1 2========= 3ID Mapper 4========= 5Id mapper is used by NFS to translate user and group ids into names, and to 6translate user and group names into ids. Part of this translation involves 7performing an upcall to userspace to request the information. There are two 8ways NFS could obtain this information: placing a call to /sbin/request-key 9or by placing a call to the rpc.idmap daemon. 10 11NFS will attempt to call /sbin/request-key first. If this succeeds, the 12result will be cached using the generic request-key cache. This call should 13only fail if /etc/request-key.conf is not configured for the id_resolver key 14type, see the "Configuring" section below if you wish to use the request-key 15method. 16 17If the call to /sbin/request-key fails (if /etc/request-key.conf is not 18configured with the id_resolver key type), then the idmapper will ask the 19legacy rpc.idmap daemon for the id mapping. This result will be stored 20in a custom NFS idmap cache. 21 22 23=========== 24Configuring 25=========== 26The file /etc/request-key.conf will need to be modified so /sbin/request-key can 27direct the upcall. The following line should be added: 28 29#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ... 30#====== ======= =============== =============== =============================== 31create id_resolver * * /usr/sbin/nfs.idmap %k %d 600 32 33This will direct all id_resolver requests to the program /usr/sbin/nfs.idmap. 34The last parameter, 600, defines how many seconds into the future the key will 35expire. This parameter is optional for /usr/sbin/nfs.idmap. When the timeout 36is not specified, nfs.idmap will default to 600 seconds. 37 38id mapper uses for key descriptions: 39 uid: Find the UID for the given user 40 gid: Find the GID for the given group 41 user: Find the user name for the given UID 42 group: Find the group name for the given GID 43 44You can handle any of these individually, rather than using the generic upcall 45program. If you would like to use your own program for a uid lookup then you 46would edit your request-key.conf so it look similar to this: 47 48#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ... 49#====== ======= =============== =============== =============================== 50create id_resolver uid:* * /some/other/program %k %d 600 51create id_resolver * * /usr/sbin/nfs.idmap %k %d 600 52 53Notice that the new line was added above the line for the generic program. 54request-key will find the first matching line and corresponding program. In 55this case, /some/other/program will handle all uid lookups and 56/usr/sbin/nfs.idmap will handle gid, user, and group lookups. 57 58See <file:Documentation/security/keys/request-key.rst> for more information 59about the request-key function. 60 61 62========= 63nfs.idmap 64========= 65nfs.idmap is designed to be called by request-key, and should not be run "by 66hand". This program takes two arguments, a serialized key and a key 67description. The serialized key is first converted into a key_serial_t, and 68then passed as an argument to keyctl_instantiate (both are part of keyutils.h). 69 70The actual lookups are performed by functions found in nfsidmap.h. nfs.idmap 71determines the correct function to call by looking at the first part of the 72description string. For example, a uid lookup description will appear as 73"uid:user@domain". 74 75nfs.idmap will return 0 if the key was instantiated, and non-zero otherwise. 76