Bug#924051: marked as done (nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Mon, 14 Mar 2022 01:09:00 +0100
with message-id <dbd79370ff733f3d833d5076fa67ac260c9b8e33.camel@decadent.org.uk>
and subject line Re: nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294
has caused the Debian Bug report #924051,
regarding nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
924051: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924051
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294
• From: Michael Barkdoll <mabarkdoll@gmail.com>
• Date: Fri, 08 Mar 2019 15:40:02 -0600
• Message-id: <155208120210.2773.5188312512496941879.reportbug@deb19client.AD.SIU.EDU>

Package: nfs-common
Version: 1:1.3.4-2.1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
Debian box joined to AD with Realmd.  Mounted nfsv4 with kerberos auth.  UID/GID match on client and server.  File permissions honored by displayed incorrected.
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
The following was observed in /var/log/syslog on the client:
nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname '(null)' 

uid and gid appear to not map properly from nfsidmap in a nfsv4 with sec=krb5. UID and GID are mapping properly on CentOS server and CentOS client. Ubuntu nfs client file permissions are honored, but display in `ls -lan` command are incorrect.

---
$ cat /var/log/syslog |grep nfsidmap
Mar 8 16:38:34 ubuntuclient nfsidmap[24736]: key: 0x24a1c64d type: uid value: userY@xx.xx.edu@XX.XX.EDU timeout 600
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname '(null)'
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' does not map into domain 'XX.XX.EDU'
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: final return value is -22
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling nsswitch->name_to_uid

$
$ mount -v -t nfs4 -o sec=krb5 SP19SRV.XX.XX.EDU:/export /mnt
$ su userX
$ ls -la /mnt
total 4
drwxr-xr-x 5 nobody 4294967294 50 Feb 28 18:04 .
drwxr-xr-x 24 root root 4096 Mar 7 22:34 ..
drwxr-xr-x 2 nobody 4294967294 125 Mar 8 16:27 userX
$



Problem:
nfsmapid isn't showing proper file permissions on the ubuntu nfsv4 client with sec=krb



Client:
---
mount -v -t nfs4 -o sec=krb5 SP19SRV.XX.XX.EDU:/export /mnt
---
$ ls -la
total 4
drwxr-xr-x 5 nobody 4294967294 50 Feb 28 18:04 .
drwxr-xr-x 24 root root 4096 Mar 7 20:58 ..
drwxr-xr-x 2 nobody 4294967294 112 Mar 7 14:30 username
username@xx.xx.edu@ubuntuclient:/mnt

---
$ cat /etc/idmapd.conf

[General]

Verbosity = 9
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
Domain = XX.XXX.EDU

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

---
$ cat /etc/default/nfs-common
STATDOPTS=
NEED_GSSD="yes"
NEED_IDMAPD="yes"
# I've tried commenting out NEED_IDMAPD as well.
# I manually created the following file with ktutil to just have nfs lines.
RPCGSSDARGS="-k /etc/nfs.keytab"
# I've tried with and without the above line (this was shown from redhat documentaiton)
---

My nfs server is a Centos 7.

Both machines were joined to active directory with sssd. NFSv4 with krb security works on my centos server and client. The nfs server mount works on the ubuntu client and file permissions are honored. But, the ls -la command is showing the incorrect file permissions.



uid and gid's appear to be in sync from sssd. Note in /etc/sssd/sssd.conf ldap_id_mapping = False though I don't think that should matter since ids are the same on both client and server from the ldap attributes in AD.



Centos 7 servers /var/log/messages with idmapd.conf verbosity:

Mar 8 16:38:32 sp19srv rpc.idmapd[1224]: Server : (group) id "65534" -> name "nfsnobody@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "3872" -> name "userX@xx.xx.edu@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=group
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: final return value is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (group) id "110" -> name "some group gid@xx.xx.edu@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "0" -> name "root@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=group
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_gid_to_name: final return value is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (group) id "0" -> name "root@XX.XX.EDU"
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfsdcb: authbuf=gss/krb5 authtype=user
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: nfs4_uid_to_name: final return value is 0
Mar 8 16:38:34 sp19srv rpc.idmapd[1224]: Server : (user) id "1630" -> name "userX@xx.xx.edu@XX.XX.EDU"


Please let me know if you need any additional information, thanks,
   * What was the outcome of this action?
nfsv4 file share is mounted by uid and gid are not displaying properly.
   * What outcome did you expect instead?
Expected the id and gid of the user to be shown on ls -lan

*** End of the template - remove these template lines ***


-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
-- /etc/default/nfs-common --
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD="yes"
RPCGSSDARGS="-k /etc/nfs.keytab"
-- /etc/idmapd.conf --
[General]
Verbosity = 9
Pipefs-Directory = /run/rpc_pipefs
Domain = AD.SIU.EDU
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nfs-common depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  keyutils             1.5.9-9
ii  libc6                2.24-11+deb9u4
ii  libcap2              1:2.25-1
ii  libcomerr2           1.43.4-2
ii  libdevmapper1.02.1   2:1.02.137-2
ii  libevent-2.0-5       2.0.21-stable-3
ii  libgssapi-krb5-2     1.15-1+deb9u1
ii  libk5crypto3         1.15-1+deb9u1
ii  libkeyutils1         1.5.9-9
ii  libkrb5-3            1.15-1+deb9u1
ii  libmount1            2.29.2-1+deb9u1
ii  libnfsidmap2         0.25-5.1
ii  libtirpc1            0.2.5-1.2+deb9u1
ii  libwrap0             7.6.q-26
ii  lsb-base             9.20161125
ii  rpcbind              0.2.3-0.6
ii  ucf                  3.0036

Versions of packages nfs-common recommends:
ii  python  2.7.13-2

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

-- Configuration Files:
/etc/default/nfs-common changed:
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD="yes"
RPCGSSDARGS="-k /etc/nfs.keytab"


-- no debconf information

--- End Message ---

--- Begin Message ---

• To: 924051-done@bugs.debian.org
• Subject: Re: nfs-common: Krb5 NFSv4 Realmd AD nfsidmap files owned by nobody group 4294967294
• From: Ben Hutchings <ben@decadent.org.uk>
• Date: Mon, 14 Mar 2022 01:09:00 +0100
• Message-id: <dbd79370ff733f3d833d5076fa67ac260c9b8e33.camel@decadent.org.uk>
• In-reply-to: <CAC7iewFRuzs5ZnJ0_QCpXKeHD56eJx-5eoaS6WA0nefxFbysVA@mail.gmail.com>
• References: <CAC7iewFRuzs5ZnJ0_QCpXKeHD56eJx-5eoaS6WA0nefxFbysVA@mail.gmail.com>

Version: 1:2.5.4-1~exp1

On Tue, 12 Mar 2019 15:39:51 -0500 Michael Barkdoll
<mabarkdoll@gmail.com> wrote:
> I was able to find a solution to this issue that will require a
> patch/update to the libnfsidmap version 0.26.
> 
> Please see reference to another user that experience the issue.
> 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/SIA6J7IZRWX2FVGHKMS5F3HB7DE3MCFC/
> 
> I confirmed after custom compiling and using the newer lib's .so file that
> the naming convention was normal.  One directory timed out when I did a
> chown but after fixing the file permissions to a user inside AD it seems to
> be working alright.
> 
> Can you please patch libnfsidmap to use version 0.26 to fix this bug?
> Thanks!

It's unclear to me that there ever was a version 0.26 of libnfsidmap
(it doesn't appear on
<http://www.citi.umich.edu/projects/nfsv4/linux/libnfsidmap/>). 
However, libnfsidmap was merged into nfs-utils some time after version
0.25, and hopefully the fix was included in that.  So I'm marking this
fixed in the first Debian version after that merge.

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought. I realized that a large part of my life from then on was going
to be spent in finding mistakes in my own programs.
                                                 - Maurice Wilkes, 1949

Attachment: signature.asc
Description: This is a digitally signed message part

--- End Message ---