nfsidmap(5)                   File Formats Manual                  nfsidmap(5)

       nfsidmap - The NFS idmapper upcall program

       nfsidmap [-v] [-t timeout] key desc
       nfsidmap [-v] [-c]
       nfsidmap [-v] [-u|-g|-r user]
       nfsidmap -d
       nfsidmap -l
       nfsidmap -h

       The  NFSv4 protocol represents the local system's UID and GID values on
       the wire as strings of the form user@domain.  The process of  translat-
       ing  from  UID  to  string and string to UID is referred to as "ID map-

       The system derives the user part of the string by performing a password
       or   group   lookup.    The   lookup   mechanism   is   configured   in

       By default, the domain part of the string is the  system's  DNS  domain
       name.   It  can  also be specified in /etc/idmapd.conf if the system is
       multi-homed, or if the system's DNS domain name does not match the name
       of the system's Kerberos realm.

       The  /usr/sbin/nfsidmap  program performs translations on behalf of the
       kernel.  The kernel  uses  the  request-key  mechanism  to  perform  an
       upcall.   /usr/sbin/nfsidmap  is invoked by /sbin/request-key, performs
       the translation, and initializes a key with the resulting  information.
       The kernel then caches the translation results in the key.

       nfsidmap  can also clear cached ID map results in the kernel, or revoke
       one particular key.  An incorrect cached key can  result  in  file  and
       directory ownership reverting to "nobody" on NFSv4 mount points.

       In  addition, the -d and -l options are available to help diagnose mis-
       configurations.  They have no effect on the keyring containing ID  map-
       ping results.

       -c     Clear the keyring of all the keys.

       -d     Display the system's effective NFSv4 domain name on stdout.

       -g user
              Revoke the gid key of the given user.

       -h     Display usage message.

       -l     Display  on  stdout  all  keys  currently in the keyring used to
              cache ID mapping results.  These keys are visible  only  to  the

       -r user
              Revoke both the uid and gid key of the given user.

       -t timeout
              Set  the  expiration timer, in seconds, on the key.  The default
              is 600 seconds (10 mins).

       -u user
              Revoke the uid key of the given user.

       -v     Increases the verbosity of the output to syslog (can  be  speci-
              fied multiple times).

       The   file   /etc/request-key.conf   will   need   to  be  modified  so
       /sbin/request-key can properly direct the upcall.  The  following  line
       should be added before a call to keyctl negate:

       create    id_resolver    *    *    /usr/sbin/nfsidmap -t 600 %k %d

       This   will   direct   all   id_resolver   requests   to   the  program
       /usr/sbin/nfsidmap.  The -t 600  defines  how  many  seconds  into  the
       future  the  key  will  expire.   This  is  an  optional  parameter for
       /usr/sbin/nfsidmap and will default to 600 seconds when not specified.

       The idmapper system uses four key descriptions:

              uid: Find the UID for the given user
              gid: Find the GID for the given group
             user: Find the user name for the given UID
            group: Find the group name for the given GID

       You can choose to handle any of these individually, rather  than  using
       the  generic upcall program.  If you would like to use your own program
       for a uid lookup then you would edit your request-key.conf so it  looks
       similar to this:

       create    id_resolver    uid:*     *    /some/other/program %k %d
       create    id_resolver    *         *    /usr/sbin/nfsidmap %k %d

       Notice  that the new line was added above the line for the generic pro-
       gram.  request-key will find the first matching line and run the corre-
       sponding  program.   In  this case, /some/other/program will handle all
       uid lookups, and /usr/sbin/nfsidmap will handle gid,  user,  and  group

              ID mapping configuration file

              Request key configuration file

       idmapd.conf(5), request-key(8)

       Bryan Schumaker, <>

                                1 October 2010                     nfsidmap(5)
Man Pages Copyright Respective Owners. Site Copyright (C) 1994 - 2021 Hurricane Electric. All Rights Reserved.