Package: nfs-common
Version: 1:1.3.4-2.1
Severity: normal
Dear Maintainer,
* What led up to the situation?
Debian box joined to AD with Realmd. Mounted nfsv4 with kerberos auth.
UID/GID match on client and server. File permissions honored but displayed
incorrectly.
* What exactly did you do (or not do) that was effective (or
ineffective)?
The following was observed in /var/log/syslog on the client:
nss_getpwnam: name '[email protected]@XX.XX.EDU' domain 'XX.XX.EDU': resulting
localname '(null)'
uid and gid appear to not map properly from nfsidmap in a nfsv4 with sec=krb5.
UID and GID are mapping properly on CentOS server and CentOS client. Ubuntu nfs
client file permissions are honored, but display in `ls -lan` command are
incorrect.
---
$ cat /var/log/syslog |grep nfsidmap
Mar 8 16:38:34 ubuntuclient nfsidmap[24736]: key: 0x24a1c64d type: uid value:
[email protected]@XX.XX.EDU timeout 600
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name
'[email protected]@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname '(null)'
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name
'[email protected]@XX.XX.EDU' does not map into domain 'XX.XX.EDU'
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: nsswitch->name_to_uid
returned -22
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: final return value is
-22
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
$
$ mount -v -t nfs4 -o sec=krb5 SP19SRV.XX.XX.EDU:/export /mnt
$ su userX
$ ls -la /mnt
total 4
drwxr-xr-x 5 nobody 4294967294 50 Feb 28 18:04 .
drwxr-xr-x 24 root root 4096 Mar 7 22:34 ..
drwxr-xr-x 2 nobody 4294967294 125 Mar 8 16:27 userX
$
Problem:
nfsmapid isn't showing proper file permissions on the ubuntu nfsv4 client with
sec=krb
Client:
---
mount -v -t nfs4 -o sec=krb5 SP19SRV.XX.XX.EDU:/export /mnt
---
$ ls -la
total 4
drwxr-xr-x 5 nobody 4294967294 50 Feb 28 18:04 .
drwxr-xr-x 24 root root 4096 Mar 7 20:58 ..
drwxr-xr-x 2 nobody 4294967294 112 Mar 7 14:30 username
[email protected]@ubuntuclient:/mnt
---
$ cat /etc/idmapd.conf
[General]
Verbosity = 9
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
Domain = XX.XXX.EDU
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
---
$ cat /etc/default/nfs-common
STATDOPTS=
NEED_GSSD="yes"
NEED_IDMAPD="yes"
# I've tried commenting out NEED_IDMAPD as well.
# I manually created the following file with ktutil to just have nfs lines.
RPCGSSDARGS="-k /etc/nfs.keytab"
# I've tried with and without the above line (this was shown from redhat
documentation)
---
My nfs server is a Centos 7.
Both machines were joined to active directory with sssd. NFSv4 with krb
security works on my centos server and client. The nfs server mount works on
the ubuntu client and file permissions are honored. But, the ls -la command is
showing the incorrect file permissions.
uid and gid's appear to be in sync from sssd. Note in /etc/sssd/sssd.conf
ldap_id_mapping = False though I don't think that should matter since ids are
the same on both client and server from the ldap attributes in AD.
Centos 7 servers /var/log/messages with idmapd.conf verbosity:
Mar 8 16:38:32 sp19srv rpc.idmapd[1224]: Server : (group) id "65534" -> name
"[email protected]"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling
nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name:
nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value
is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "3872" -> name
"[email protected]@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=group
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: calling
nsswitch->gid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name:
nsswitch->gid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: final return value
is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (group) id "110" -> name
"some group [email protected]@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling
nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name:
nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value
is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "0" -> name
"[email protected]"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=group
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: calling
nsswitch->gid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name:
nsswitch->gid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: final return value
is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (group) id "0" -> name
"[email protected]"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling
nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name:
nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value
is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "1630" -> name
"[email protected]@XX.XX.EDU"
Please let me know if you need any additional information, thanks,
* What was the outcome of this action?
nfsv4 file share is mounted but uid and gid are not displaying properly.
* What outcome did you expect instead?
Expected the id and gid of the user to be shown on ls -lan
-- Package-specific info:
-- rpcinfo --
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
-- /etc/default/nfs-common --
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD="yes"
RPCGSSDARGS="-k /etc/nfs.keytab"
-- /etc/idmapd.conf --
[General]
Verbosity = 9
Pipefs-Directory = /run/rpc_pipefs
Domain = AD.SIU.EDU
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --
-- System Information:
Debian Release: 9.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages nfs-common depends on:
ii adduser 3.115
ii init-system-helpers 1.48
ii keyutils 1.5.9-9
ii libc6 2.24-11+deb9u4
ii libcap2 1:2.25-1
ii libcomerr2 1.43.4-2
ii libdevmapper1.02.1 2:1.02.137-2
ii libevent-2.0-5 2.0.21-stable-3
ii libgssapi-krb5-2 1.15-1+deb9u1
ii libk5crypto3 1.15-1+deb9u1
ii libkeyutils1 1.5.9-9
ii libkrb5-3 1.15-1+deb9u1
ii libmount1 2.29.2-1+deb9u1
ii libnfsidmap2 0.25-5.1
ii libtirpc1 0.2.5-1.2+deb9u1
ii libwrap0 7.6.q-26
ii lsb-base 9.20161125
ii rpcbind 0.2.3-0.6
ii ucf 3.0036
Versions of packages nfs-common recommends:
ii python 2.7.13-2
Versions of packages nfs-common suggests:
pn open-iscsi <none>
pn watchdog <none>
-- Configuration Files:
/etc/default/nfs-common changed:
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD="yes"
RPCGSSDARGS="-k /etc/nfs.keytab"
-- no debconf information
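
As an added example (not part of the original report or of nfs-utils), this triage script pulls every name that nfsidmap failed to map out of client syslog lines like the ones above and flags names whose part before the final '@' is itself qualified. The sample lines and the names in them are constructed placeholders, and `find_unmapped` is a hypothetical helper name.

```python
import errno
import re

# Constructed sample in the format of the client syslog above (placeholder names).
SAMPLE_LOG = """\
Mar  8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'alice@example.test@EXAMPLE.TEST' domain 'EXAMPLE.TEST': resulting localname '(null)'
Mar  8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'alice@example.test@EXAMPLE.TEST' does not map into domain 'EXAMPLE.TEST'
Mar  8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar  8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: final return value is -22
Mar  8 16:38:35 client nfsidmap[24740]: nss_getpwnam: name 'bob@EXAMPLE.TEST' domain 'EXAMPLE.TEST': resulting localname 'bob'
"""

LINE = re.compile(r"nfsidmap\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NOMAP = re.compile(r"nss_getpwnam: name '(?P<name>.+)' does not map into domain '(?P<domain>.+)'")
FINAL = re.compile(r"(?P<func>nfs4_name_to_[ug]id): final return value is (?P<rc>-?\d+)")


def find_unmapped(log_text):
    """Return one record per name that nfsidmap failed to map to a local id."""
    pending = {}   # pid -> record waiting for its final return value
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        nomap = NOMAP.search(msg)
        if nomap:
            name = nomap.group("name")
            pending[pid] = {
                "name": name,
                "domain": nomap.group("domain"),
                # More than one '@': the part before the final '@' is itself qualified.
                "extra_at": name.count("@") > 1,
            }
            continue
        final = FINAL.search(msg)
        if final and pid in pending:
            rc = int(final.group("rc"))
            rec = pending.pop(pid)
            if rc != 0:
                rec["lookup"] = final.group("func")
                rec["error"] = errno.errorcode.get(-rc, str(rc))
                findings.append(rec)
    return findings


if __name__ == "__main__":
    print(find_unmapped(SAMPLE_LOG))
```

Real syslog lines are not wrapped the way they are in the e-mail above, so run it over the output of `grep nfsidmap /var/log/syslog` rather than over text copied from the report.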