-key.conf(5). Here's an example of an entry for each key type: #OPERATION TYPE D C PROGRAM ARG1 ARG2... #========= ============= = = ================================ create cifs.spnego * * /usr/sbin/cifs.upcall %k create dns_resolver * * /usr/sbin/cifs.upcall %k See request-key.conf(5) for more info on each field. The keyutils package has also started including a dns_resolver handling program as well that is preferred over the one in cifs.upcall. If you are using a keyutils version equal to or greater than 1.5, you should use key.dns_resolver to handle the dns_resolver keytype instead of cifs.upcall. See key.dns_resolver(8) for more info. SEE ALSO
request-key.conf(5), mount.cifs(8), key.dns_resolver(8) AUTHOR
Igor Mammedov wrote the cifs.upcall program. Jeff Layton authored this manpage. The maintainer of the Linux CIFS VFS is Steve French. The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs. cifs-utils 02/07/2010 CIFS.UPCALL(8)