[Bug 966734] Re: nfs4+idmap does not map uids correctly when using AUTH_SYS

Thu Apr 10 10:25:18 UTC 2014

1) Confirmed: Ubuntu 11.04 has the problem, 10.04 does not. 
2) I'm running the involved clients "diskless", and apparently I forgot to upgrade the tftpboot kernel for the 11.04, so the clients are now both running the same kernel: 2.6.38-8-generic-pae. The problem does not depend on the kernel. 
3) I /HAVE/ matching uids on the server and client. 
The server was upgraded to 14.04 and since then the 11.04 client maps all normal-uid-owned-files on the NFS mount to "nobody". This results in sshd not allowing the authorized keys file, and not being able to use your own files. 

Now, "it sounds like this may have been fixed upstream" is encouraging.
But what do I need to upgrade to get the fix?

What do you guys do to get idmapd to log the translations it is doing?
-v option? Is there a neat way to enable it?

I've stopped the idmapd on the client. Same problem. 
I've straced the idmapd on the server, and it was not doing anything when the login on the server failed again. Are the idmapd requests cached? How do I flush them?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nfs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/966734

Title:
  nfs4+idmap does not map uids correctly when using AUTH_SYS

Status in “nfs-utils” package in Ubuntu:
  Triaged

Bug description:
  I've observed this bug on Ubuntu Precise (beta) and Oneiric, and also on Debian Squeeze and Debian Testing.
  (Kernel versions 2.6.32, 3.0.0 and 3.2.0)
  I've found numerous forum posts around the internet from confused users, but no solutions.

  The bug in question involves using nfs v4 with the idmapd, with users with the same username but differing uids across the client and server. The idmapping appears to have worked, until you try to write to the directories, at which point it skips the idmapping.
  This is a security issue as it will allow users to access files owned by other users unexpectedly.

  When listing files or directories on the client, the directories show
  up as owned by your local user, however attempting to write will
  result in a Permission Denied error. If you go back to the server and
  chown the directory to be owned by the uid used on the client, then
  the client will see the directory as owned by the incorrect user --
  but WILL be able to write to it!

  The log files for idmapd on both client and server appear to indicate
  that things are working correctly. eg:

  Server's syslog: rpc.idmapd[777]: Server : (user) id "2012" -> name "postie at localdomain"
  Client's syslog: rpc.idmapd[870]: Client 0: (user) name "postie at localdomain" -> id "2014"

  Running commands on the client:
  $ getent passwd postie
  postie:x:2014:2014::/home/postie:/bin/bash
  $ cd /srv/test
  $ ls -l
  drwxr-xr-x 2 postie root 4096 Mar 28 11:48 postie
  $ ls -ln
  drwxr-xr-x 2 2014 0 4096 Mar 28 11:48 postie
  $ touch postie/foo
  touch: cannot touch `postie/foo': Permission denied

  To prove that the mount *is* mounted read-write, I'll change the ownership of the directory on the server to uid 2014, rather than the postie user there (who has uid 2012).

  Now I run some commands on the client again:
  $ ls -l
  drwxr-xr-x 2 nobody root 4096 Mar 28 11:48 postie
  $ ls -ln
  drwxr-xr-x 2 65534 0 4096 Mar 28 11:48 postie
  $ touch postie/foo
  # It succeeds!

  Any thoughts on this, or if there's a better place to report this bug?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/966734/+subscriptions