395cf9691d
There are numerous broken references to Documentation files (in other Documentation files, in comments, etc.). These broken references are caused by typo's in the references, and by renames or removals of the Documentation files. Some broken references are simply odd. Fix these broken references, sometimes by dropping the irrelevant text they were part of. Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
67 lines
2.9 KiB
Text
67 lines
2.9 KiB
Text
|
|
=========
|
|
ID Mapper
|
|
=========
|
|
Id mapper is used by NFS to translate user and group ids into names, and to
|
|
translate user and group names into ids. Part of this translation involves
|
|
performing an upcall to userspace to request the information. Id mapper will
|
|
user request-key to perform this upcall and cache the result. The program
|
|
/usr/sbin/nfs.idmap should be called by request-key, and will perform the
|
|
translation and initialize a key with the resulting information.
|
|
|
|
NFS_USE_NEW_IDMAPPER must be selected when configuring the kernel to use this
|
|
feature.
|
|
|
|
===========
|
|
Configuring
|
|
===========
|
|
The file /etc/request-key.conf will need to be modified so /sbin/request-key can
|
|
direct the upcall. The following line should be added:
|
|
|
|
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
|
|
#====== ======= =============== =============== ===============================
|
|
create id_resolver * * /usr/sbin/nfs.idmap %k %d 600
|
|
|
|
This will direct all id_resolver requests to the program /usr/sbin/nfs.idmap.
|
|
The last parameter, 600, defines how many seconds into the future the key will
|
|
expire. This parameter is optional for /usr/sbin/nfs.idmap. When the timeout
|
|
is not specified, nfs.idmap will default to 600 seconds.
|
|
|
|
id mapper uses for key descriptions:
|
|
uid: Find the UID for the given user
|
|
gid: Find the GID for the given group
|
|
user: Find the user name for the given UID
|
|
group: Find the group name for the given GID
|
|
|
|
You can handle any of these individually, rather than using the generic upcall
|
|
program. If you would like to use your own program for a uid lookup then you
|
|
would edit your request-key.conf so it look similar to this:
|
|
|
|
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
|
|
#====== ======= =============== =============== ===============================
|
|
create id_resolver uid:* * /some/other/program %k %d 600
|
|
create id_resolver * * /usr/sbin/nfs.idmap %k %d 600
|
|
|
|
Notice that the new line was added above the line for the generic program.
|
|
request-key will find the first matching line and corresponding program. In
|
|
this case, /some/other/program will handle all uid lookups and
|
|
/usr/sbin/nfs.idmap will handle gid, user, and group lookups.
|
|
|
|
See <file:Documentation/security/keys-request-key.txt> for more information
|
|
about the request-key function.
|
|
|
|
|
|
=========
|
|
nfs.idmap
|
|
=========
|
|
nfs.idmap is designed to be called by request-key, and should not be run "by
|
|
hand". This program takes two arguments, a serialized key and a key
|
|
description. The serialized key is first converted into a key_serial_t, and
|
|
then passed as an argument to keyctl_instantiate (both are part of keyutils.h).
|
|
|
|
The actual lookups are performed by functions found in nfsidmap.h. nfs.idmap
|
|
determines the correct function to call by looking at the first part of the
|
|
description string. For example, a uid lookup description will appear as
|
|
"uid:user@domain".
|
|
|
|
nfs.idmap will return 0 if the key was instantiated, and non-zero otherwise.
|