{ "mode": "man", "parameter": "nfsidmap", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/nfsidmap/5/json", "generated": "2026-06-15T13:13:01Z", "synopsis": "", "sections": { "NAME": { "content": "nfsidmap - The NFS idmapper upcall program\n", "subsections": [] }, "SYNOPSIS": { "content": "", "subsections": [ { "name": "nfsidmap [-v] [-t timeout] key desc", "content": "" }, { "name": "nfsidmap [-v] [-c]", "content": "" }, { "name": "nfsidmap [-v] [-u|-g|-r user]", "content": "" }, { "name": "nfsidmap -d", "content": "" }, { "name": "nfsidmap -l", "content": "" }, { "name": "nfsidmap -h", "content": "" } ] }, "DESCRIPTION": { "content": "The NFSv4 protocol represents the local system's UID and GID values on the wire as strings of\nthe form user@domain. The process of translating from UID to string and string to UID is re‐\nferred to as \"ID mapping.\"\n\nThe system derives the user part of the string by performing a password or group lookup. The\nlookup mechanism is configured in /etc/idmapd.conf.\n\nBy default, the domain part of the string is the system's DNS domain name. It can also be\nspecified in /etc/idmapd.conf if the system is multi-homed, or if the system's DNS domain\nname does not match the name of the system's Kerberos realm.\n\nWhen the domain is not specified in /etc/idmapd.conf the local DNS server will be queried for\nthe nfsv4idmapdomain text record. If the record exists that will be used as the domain. When\nthe record does not exist, the domain part of the DNS domain will used.\n\nThe /usr/sbin/nfsidmap program performs translations on behalf of the kernel. The kernel\nuses the request-key mechanism to perform an upcall. /usr/sbin/nfsidmap is invoked by\n/sbin/request-key, performs the translation, and initializes a key with the resulting infor‐\nmation. The kernel then caches the translation results in the key.\n\nnfsidmap can also clear cached ID map results in the kernel, or revoke one particular key.\nAn incorrect cached key can result in file and directory ownership reverting to \"nobody\" on\nNFSv4 mount points.\n\nIn addition, the -d and -l options are available to help diagnose misconfigurations. They\nhave no effect on the keyring containing ID mapping results.\n", "subsections": [] }, "OPTIONS": { "content": "", "subsections": [ { "name": "-c", "content": "", "flag": "-c" }, { "name": "-d", "content": "", "flag": "-d" }, { "name": "-g user", "content": "Revoke the gid key of the given user.\n", "flag": "-g" }, { "name": "-h", "content": "", "flag": "-h" }, { "name": "-l", "content": "These keys are visible only to the superuser.\n", "flag": "-l" }, { "name": "-r user", "content": "Revoke both the uid and gid key of the given user.\n", "flag": "-r" }, { "name": "-t timeout", "content": "Set the expiration timer, in seconds, on the key. The default is 600 seconds (10\nmins).\n", "flag": "-t" }, { "name": "-u user", "content": "Revoke the uid key of the given user.\n", "flag": "-u" }, { "name": "-v", "content": "", "flag": "-v" } ] }, "CONFIGURING": { "content": "The file /etc/request-key.conf will need to be modified so /sbin/request-key can properly di‐\nrect the upcall. The following line should be added before a call to keyctl negate:\n\ncreate idresolver * * /usr/sbin/nfsidmap -t 600 %k %d\n\nThis will direct all idresolver requests to the program /usr/sbin/nfsidmap. The -t 600 de‐\nfines how many seconds into the future the key will expire. This is an optional parameter\nfor /usr/sbin/nfsidmap and will default to 600 seconds when not specified.\n\nThe idmapper system uses four key descriptions:\n\nuid: Find the UID for the given user\ngid: Find the GID for the given group\nuser: Find the user name for the given UID\ngroup: Find the group name for the given GID\n\nYou can choose to handle any of these individually, rather than using the generic upcall pro‐\ngram. If you would like to use your own program for a uid lookup then you would edit your\nrequest-key.conf so it looks similar to this:\n\ncreate idresolver uid:* * /some/other/program %k %d\ncreate idresolver * * /usr/sbin/nfsidmap %k %d\n\nNotice that the new line was added above the line for the generic program. request-key will\nfind the first matching line and run the corresponding program. In this case,\n/some/other/program will handle all uid lookups, and /usr/sbin/nfsidmap will handle gid,\nuser, and group lookups.\n", "subsections": [] }, "FILES": { "content": "/etc/idmapd.conf\nID mapping configuration file\n\n/etc/request-key.conf\nRequest key configuration file\n", "subsections": [] }, "SEE ALSO": { "content": "idmapd.conf(5), request-key(8)\n", "subsections": [] }, "AUTHOR": { "content": "Bryan Schumaker, \n\n\n\n1 October 2010 nfsidmap(5)", "subsections": [] } }, "summary": "nfsidmap - The NFS idmapper upcall program", "flags": [ { "flag": "-c", "long": null, "arg": null, "description": "" }, { "flag": "-d", "long": null, "arg": null, "description": "" }, { "flag": "-g", "long": null, "arg": null, "description": "Revoke the gid key of the given user." }, { "flag": "-h", "long": null, "arg": null, "description": "" }, { "flag": "-l", "long": null, "arg": null, "description": "These keys are visible only to the superuser." }, { "flag": "-r", "long": null, "arg": null, "description": "Revoke both the uid and gid key of the given user." }, { "flag": "-t", "long": null, "arg": null, "description": "Set the expiration timer, in seconds, on the key. The default is 600 seconds (10 mins)." }, { "flag": "-u", "long": null, "arg": null, "description": "Revoke the uid key of the given user." }, { "flag": "-v", "long": null, "arg": null, "description": "" } ], "examples": [], "see_also": [ { "name": "idmapd.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/idmapd.conf/5/json" }, { "name": "request-key", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/request-key/8/json" } ] }