NFSv4 on IBM i - User profile / uid mapping

Resolving The Problem

NFSv4 has been available on the IBM i since R610. NFS on the IBM i is documented in the Knowledge Center: Files and file systems>Integrated file system>File systems>Network File System (NFS)

The URL to the R720 page showing a comparison of NFSv4 to earlier versions is: http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_72/ifs/rzaaxnfs3cmp.htm

One challenge to NFS at earlier releases was the need to ensure that uid/gid's matched between systems for individual user/group profiles. One of the benefits of NFSv4 is that this is addressed, but will need additional programs and setup in order to make it work.

The Knowledge Center link on Identify Mapping seems to imply that a Kerberised/EIM environment is not necessary in order to use this user/uid mapping feature, however that is not the case where AUTH_SYS (sometimes aka AUTH_UNIX) security is being used. It is hoped that the Knowledge Center will be updated at some point, but to use the NFSv4 feature of identity mapping, an EIM/Kerberos environment is required, and AUTH_GSS security must be specified.

This is because when AUTH_SYS security is used, RPC only sends the uid/gid (just like in previous releases of NFS). You could actually consider this to be more a limitation of RPC where AUTH_SYS is being used.

In summary, if you are using NFSv4 with AUTH_SYS, you will need to ensure that the uid/gid for a user match across systems if you want consistency with the user name across environments. See section 3 of Technote N1016376 for further information on this. If you want to use the user mapping feature, you will need a Kerberised environment AND be using AUTH_GSS security.