Bug#924051: nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294

2019-03-12 Thread Michael Barkdoll 
I was able to find a solution to this issue that will require a
patch/update to the libnfsidmap version 0.26.

Please see reference to another user that experience the issue.

https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedorahosted.org/thread/SIA6J7IZRWX2FVGHKMS5F3HB7DE3MCFC/

I confirmed after custom compiling and using the newer lib's .so file that
the naming convention was normal.  One directory timed out when I did a
chown but after fixing the file permissions to a user inside AD it seems to
be working alright.

Can you please patch libnfsidmap to use version 0.26 to fix this bug?
Thanks!

Michael Barkdoll

Bug#924051: nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294

2019-03-08 Thread Michael Barkdoll 
Package: nfs-common
Version: 1:1.3.4-2.1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
Debian box joined to AD with Realmd.  Mounted nfsv4 with kerberos auth.  
UID/GID match on client and server.  File permissions honored by displayed 
incorrected.
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
The following was observed in /var/log/syslog on the client:
nss_getpwnam: name 'us...@xx.xx.edu@XX.XX.EDU' domain 'XX.XX.EDU': resulting 
localname '(null)' 

uid and gid appear to not map properly from nfsidmap in a nfsv4 with sec=krb5. 
UID and GID are mapping properly on CentOS server and CentOS client. Ubuntu nfs 
client file permissions are honored, but display in `ls -lan` command are 
incorrect.

---
$ cat /var/log/syslog |grep nfsidmap
Mar 8 16:38:34 ubuntuclient nfsidmap[24736]: key: 0x24a1c64d type: uid value: 
us...@xx.xx.edu@XX.XX.EDU timeout 600
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling 
nsswitch->name_to_uid
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 
'us...@xx.xx.edu@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname '(null)'
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 
'us...@xx.xx.edu@XX.XX.EDU' does not map into domain 'XX.XX.EDU'
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: nsswitch->name_to_uid 
returned -22
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: final return value is 
-22
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling 
nsswitch->name_to_uid

$
$ mount -v -t nfs4 -o sec=krb5 SP19SRV.XX.XX.EDU:/export /mnt
$ su userX
$ ls -la /mnt
total 4
drwxr-xr-x 5 nobody 4294967294 50 Feb 28 18:04 .
drwxr-xr-x 24 root root 4096 Mar 7 22:34 ..
drwxr-xr-x 2 nobody 4294967294 125 Mar 8 16:27 userX
$



Problem:
nfsmapid isn't showing proper file permissions on the ubuntu nfsv4 client with 
sec=krb



Client:
---
mount -v -t nfs4 -o sec=krb5 SP19SRV.XX.XX.EDU:/export /mnt
---
$ ls -la
total 4
drwxr-xr-x 5 nobody 4294967294 50 Feb 28 18:04 .
drwxr-xr-x 24 root root 4096 Mar 7 20:58 ..
drwxr-xr-x 2 nobody 4294967294 112 Mar 7 14:30 username
usern...@xx.xx.edu@ubuntuclient:/mnt

---
$ cat /etc/idmapd.conf

[General]

Verbosity = 9
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
Domain = XX.XXX.EDU

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

---
$ cat /etc/default/nfs-common
STATDOPTS=
NEED_GSSD="yes"
NEED_IDMAPD="yes"
# I've tried commenting out NEED_IDMAPD as well.
# I manually created the following file with ktutil to just have nfs lines.
RPCGSSDARGS="-k /etc/nfs.keytab"
# I've tried with and without the above line (this was shown from redhat 
documentaiton)
---

My nfs server is a Centos 7.

Both machines were joined to active directory with sssd. NFSv4 with krb 
security works on my centos server and client. The nfs server mount works on 
the ubuntu client and file permissions are honored. But, the ls -la command is 
showing the incorrect file permissions.



uid and gid's appear to be in sync from sssd. Note in /etc/sssd/sssd.conf 
ldap_id_mapping = False though I don't think that should matter since ids are 
the same on both client and server from the ldap attributes in AD.



Centos 7 servers /var/log/messages with idmapd.conf verbosity:

Mar 8 16:38:32 sp19srv rpc.idmapd[1224]: Server : (group) id "65534" -> name 
"nfsnob...@xx.xx.edu"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling 
nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: 
nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value 
is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "3872" -> name 
"us...@xx.xx.edu@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=group
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: calling 
nsswitch->gid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: 
nsswitch->gid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: final return value 
is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (group) id "110" -> name 
"some group g...@xx.xx.edu@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling 
nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: 
nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value 
is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "0" -> name 
"r...@xx.xx.edu"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=group
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: calling