Your message dated Mon, 14 Mar 2022 01:09:00 +0100 with message-id <dbd79370ff733f3d833d5076fa67ac260c9b8e33.camel@decadent.org.uk> and subject line Re: nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294 has caused the Debian Bug report #924051, regarding nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
924051: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924051
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294
- From: Michael Barkdoll <mabarkdoll@gmail.com>
- Date: Fri, 08 Mar 2019 15:40:02 -0600
- Message-id: <155208120210.2773.5188312512496941879.reportbug@deb19client.AD.SIU.EDU>
Package: nfs-common
Version: 1:1.3.4-2.1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

Debian box joined to AD with Realmd. Mounted nfsv4 with kerberos auth. UID/GID match on client and server. File permissions honored but displayed incorrectly.

   * What exactly did you do (or not do) that was effective (or ineffective)?

The following was observed in /var/log/syslog on the client:
nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname '(null)'

uid and gid appear to not map properly from nfsidmap in a nfsv4 with sec=krb5. UID and GID are mapping properly on CentOS server and CentOS client. Ubuntu nfs client file permissions are honored, but display in `ls -lan` command are incorrect.

---
$ cat /var/log/syslog |grep nfsidmap
Mar 8 16:38:34 ubuntuclient nfsidmap[24736]: key: 0x24a1c64d type: uid value: userY@xx.xx.edu@XX.XX.EDU timeout 600
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname '(null)'
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' does not map into domain 'XX.XX.EDU'
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: final return value is -22
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling nsswitch->name_to_uid
$
$ mount -v -t nfs4 -o sec=krb5 SP19SRV.XX.XX.EDU:/export /mnt
$ su userX
$ ls -la /mnt
total 4
drwxr-xr-x 5 nobody 4294967294 50 Feb 28 18:04 .
drwxr-xr-x 24 root root 4096 Mar 7 22:34 ..
drwxr-xr-x 2 nobody 4294967294 125 Mar 8 16:27 userX
$

Problem: nfsmapid isn't showing proper file permissions on the ubuntu nfsv4 client with sec=krb

Client:
---
mount -v -t nfs4 -o sec=krb5 SP19SRV.XX.XX.EDU:/export /mnt
---
$ ls -la
total 4
drwxr-xr-x 5 nobody 4294967294 50 Feb 28 18:04 .
drwxr-xr-x 24 root root 4096 Mar 7 20:58 ..
drwxr-xr-x 2 nobody 4294967294 112 Mar 7 14:30 username
username@xx.xx.edu@ubuntuclient:/mnt
---
$ cat /etc/idmapd.conf
[General]

Verbosity = 9
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
Domain = XX.XXX.EDU

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup
---
$ cat /etc/default/nfs-common
STATDOPTS=
NEED_GSSD="yes"
NEED_IDMAPD="yes"
# I've tried commenting out NEED_IDMAPD as well.
# I manually created the following file with ktutil to just have nfs lines.
RPCGSSDARGS="-k /etc/nfs.keytab"
# I've tried with and without the above line (this was shown from redhat documentation)
---

My nfs server is a Centos 7. Both machines were joined to active directory with sssd. NFSv4 with krb security works on my centos server and client. The nfs server mount works on the ubuntu client and file permissions are honored. But, the ls -la command is showing the incorrect file permissions. uid and gid's appear to be in sync from sssd. Note in /etc/sssd/sssd.conf ldap_id_mapping = False though I don't think that should matter since ids are the same on both client and server from the ldap attributes in AD.

Centos 7 server's /var/log/messages with idmapd.conf verbosity:
Mar 8 16:38:32 sp19srv rpc.idmapd[1224]: Server : (group) id "65534" -> name "nfsnobody@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "3872" -> name "userX@xx.xx.edu@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=group
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: final return value is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (group) id "110" -> name "some group gid@xx.xx.edu@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "0" -> name "root@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=group
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: final return value is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (group) id "0" -> name "root@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "1630" -> name "userX@xx.xx.edu@XX.XX.EDU"

Please let me know if you need any additional information, thanks,

   * What was the outcome of this action?

nfsv4 file share is mounted but uid and gid are not displaying properly.

   * What outcome did you expect instead?

Expected the id and gid of the user to be shown on ls -lan

*** End of the template - remove these template lines ***

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
-- /etc/default/nfs-common --
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD="yes"
RPCGSSDARGS="-k /etc/nfs.keytab"
-- /etc/idmapd.conf --
[General]
Verbosity = 9
Pipefs-Directory = /run/rpc_pipefs
Domain = AD.SIU.EDU
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nfs-common depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  keyutils             1.5.9-9
ii  libc6                2.24-11+deb9u4
ii  libcap2              1:2.25-1
ii  libcomerr2           1.43.4-2
ii  libdevmapper1.02.1   2:1.02.137-2
ii  libevent-2.0-5       2.0.21-stable-3
ii  libgssapi-krb5-2     1.15-1+deb9u1
ii  libk5crypto3         1.15-1+deb9u1
ii  libkeyutils1         1.5.9-9
ii  libkrb5-3            1.15-1+deb9u1
ii  libmount1            2.29.2-1+deb9u1
ii  libnfsidmap2         0.25-5.1
ii  libtirpc1            0.2.5-1.2+deb9u1
ii  libwrap0             7.6.q-26
ii  lsb-base             9.20161125
ii  rpcbind              0.2.3-0.6
ii  ucf                  3.0036

Versions of packages nfs-common recommends:
ii  python  2.7.13-2

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

-- Configuration Files:
/etc/default/nfs-common changed:
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD="yes"
RPCGSSDARGS="-k /etc/nfs.keytab"

-- no debconf information
--- End Message ---
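
A diagnostic for the client-side nfsidmap log excerpt in the report above, added here as an example (it is not part of the original message and is not libnfsidmap code): it extracts the names nfsidmap could not localize and shows whether the domain part matches when the name is split at the first or at the last '@'. The sample log is constructed from the lines quoted in the report; the function names and the case-insensitive domain comparison are assumptions.

```python
import re

# Constructed sample, modelled on the nfsidmap debug lines quoted in the report.
SAMPLE_LOG = """\
Mar 8 16:38:34 client nfsidmap[24736]: key: 0x24a1c64d type: uid value: userX@xx.xx.edu@XX.XX.EDU timeout 600
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname '(null)'
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' does not map into domain 'XX.XX.EDU'
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar 8 16:38:35 client nfsidmap[24740]: nss_getpwnam: name 'root@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname 'root'
"""

# Matches the "resulting localname" debug line shown in the report.
NSS_RE = re.compile(
    r"nfsidmap\[(?P<pid>\d+)\]: nss_getpwnam: name '(?P<name>[^']*)' "
    r"domain '(?P<domain>[^']*)': resulting localname '(?P<local>[^']*)'"
)

def split_name(name, last):
    """Split an owner string into (local part, domain) at the first or last '@'."""
    local, sep, dom = name.rpartition("@") if last else name.partition("@")
    return (local, dom) if sep else (name, "")

def failed_mappings(log_text):
    """Return one finding per name whose localname came back as '(null)'."""
    findings = []
    for line in log_text.splitlines():
        m = NSS_RE.search(line)
        if not m or m["local"] != "(null)":
            continue
        name, domain = m["name"], m["domain"]
        first = split_name(name, last=False)
        last = split_name(name, last=True)
        # Assumption: domains are compared case-insensitively in this diagnostic.
        findings.append({
            "name": name,
            "domain": domain,
            "at_signs": name.count("@"),
            "first_split_matches": first[1].lower() == domain.lower(),
            "last_split_local": last[0] if last[1].lower() == domain.lower() else None,
        })
    return findings

if __name__ == "__main__":
    for finding in failed_mappings(SAMPLE_LOG):
        print(finding)
```

A finding with `at_signs` greater than 1 and `first_split_matches` false points at UPN-style AD names (user@domain@REALM) as the reason the client falls back to nobody.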
--- Begin Message ---
- To: 924051-done@bugs.debian.org
- Subject: Re: nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294
- From: Ben Hutchings <ben@decadent.org.uk>
- Date: Mon, 14 Mar 2022 01:09:00 +0100
- Message-id: <dbd79370ff733f3d833d5076fa67ac260c9b8e33.camel@decadent.org.uk>
- In-reply-to: <CAC7iewFRuzs5ZnJ0_QCpXKeHD56eJx-5eoaS6WA0nefxFbysVA@mail.gmail.com>
- References: <CAC7iewFRuzs5ZnJ0_QCpXKeHD56eJx-5eoaS6WA0nefxFbysVA@mail.gmail.com>
Version: 1:2.5.4-1~exp1

On Tue, 12 Mar 2019 15:39:51 -0500 Michael Barkdoll <mabarkdoll@gmail.com> wrote:
> I was able to find a solution to this issue that will require a
> patch/update to the libnfsidmap version 0.26.
>
> Please see reference to another user that experienced the issue.
>
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/SIA6J7IZRWX2FVGHKMS5F3HB7DE3MCFC/
>
> I confirmed after custom compiling and using the newer lib's .so file that
> the naming convention was normal. One directory timed out when I did a
> chown but after fixing the file permissions to a user inside AD it seems to
> be working alright.
>
> Can you please patch libnfsidmap to use version 0.26 to fix this bug?
> Thanks!

It's unclear to me that there ever was a version 0.26 of libnfsidmap (it doesn't appear on <http://www.citi.umich.edu/projects/nfsv4/linux/libnfsidmap/>). However, libnfsidmap was merged into nfs-utils some time after version 0.25, and hopefully the fix was included in that. So I'm marking this fixed in the first Debian version after that merge.

Ben.

--
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had thought. I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs. - Maurice Wilkes, 1949

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---