Warning

This is a design page. It was used to design and discuss the initial implementation of the change. However, the state of this document does not necessarily correspond to the current state of the implementation since we do not keep this document up to date with further changes and bug fixes.

SSS NFS Client (rpc.idmapd plugin)

The client is named “sss_nfs” (although “sss_idmap” or “idmap” might have been better names, the term “idmap” is already occupied in the SSSD world).

rpc.idmapd runs on NFSv4 servers as a userspace daemon (part of nfs-utils). Its role is to assist knfsd by providing the following 6 mapping functions:

  1. (user) name to UID

  2. (group) name to GID

  3. UID to (user) name

  4. GID to (group) name

  5. principal (user) name to ids (UID + GID)

  6. principal (user) name to grouplist (groups which user are member of)

rpc.idmapd provides API for developing plugins (loaded by dlopen(3)) which implements the actual mapping process.

On the kernel level, there’s a caching mechanism for the responses from the userspace daemon.

(1) Items 5 + 6 are only relevant for kerberized NFSv4 servers. At the first stage only there won’t be kerberos support.

The functionality required from the Responder side is a subset of the functionality provided by existing NSS Responder’s commands.

As you can see below (on the client part of the design) - no changes are needed in the NSS Responder.

Responder-Facing Interactions (existing NSS Responder commands)

  • SSS_NSS_GETPWNAM - map (user) name to UID requests

  • SSS_NSS_GETGRNAM - map (group) name to GID requests

  • SSS_NSS_GETPWUID - map UID to (user) name requests

  • SSS_NSS_GETGRGID - map GID to (group) name requests

The request & reply sent to & from the responder is “standard” in terms of the NSS Responder.

The client only needs a portion of the reply. Only this portion will be extracted from the packet (i.e. UID/GID/user name/group name).

The optimisation techniques used for the NSS client will be used here as well. i.e. Fast Cache (memcache) & negative-cache.

It will be possible for the user to disable Fast Cache from the configuration file. (see below)

The configuration of the client will be part of rpc.idmap config file (/etc/idmapd.conf).