[Bug 966734] Re: nfs4+idmap does not map uids correctly when using AUTH_SYS

Wed Apr 25 11:02:56 UTC 2012

as a workaround I created the attached script (which you will need to
update for correct UID and GID values, this can be used on the slave
server to "sync" the UID and GID across the servers.

I had to lookup the values of the GID and UID and find a spare value
that wasn't used.

*note* I used this in a two machine enviroment and it will need some
work to get the UID/GID's matched across more servers.

*disclaimer* The use of this script is at your own discression if you
don't under stand what it is doing then please don't use it...

** Attachment added: "updateperms"
   https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/966734/+attachment/3103336/+files/updateperms

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nfs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/966734

Title:
  nfs4+idmap does not map uids correctly when using AUTH_SYS

Status in “nfs-utils” package in Ubuntu:
  Triaged

Bug description:
  I've observed this bug on Ubuntu Precise (beta) and Oneiric, and also on Debian Squeeze and Debian Testing.
  (Kernel versions 2.6.32, 3.0.0 and 3.2.0)
  I've found numerous forum posts around the internet from confused users, but no solutions.

  The bug in question involves using nfs v4 with the idmapd, with users with the same username but differing uids across the client and server. The idmapping appears to have worked, until you try to write to the directories, at which point it skips the idmapping.
  This is a security issue as it will allow users to access files owned by other users unexpectedly.

  When listing files or directories on the client, the directories show
  up as owned by your local user, however attempting to write will
  result in a Permission Denied error. If you go back to the server and
  chown the directory to be owned by the uid used on the client, then
  the client will see the directory as owned by the incorrect user --
  but WILL be able to write to it!

  The log files for idmapd on both client and server appear to indicate
  that things are working correctly. eg:

  Server's syslog: rpc.idmapd[777]: Server : (user) id "2012" -> name "postie at localdomain"
  Client's syslog: rpc.idmapd[870]: Client 0: (user) name "postie at localdomain" -> id "2014"

  Running commands on the client:
  $ getent passwd postie
  postie:x:2014:2014::/home/postie:/bin/bash
  $ cd /srv/test
  $ ls -l
  drwxr-xr-x 2 postie root 4096 Mar 28 11:48 postie
  $ ls -ln
  drwxr-xr-x 2 2014 0 4096 Mar 28 11:48 postie
  $ touch postie/foo
  touch: cannot touch `postie/foo': Permission denied

  To prove that the mount *is* mounted read-write, I'll change the ownership of the directory on the server to uid 2014, rather than the postie user there (who has uid 2012).

  Now I run some commands on the client again:
  $ ls -l
  drwxr-xr-x 2 nobody root 4096 Mar 28 11:48 postie
  $ ls -ln
  drwxr-xr-x 2 65534 0 4096 Mar 28 11:48 postie
  $ touch postie/foo
  # It succeeds!

  Any thoughts on this, or if there's a better place to report this bug?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/966734/+subscriptions