
I am using NFSv4 on Ubuntu 20.04 and 24.04 filesystems.

I cannot understand how to use idmapd.conf. I have read the man page, multiple Stack Exchange posts, and multiple blogs, and none of them explain the basic concepts well enough for me to apply them to my situation. I have probably a dozen or more questions, which I'll post individually.

In this scenario, I have three computers. The first is Exporter; it's the machine that will export the NFS filesystem. Its FQDN is exporter.example.com.

The other two are Recipient1 and Recipient2. Each of these will mount the exported filesystem. They have the same set of users, but different UIDs and GIDs assigned to them. Their FQDNs are recipient1.example.com and recipient2.example.com, respectively.

  1. What do I use for the three values of the Domain variables?

The man page states that this is

The local NFSv4 domain name. An NFSv4 domain is a namespace with a unique username<->UID and groupname<->GID mapping. (Default: Host's fully-qualified DNS domain name)

Each computer has a unique UID/GID mapping to names, so this implies that the three machines' idmapd.conf files should have three separate values for this variable:

# Exporter
[General]

Domain = exporter.example.com

# Recipient1
[General]

Domain = recipient1.example.com

# Recipient2
[General]

Domain = recipient2.example.com

However, this answer to an NFSv4 mapping question says

Make sure both sides use the same idmap domain

and this answer to another similar question says

Make sure the /etc/idmapd.conf Domain parameter is the same on server and client

How do I make the Domain value be both the same on all computers and unique to each username/ID mapping, when all computers have different username/ID mappings?

1 Answer


Use the exact same domain on all systems.

When a client does ls -l, the server will translate the file owner UID to username@domainname according to the server-side mapping, and the client – if its idmapd is on the same domain – will use its client-side mapping to translate username@domainname back to an appropriate UID.

The part about "unique username<->UID and groupname<->GID mapping" is a distraction. Indeed if the mapping had to be exactly the same across the idmapd domain, then there would be no reason for idmapd to exist.

(I think I understand what it is trying to say – but I don't know a good way to rephrase it offhand. Maybe it's better to say that each NFSv4 domain is a namespace with unique users and groups only, such that "userX@domainA" and "userX@domainB" are distinct users which a multi-domain system would map to distinct UIDs. Basically the same concept as Active Directory domains, really.)

Keep in mind, however, that idmapd only translates the "NFS" layer, which handles things like chown parameters or ls -l results, but it cannot translate UIDs for the underlying "SunRPC" layer which handles user authentication.

So if you are planning on using sec=sys NFS security mode (which sends raw UIDs as "credentials"), then the UIDs will still have to match and idmapd will not help you at all. Only Kerberos security (sec=krb5/krb5i/krb5p, which uses tickets instead of UIDs) can really make use of idmapd.

grawity
  • 17,092
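A stand-alone model of the two layers the answer describes, added here as an example; it is not part of the question or of grawity's answer and does not call the real idmapd. It assumes all three hosts are meant to set `Domain = example.com`, uses constructed passwd-style tables with the question's "same names, different UIDs" setup (alice is 1001 on the exporter but 1002 on recipient1), and shows why per-host Domain values break the `ls -l` round trip while `sec=sys` ignores idmapd entirely.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a model of NFSv4 owner translation.
# Nothing here reads the real /etc/passwd or /etc/idmapd.conf; all tables are constructed.
set -u

# Constructed passwd-style tables (name:uid). Same names, different UIDs, as in the question.
EXPORTER_PASSWD='root:0
alice:1001
bob:1002
nobody:65534'
RECIPIENT1_PASSWD='root:0
bob:1001
alice:1002
nobody:65534'

# uid_to_name <table> <uid>  -> name (empty if unknown)
uid_to_name()  { printf '%s\n' "$1" | awk -F: -v u="$2" '$2==u {print $1; exit}'; }
# name_to_uid <table> <name> -> uid  (empty if unknown)
name_to_uid()  { printf '%s\n' "$1" | awk -F: -v n="$2" '$1==n {print $2; exit}'; }

# Server side (NFS layer): a file owned by local UID goes on the wire as name@Domain,
# using the server's own idmapd.conf Domain. Models idmapd's uid-to-name direction.
server_owner_to_wire() {            # <server_domain> <server_uid>
  local name
  name=$(uid_to_name "$EXPORTER_PASSWD" "$2")
  printf '%s@%s\n' "${name:-nobody}" "$1"
}

# Client side (NFS layer): idmapd only accepts the name if the domain part equals the
# client's own Domain; a name from a foreign domain cannot be completed and falls back
# to Nobody-User (nobody). Models idmapd's name-to-uid direction.
client_wire_to_uid() {              # <client_domain> <name@domain>
  local name=${2%@*} dom=${2##*@} uid
  if [ "$dom" = "$1" ]; then
    uid=$(name_to_uid "$RECIPIENT1_PASSWD" "$name")
  fi
  printf '%s\n' "${uid:-$(name_to_uid "$RECIPIENT1_PASSWD" nobody)}"
}

# Full "ls -l" round trip through both idmapd instances (what sec=krb5* lets you rely on).
ls_owner_uid_seen_by_client() {     # <server_domain> <client_domain> <server_uid>
  client_wire_to_uid "$2" "$(server_owner_to_wire "$1" "$3")"
}

# SunRPC layer under sec=sys: the client sends its raw UID as the credential and the
# server interprets that number against its own table. idmapd never sees it.
sec_sys_caller_as_seen_by_server() { # <client_uid>
  uid_to_name "$EXPORTER_PASSWD" "$1"
}

# Same Domain everywhere: alice's file (exporter UID 1001) appears as alice (recipient1 UID 1002).
ls_owner_uid_seen_by_client example.com example.com 1001                        # -> 1002
# One Domain per host, as in the question: foreign domain, so the client shows nobody.
ls_owner_uid_seen_by_client exporter.example.com recipient1.example.com 1001    # -> 65534
# sec=sys: alice on recipient1 (UID 1002) is treated as bob by the exporter, Domain or not.
sec_sys_caller_as_seen_by_server 1002                                           # -> bob
```

The model treats the domain check the way the nsswitch idmapping does: a mismatched domain is an incomplete mapping, not a lookup of the bare name. On a real host, `nfsidmap -d` from nfs-utils prints the effective NFSv4 domain idmapd is using, which is the quickest way to confirm server and client agree before chasing "files owned by nobody" further.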