[Freeipa-users] IPA+AD trust and NFS nobody issue

Parsons, Aron parsonsa at bit-sys.com
Wed Jul 16 01:29:32 UTC 2014


I ran into this issue last fall and have been running with a patched libnfsidmap since November while our support case with Red Hat waits on a resolution (pretty much have given up hope at this point).  It's a trivial patch and removes the assumption that only one @ can be present in a username.

With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6 and EL7 in multiple environments all using NFSv4 mounts with ID mapping enabled.  We have experienced zero issues with this patch applied.  Without it, the AD trust setup is a no-go in any sort of real environment since NFSv4 is broken.

If you'd like to reference our support case, it's #00983906.  Patch is included below.

/aron


From 305930bded0d377ebda858e8772ebf6527ba3f03 Mon Sep 17 00:00:00 2001
From: Aron Parsons <parsonsa at bit-sys.com>
Date: Fri, 15 Nov 2013 14:43:10 -0500
Subject: [PATCH] account for usernames with @ in them

---
 libnfsidmap/nss.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libnfsidmap/nss.c b/libnfsidmap/nss.c
index 04aff19..f9ad4be 100644
--- a/libnfsidmap/nss.c
+++ b/libnfsidmap/nss.c
@@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char *domain)
 	char *l = NULL;
 	int len;
 
-	c = strchr(name, '@');
+	c = strrchr(name, '@');
 	if (c == NULL && domain != NULL)
 	 goto out;
 	if (c == NULL && domain == NULL) {
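Review bot: the change of semantics at `c = strrchr(name, '@');` is undocumented; a one-line comment above it should say why the split moves from the first to the last '@' (names returned for AD trust users carry the AD realm inside the local part, as in user@AD.DOMAIN@nfsv4.domain, so the first '@' is not the domain separator), because the unchanged lines that follow still read as if a name can contain only one '@'. The `domain == NULL` branch on the next lines (`if (c == NULL && domain == NULL) {`) now also operates on names split at their last '@' whenever one is present, so that path should be re-checked with a multi-'@' name, and the commit subject "account for usernames with @ in them" should spell out that such names come from AD trusts rather than being arbitrary.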
-- 
1.7.1

-----
Hi,

First I wish to thank everybody who helped me out trying to solve this issue, and I also wish to inform you that NFS 4 does not work with AD users through an AD and IPA trust at the moment for RHEL 6 and 7.

The reason is that rpc.idmapd does not parse fully-qualified usernames, so "adtest@AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG" does not work.
The client-side code is stripping the domain off based on the location of the first "@" character in the value returned by the server. This results in UID/GID mappings failing and in ownership on the clients of "nobody".

Regards,
Johan

From: Dmitri Pal [dpal redhat com]
Sent: Thursday, June 05, 2014 21:03
To: Johan Petersson; Alexander Bokovoy
Cc: Sumit Bose; freeipa-users redhat com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/04/2014 09:57 AM, Johan Petersson wrote:
> Yes the message is exactly like that with commas, I double checked.
>
> To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmapd.conf might help?
>
> I did on all machines and got rid of that specific message but I still get user nobody unfortunately.
>
> Here are logs from when I did a su - adtest@AD.HOME@linux.home with both AD.HOME and LINUX.HOME added to Local-Realms in idmapd.conf.
>
> Client:
> Jun  4 15:30:13 client su: (to adtest@ad.home) linux on pts/0
> Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest@ad.home@linux.home timeout 600
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of
the resolution?


>
> NFS Server:
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
> Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "adtest@ad.home@linux.home"
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
> Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "ad_users@linux.home"
>
> The group ad_users is a IPA group with external maps from AD Domain users.
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy redhat com]
> Sent: Wednesday, June 04, 2014 3:14 PM
> To: Johan Petersson
> Cc: dpal redhat com; freeipa-users redhat com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> On Wed, 04 Jun 2014, Johan Petersson wrote:
>> Mail got posted before I was finished, sorry.
>>
>> I found one clue to the issue after increasing autofs logging to debug, and as I thought it has to do with id-mapping.
>>
>> From /var/log/messages:
>>
>> nfsidmap[1696]: nss_getpwnam: name 'adtest@ad.home@linux.home,' does not map into domain 'linux.home,'
> Are you sure the message is exactly like this, with a comma after linux.home?
>
> The reason I'm asking is because the code that prints the message looks like this:
>
>          localname = strip_domain(name, domain);
>          IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
>                    "resulting localname '%s'\n", name, domain, localname));
>          if (localname == NULL) {
>                  IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
>                          "into domain '%s'\n", name,
>                          domain ? domain : "<not-provided>"));
>                  goto err_free_buf;
>          }
>
> note that it doesn't have comma anywhere in the string printed.
>
> Can you please increase the log level to 4 so that we can see the first string (nss_getpwnam: name '....' domain '...': resulting localname ...)? it would be
>
> [general]
>    Verbosity = 4
>
> in /etc/idmapd.conf
>
>
>
>>
>> From: freeipa-users-bounces redhat com
>> [mailto:freeipa-users-bounces redhat com] On Behalf Of Johan Petersson
>> Sent: Wednesday, June 04, 2014 12:02 PM
>> To: dpal redhat com; freeipa-users redhat com
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>
>> Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.
>>
>>
>> server.ad.home = AD Server
>> share.linux.home = NFS Server
>> ipa.linux.home = IPA Server
>> client.linux.home = Client
>>
>> NFS with automounted krb5p Home Directories work for IPA users.
>>
>> sssd-1.11.2-65.el7.x86_64
>>
>> id adtest@AD.HOME
>> uid=497801107(adtest@ad.home)
>> gid=497801107(adtest@ad.home)
>> groups=497801107(adtest@ad.home),497800513(domain users@ad.home)
>>
>> getent passwd adtest@AD.HOME
>> adtest@ad.home:*:497801107:497801107::/home/ad.home/adtest:
>>
>> klist after kinit adtest@AD.HOME
>>
>> [root client ~]# klist -e
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: adtest@AD.HOME
>>
>> Valid starting     Expires            Service principal
>> 06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/AD.HOME@AD.HOME
>>          renew until 06/05/14 11:28:30, Etype (skey, tkt):
>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>
>> klist after ssh adtest@AD.HOME@ipa.linux.home
>>
>> klist
>> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
>> Default principal: adtest@AD.HOME
>>
>> Valid starting     Expires            Service principal
>> 06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.home@LINUX.HOME
>>          renew until 06/05/14 11:28:30
>> 06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/LINUX.HOME@AD.HOME
>>          renew until 06/05/14 11:28:30
>> 06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/AD.HOME@AD.HOME
>>          renew until 06/05/14 11:28:30
>>
>> Home Directory gets mounted by autofs through sssd but user:group is both nobody.
>>
>> The Client's sssd.conf:
>>
>> [domain/linux.home]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linux.home
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = client.linux.home
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = _srv_, ipa.linux.home
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> autofs_provider = ipa
>> ipa_automount_location = default
>> subdomains_provider = ipa
>> [sssd]
>> services = nss, pam, autofs, ssh
>> config_file_version = 2
>>
>> domains = linux.home
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>> From: freeipa-users-bounces redhat com [mailto:freeipa-users-bounces redhat com] On Behalf Of Dmitri Pal
>> Sent: Tuesday, June 03, 2014 6:48 PM
>> To: freeipa-users redhat com
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>
>> On 06/03/2014 09:07 AM, Johan Petersson wrote:
>> Hi,
>>
>> Environment:
>>
>> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
>> RHEL 7 NFS Server
>> RHEL 7 Client
>>
>> I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA.
>> I have created a NFS share /home/adexample.org and use autofs map in IPA.
>> All wbinfo tests works as well as id.
>> I can login fine through SSH and Shell with
>> adtest@adexample.org
>> The problem is that I can add the AD user as owner of his Home Directory, and if I log in to the NFS Server locally or through ssh permissions are correct, but when logging in to any other computer I get "nobody" as owner.
>> Are those computers RHEL7 NFS clients with SSSD?
>> Can you describe them in more details please?
>>
>> Groups are no problem since AD groups can be mapped to Posix groups.
>>
>> idmapd.conf domain is set to the IPA Domain.
>>
>> Is there some way to get NFS working with the AD user as owner of his Home Directory?
>>
>> Thanks for any help.
>>
>>
>> This e-mail is private and confidential between the sender and the addressee.
>> In the event of misdirection, the recipient is prohibited from using,
>> copying or disseminating it or any information in it. Please notify the above if any misdirection.
>>
>>
>>
>> _______________________________________________
>>
>> Freeipa-users mailing list
>>
>> Freeipa-users redhat com
>>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>> --
>>
>> Thank you,
>>
>> Dmitri Pal
>>
>>
>>
>> Sr. Engineering Manager IdM portfolio
>>
>> Red Hat, Inc.
>
> --
> / Alexander Bokovoy


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
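The failure discussed in this thread, as an added example that is not code from libnfsidmap, from Aron's patch or from anyone on the list: a small stand-in for the strip_domain() routine in libnfsidmap/nss.c, parameterised on which '@' it splits at, run over constructed names modelled on the rpc.idmapd log lines above. The function names, the case-insensitive domain comparison and the handling of a name with no '@' at all are assumptions made for this example, not behaviour taken from the library.

```c
/* Added example, not code from libnfsidmap, Aron's patch or anyone on this
 * thread: a minimal stand-in for strip_domain() from libnfsidmap/nss.c,
 * parameterised on which '@' the split happens at, so the strchr() ->
 * strrchr() change can be exercised on a trust-style name such as
 * "adtest@ad.home@linux.home".  The no-'@' handling is an assumption. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef char *(*at_finder)(const char *, int);

/* Case-insensitive equality: NFSv4 domain names are compared that way. */
static int domain_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* malloc'd copy of the first len bytes of s. */
static char *copy_prefix(const char *s, size_t len)
{
    char *out = malloc(len + 1);
    if (out != NULL) {
        memcpy(out, s, len);
        out[len] = '\0';
    }
    return out;
}

/* Local part of name (everything before the '@' that find() picks), or
 * NULL when the suffix is not our NFSv4 domain.  NULL is what the idmapper
 * turns into "nobody". */
static char *strip_domain_with(const char *name, const char *domain,
                               at_finder find)
{
    const char *c = find(name, '@');

    if (c == NULL)  /* unqualified name: only usable with no domain set */
        return domain == NULL ? copy_prefix(name, strlen(name)) : NULL;
    if (domain != NULL && !domain_equal(c + 1, domain))
        return NULL;
    return copy_prefix(name, (size_t)(c - name));
}

/* Before the patch: split at the FIRST '@' (strchr). */
char *strip_domain_first_at(const char *name, const char *domain)
{
    return strip_domain_with(name, domain, strchr);
}

/* After the patch: split at the LAST '@' (strrchr). */
char *strip_domain_last_at(const char *name, const char *domain)
{
    return strip_domain_with(name, domain, strrchr);
}

/* 1 if name maps to expected under the chosen split; expected == NULL
 * means "mapping fails", i.e. the file would show up owned by nobody. */
int maps_to(const char *name, const char *domain, int split_at_last_at,
            const char *expected)
{
    char *local = split_at_last_at ? strip_domain_last_at(name, domain)
                                   : strip_domain_first_at(name, domain);
    int ok = (local == NULL) ? (expected == NULL)
                             : (expected != NULL && strcmp(local, expected) == 0);
    free(local);
    return ok;
}

int main(void)
{
    /* Constructed names modelled on the rpc.idmapd log lines in the thread. */
    const char *domain = "linux.home";
    const char *names[] = { "adtest@ad.home@linux.home",  /* AD trust user */
                            "johan@linux.home",           /* plain IPA user */
                            "ad_users@linux.home" };      /* IPA group */
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *before = strip_domain_first_at(names[i], domain);
        char *after = strip_domain_last_at(names[i], domain);
        printf("%-26s strchr -> %-16s strrchr -> %s\n", names[i],
               before ? before : "(nobody)", after ? after : "(nobody)");
        free(before);
        free(after);
    }
    return 0;
}
```

With the first-'@' split the trust user's name never matches the configured NFSv4 domain, because the suffix seen is "ad.home@linux.home", so the lookup fails and the file shows up as nobody; splitting at the last '@' leaves "adtest@ad.home", which is exactly the name the `id` output quoted in the thread shows SSSD resolving. Plain IPA users and groups, which contain a single '@', map the same way before and after.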



