Only start nfsuserd if GIDS > 16
The setting "NFSv3 ownership model for NFSv4" does not work in 9.10-STABLE. It has no effect.
Doing some research on this setting, history tells us that it works by stopping (or not starting) the nfsuserd service and setting the sysctl vfs.nfsd.enable_stringtouid to 1. See here for details:
It looks like the problem is caused by line 50 in /etc/rc.d/nfsd. This line is requiring nfsuserd if NFSv4 is used at all, which goes counter to this whole setting. I'm not sure when that changed, but I found this bug that maybe is related:
In any case, simply changing that if block to the following solves the issue:
50 if checkyesno nfs_server_managegids; then
51 force_depend nfsuserd || err 1 "Cannot run nfsuserd"
It could probably also be:
50 if checkyesno nfsv4_server_enable && \
51 checkyesno nfs_server_managegids; then
52 force_depend nfsuserd || err 1 "Cannot run nfsuserd"
but I haven't tested that.
#1 Updated by Ash Gokhale almost 4 years ago
- Status changed from Unscreened to Screened
- Priority changed from No priority to Important
This change looks correct; we have seen the need to forcefully stop nfsuserd. I'll make the change on a system here and make a recommendation on a patch for the start script.
#2 Updated by Scott W almost 4 years ago
Just to note, I tested the following with 9.10.2-U4 and it operates as expected; nfsuserd is not started since I have "NFSv3 ownership model..." enabled.
50 if checkyesno nfsv4_server_enable && \
51 checkyesno nfs_server_managegids; then
52 force_depend nfsuserd || err 1 "Cannot run nfsuserd"
53 fi
#5 Updated by Ash Gokhale over 3 years ago
This patch actually seems much like the one that just went into FreeBSD head:
Modify /etc/rc.d/nfsd so it doesn't force a startup of nfsuserd for NFSv4.
Given that RFC7530 allows uid/gids to be placed in owner/owner_group
strings directly, many NFSv4 environments don't need the nfsuserd.
This small patch modified /etc/rc.d/nfsd so that it does not force
startup of the nfsuserd daemon unless nfs_server_managegids is enabled.
This implies that nfsuserd_enable="YES" must be added to /etc/rc.conf
for NFSv4 server environments that use Kerberos mounts or clients that
do not support the uid/gid in string capability.
Since this could be considered a POLA violation, it will not be MFC'd.
#9 Updated by Kris Moore over 3 years ago
#13 Updated by Joe Maloney over 3 years ago
- Status changed from 47 to Ready For Release
- Needs QA changed from Yes to No
- QA Status Test Passes added
- QA Status deleted (
I believe this is working. I can confirm the nfsuserd process does not get started until I join an AD which has a user that is a member of more than 16 groups.
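The three variants of the check discussed in this ticket, modelled side by side as an added shell example (not code from the ticket, from /etc/rc.d/nfsd or from rc.subr). The helper names `yesno`, `nfsuserd_forced` and `nfsuserd_starts` are hypothetical, the "original" variant is modelled only from the report's description of line 50, and treating nfsuserd as started whenever nfsuserd_enable is YES follows the quoted commit message.

```sh
#!/bin/sh
# Added example: models which rc.conf settings cause nfsuserd to run under
# each variant of the check discussed in this ticket.

# yesno VALUE: simplified stand-in for rc.subr's checkyesno that takes the
# value itself rather than a variable name (constructed helper).
yesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# nfsuserd_forced VARIANT NFSV4_SERVER_ENABLE NFS_SERVER_MANAGEGIDS
#   original   : as described in the report, any NFSv4 use forces nfsuserd
#   managegids : first proposed block (same condition as the quoted commit)
#   both       : second proposed block (NFSv4 and managegids both enabled)
nfsuserd_forced() {
    case "$1" in
        original)   if yesno "$2"; then echo forced; return 0; fi ;;
        managegids) if yesno "$3"; then echo forced; return 0; fi ;;
        both)       if yesno "$2" && yesno "$3"; then echo forced; return 0; fi ;;
        *) echo "unknown variant: $1" >&2; return 2 ;;
    esac
    echo not-forced
}

# nfsuserd_starts VARIANT NFSV4_SERVER_ENABLE NFS_SERVER_MANAGEGIDS NFSUSERD_ENABLE
# The daemon runs if it is explicitly enabled or forced by the nfsd script.
nfsuserd_starts() {
    if yesno "$4" || [ "$(nfsuserd_forced "$1" "$2" "$3")" = forced ]; then
        echo starts
    else
        echo stays-off
    fi
}

# Constructed sample configurations: v4 / managegids / nfsuserd_enable.
for variant in original managegids both; do
    for cfg in "YES NO NO" "YES YES NO" "NO YES NO" "YES NO YES"; do
        set -- $cfg
        printf '%-10s v4=%-3s managegids=%-3s nfsuserd_enable=%-3s -> %s\n' \
            "$variant" "$1" "$2" "$3" "$(nfsuserd_starts "$variant" "$1" "$2" "$3")"
    done
done
```

The "NO YES NO" row is the only one where the two proposed blocks differ: with NFSv4 disabled and managegids enabled, the first block still forces nfsuserd and the second does not.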