Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
Hi Jakub,

Good to know about the patch. It's unfortunate I can get a faster and more detailed answer via the mailing list than GSS. Since I can't access the bugzilla, any idea if it's targeted at RHEL7 as well?

/aron

From: Jakub Hrozek [jhro...@redhat.com]
Sent: Wednesday, July 16, 2014 2:19 AM
To: Parsons, Aron
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 16 Jul 2014, at 03:29, Parsons, Aron parso...@bit-sys.com wrote:

I ran into this issue last fall and have been running with a patched libnfsidmap since November while our support case with Red Hat waits on a resolution (pretty much have given up hope at this point). It's a trivial patch and removes the assumption that only one @ can be present in a username. With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6 and EL7 in multiple environments all using NFSv4 mounts with ID mapping enabled. We have experienced zero issues with this patch applied. Without it, the AD trust setup is a no-go in any sort of real environment since NFSv4 is broken. If you'd like to reference our support case, it's #00983906. Patch is included below.

/aron

Hi Aron,

the support case you referenced is linked to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked for RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks like the patch will be released in 6.6.

From 305930bded0d377ebda858e8772ebf6527ba3f03 Mon Sep 17 00:00:00 2001
From: Aron Parsons parso...@bit-sys.com
Date: Fri, 15 Nov 2013 14:43:10 -0500
Subject: [PATCH] account for usernames with @ in them

---
 libnfsidmap/nss.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libnfsidmap/nss.c b/libnfsidmap/nss.c
index 04aff19..f9ad4be 100644
--- a/libnfsidmap/nss.c
+++ b/libnfsidmap/nss.c
@@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char *domain) char *l = NULL; int len; - c = strchr(name, '@'); + c = strrchr(name, '@'); if (c == NULL domain != NULL) goto out; if (c == NULL domain == NULL) { -- 1.7.1

Hi,

First I wish to thank everybody that helped me out trying to solve this issue and I also wish to inform that NFS 4 does not work with AD users through an AD and IPA trust at the moment for RHEL 6 and 7. The reason is that rpc.idmapd does not parse fully-qualified usernames, so adtest AD EXAMPLE o...@ipa.example.org does not work. The client-side code is stripping the domain off based on the location of the first @ character in the value returned by the server. This results in UID/GID mappings failing and resulting in ownership on the clients of nobody.

Regards,
Johan
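Review bot: the context lines of this hunk have lost their && operators ("if (c == NULL domain != NULL) goto out;"), which looks like mail/HTML mangling of the quoted patch rather than the source, so anyone applying it should take the original git format-patch output instead of this rendering, which will not apply cleanly. On the change itself, switching strchr to strrchr is the right fix for names of the form user@AD.REALM@nfs.domain that trusted-domain users produce, and it is a no-op when the name carries a single @; the one-line commit message "account for usernames with @ in them" should say that explicitly (which names carry two @ characters, and that the NFSv4 domain is assumed to be the suffix after the last one) so the assumption is documented for the next reader of strip_domain().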
From: Dmitri Pal [dpal redhat com]
Sent: Thursday, June 05, 2014 21:03
To: Johan Petersson; Alexander Bokovoy
Cc: Sumit Bose; freeipa-users redhat com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/04/2014 09:57 AM, Johan Petersson wrote:

Yes the message is exactly like that with commas, I double checked.

To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help? I did on all machines and got rid of that specific message but I still get user nobody unfortunately.

Here are logs from when I did a su - adtest AD h...@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.

Client:

Jun 4 15:30:13 client su: (to adtest ad home) linux on pts/0
Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest ad h...@linux.home timeout 600
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch-name_to_gid
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch-name_to_gid returned -22
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch-name_to_gid
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch-name_to_gid returned 0
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of the resolution?
NFS Server:

Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch-uid_to_name
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch-uid_to_name returned 0
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 - name adtest ad h...@linux.home
Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch-gid_to_name
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch-gid_to_name returned 0
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id 112005 - name ad_users linux home

The group ad_users is an IPA group with external maps from AD Domain users.

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy redhat com]
Sent: Wednesday, June 04, 2014 3:14 PM
To: Johan Petersson
Cc: dpal redhat com; freeipa-users redhat com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On Wed, 04 Jun 2014, Johan Petersson wrote:

Mail got posted before I was finished sorry. I found one clue to the issue after increasing autofs logging to debug and as I thought it has to do with id-mapping.
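The failure Johan describes (the client cutting the name at the first @ instead of the last) and the one-line strchr/strrchr patch from Aron, shown side by side as an added example that is not code from the thread or from libnfsidmap: a simplified model of strip_domain() run on a constructed name in the shape the server log shows, adtest@ad.home@linux.home, with linux.home as the configured NFSv4 domain. The case-insensitive suffix check and the EINVAL result are assumptions modelled on the library's behaviour, not copied from it.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Simplified model of libnfsidmap's strip_domain() (illustration only, not
 * the library's code): cut the name at an '@' and accept it only if the
 * suffix is the configured NFSv4 domain.  use_last selects strrchr (the
 * patched behaviour) over strchr (the original).  Returns a malloc'd local
 * name, or NULL with errno = EINVAL, the "-22" seen in the idmapd log. */
static char *strip_domain_at(const char *name, const char *domain, int use_last)
{
    const char *c = use_last ? strrchr(name, '@') : strchr(name, '@');
    size_t len;

    if (c == NULL) {
        if (domain != NULL) { errno = EINVAL; return NULL; } /* domain required */
        len = strlen(name);                    /* no domain configured: keep all */
    } else {
        if (domain != NULL && strcasecmp(c + 1, domain) != 0) {
            errno = EINVAL;                    /* suffix is not our NFSv4 domain */
            return NULL;
        }
        len = (size_t)(c - name);              /* keep everything before that '@' */
    }
    char *local = malloc(len + 1);
    if (local == NULL)
        return NULL;
    memcpy(local, name, len);
    local[len] = '\0';
    return local;
}

/* 1 if stripping yields `expected` (expected == NULL means "must fail"). */
int strip_matches(const char *name, const char *domain, int use_last, const char *expected)
{
    char *got = strip_domain_at(name, domain, use_last);
    int ok = (got == NULL) ? (expected == NULL)
                           : (expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void)
{   /* constructed name in the log's shape: AD principal + NFSv4 domain suffix */
    const char *n = "adtest@ad.home@linux.home";
    printf("strchr  (first @): %s\n", strip_matches(n, "linux.home", 0, NULL) ? "EINVAL -> nobody" : "mapped");
    printf("strrchr (last @):  %s\n", strip_matches(n, "linux.home", 1, "adtest@ad.home") ? "adtest@ad.home" : "fails");
    return 0;
}
```

With strchr the suffix seen is "ad.home@linux.home", which never equals the configured domain, so the lookup fails and the file shows up as nobody; with strrchr the local name "adtest@ad.home" is handed to NSS (SSSD) and resolves.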