
Bug#675188: Change in rpc.idmapd makes clients unable to resolve users/groups



Package: nfs-kernel-server
Version: 1:1.2.5-4~bpo60
Severity: important

After upgrading an nfs server from 1.2.2 to 1.2.5 (from backports) all
the clients lost the ability to show the correct owner/group for files
and directories:
-rw-rw-r-- 1 nobody nogroup    0 2012-05-29 17:46 foo
drwxr-xr-x 2 nobody nogroup 4096 2012-05-29 17:39 bar

I tracked the problem to the way rpc.idmapd reports users and groups to
the clients. From rpc.idmapd -vvvvv in 1.2.2:
rpc.idmapd: nfsdcb: authbuf=gss/krb5p authtype=user
rpc.idmapd: nfs4_uid_to_name: calling umich_ldap->uid_to_name
rpc.idmapd: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
rpc.idmapd: nfs4_uid_to_name: umich_ldap->uid_to_name returned 0
rpc.idmapd: nfs4_uid_to_name: final return value is 0
rpc.idmapd:  Server: (user) id "2095" -> name "alberto.gonzalez"
rpc.idmapd: nfsdcb: authbuf=gss/krb5p authtype=group
rpc.idmapd: nfs4_gid_to_name: calling umich_ldap->gid_to_name
rpc.idmapd: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
rpc.idmapd: nfs4_gid_to_name: umich_ldap->gid_to_name returned 0
rpc.idmapd: nfs4_gid_to_name: final return value is 0
rpc.idmapd:  Server: (group) id "2095" -> name "alberto.gonzalez"

Whereas in 1.2.5:
rpc.idmapd: nfsdcb: authbuf=gss/krb5p authtype=user
rpc.idmapd: nfs4_uid_to_name: calling nsswitch->uid_to_name
rpc.idmapd: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
rpc.idmapd: nfs4_uid_to_name: final return value is 0
rpc.idmapd: Server : (user) id "2095" -> name "alberto.gonzalez@domain"
rpc.idmapd: nfsdcb: authbuf=gss/krb5p authtype=user
rpc.idmapd: nfs4_uid_to_name: calling nsswitch->uid_to_name
rpc.idmapd: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
rpc.idmapd: nfs4_uid_to_name: final return value is 0
rpc.idmapd: Server : (user) id "1000" -> name "agi@domain"
rpc.idmapd: nfsdcb: authbuf=gss/krb5p authtype=group
rpc.idmapd: nfs4_gid_to_name: calling nsswitch->gid_to_name
rpc.idmapd: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
rpc.idmapd: nfs4_gid_to_name: final return value is 0
rpc.idmapd: Server : (group) id "1000" -> name "agi@domain"

I've tried commenting out "Domain = domain" and setting it to its real value
(in the server's /etc/idmapd.conf), both tests with the same result.

I'm not saying that "user@domain" is not the right value for this (it probably
is, I don't know the RFC). But it's not the way it used to behave.

It would be nice to have a way to have rpc.idmapd report users and
groups as it used to, in order to avoid modifying /etc/idmapd.conf in
hundreds of nfs clients as well as introducing an extra attribute (for
NFSv4_name_attr and NFSv4_group_attr) in LDAP (now just using "uid").

I expect this bug to hit nfs (v4) servers upgrading from Squeeze to
Wheezy.

Thanks,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
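
Added example, not part of the original report and not nfs-utils code: a small parser for the rpc.idmapd -vvvvv lines quoted in the report, which records the translation method that answered each lookup and whether the returned name carries an @domain suffix. The sample lines are abridged from the two traces in the report; the function and variable names are assumptions of this example.

```python
import re

# Abridged from the two rpc.idmapd -vvvvv traces quoted in the report.
SAMPLE_1_2_2 = """\
rpc.idmapd: nfsdcb: authbuf=gss/krb5p authtype=user
rpc.idmapd: nfs4_uid_to_name: calling umich_ldap->uid_to_name
rpc.idmapd:  Server: (user) id "2095" -> name "alberto.gonzalez"
"""
SAMPLE_1_2_5 = """\
rpc.idmapd: nfsdcb: authbuf=gss/krb5p authtype=user
rpc.idmapd: nfs4_uid_to_name: calling nsswitch->uid_to_name
rpc.idmapd: Server : (user) id "2095" -> name "alberto.gonzalez@domain"
rpc.idmapd: nfsdcb: authbuf=gss/krb5p authtype=group
rpc.idmapd: nfs4_gid_to_name: calling nsswitch->gid_to_name
rpc.idmapd: Server : (group) id "1000" -> name "agi@domain"
"""

# "calling <method>->uid_to_name" names the translation method consulted.
CALL_RE = re.compile(r"nfs4_[ug]id_to_name: calling (\w+)->[ug]id_to_name")
# Both spacings seen in the report: "Server:" (1.2.2) and "Server :" (1.2.5).
MAP_RE = re.compile(r'Server\s*:\s*\((user|group)\) id "(\d+)" -> name "([^"]*)"')


def parse_idmapd_trace(text):
    """Return one record per id -> name answer found in a verbose trace."""
    records, method = [], None
    for line in text.splitlines():
        call = CALL_RE.search(line)
        if call:
            method = call.group(1)  # remembered until the matching answer
            continue
        answer = MAP_RE.search(line)
        if answer:
            kind, ident, name = answer.groups()
            records.append({"kind": kind, "id": int(ident), "name": name,
                            "method": method, "qualified": "@" in name})
            method = None
    return records


def qualification_changed(before, after):
    """(kind, id) pairs answered bare in `before` but with @domain in `after`."""
    bare = {(r["kind"], r["id"]) for r in before if not r["qualified"]}
    return sorted(bare & {(r["kind"], r["id"]) for r in after if r["qualified"]})


if __name__ == "__main__":
    old, new = parse_idmapd_trace(SAMPLE_1_2_2), parse_idmapd_trace(SAMPLE_1_2_5)
    print("now domain-qualified:", qualification_changed(old, new))
```

Run against traces captured before and after a server upgrade, it lists the ids whose on-the-wire name changed form, which is the difference the report identifies between 1.2.2 and 1.2.5.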


