[Bug 1728310] Re: libnfsidmap2 fails to obtain username which results in failed translation

Mathew Hodson mathew.hodson at gmail.com
Sun Nov 25 01:00:38 UTC 2018 

** Description changed:

- Environment: IPA + NFSv4 (sec=krb5).
+ [Impact]
+ 
+ * In a multi-domain environment setup with LDAP or IPA, the username is
+ not parsed correctly, resulting in id mapping issues.
+ 
+ * As a result, NFSv4 cannot be used in a multi-domain environment at all
+ if the username is of the form user at authentication_domain@idmap_domain
+ 
+ * The attached patch fixes an almost 10 year old bug in the libnfsidmap
+ library. The patch is included already in a similar form in current RHEL
+ releases.
+ 
+ * Affects at least libnfsidmap2 0.25-5 on Ubuntu 16.04, 16.10, 17.04,
+ 17.10.
+ 
+ [Test Case]
+ 
+ * IPA with 2 different user domains. For example: user1 at domain1 and
+ user2 at domain2.
+ 
+ * NFSv4 server enrolled into IPA.
+ 
+ * NFS client enrolled into IPA. User and group names coming from IPA
+ have an '@' in them.
+ 
+ [Regression Potential]
+ 
+ * The attached patch has been in production in a major organisation with
+ more than 500 Ubuntu clients for more than a year now and has not shown
+ any issues.
+ 
+ [Other Info]
+ 
+ Environment: IPA + NFSv4 (sec=krb5)
  
  nss.c uses wrong '@' sign to detect the NFS domain resulting in "nobody"
  ownerships and the following error messages in an IPA environment:
  
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns at localdomain@ipa.localdomain timeout 600
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns at localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns at localdomain@ipa.localdomain' does not map into domain 'ipa.localdomain'
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22
- 
- Affects at least libnfsidmap2=0.25-5 and 0.25-5.1 on 16.04, 16.10,
- 17.04, 17.10
- 
- Corresponding Debian bug report: https://bugs.debian.org/cgi-
- bin/bugreport.cgi?bug=744768
- 
- Tested patch attached.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libnfsidmap in Ubuntu.
https://bugs.launchpad.net/bugs/1728310

Title:
  libnfsidmap2 fails to obtain username which results in failed
  translation

Status in libnfsidmap package in Ubuntu:
  Confirmed
Status in libnfsidmap package in Debian:
  New

Bug description:
  [Impact]

  * In a multi-domain environment setup with LDAP or IPA, the username
  is not parsed correctly, resulting in id mapping issues.

  * As a result, NFSv4 cannot be used in a multi-domain environment at
  all if the username is of the form
  user at authentication_domain@idmap_domain

  * The attached patch fixes an almost 10 year old bug in the
  libnfsidmap library. The patch is included already in a similar form
  in current RHEL releases.

  * Affects at least libnfsidmap2 0.25-5 on Ubuntu 16.04, 16.10, 17.04,
  17.10.

  [Test Case]

  * IPA with 2 different user domains. For example: user1 at domain1 and
  user2 at domain2.

  * NFSv4 server enrolled into IPA.

  * NFS client enrolled into IPA. User and group names coming from IPA
  have an '@' in them.

  [Regression Potential]

  * The attached patch has been in production in a major organisation
  with more than 500 Ubuntu clients for more than a year now and has not
  shown any issues.

  [Other Info]

  Environment: IPA + NFSv4 (sec=krb5)

  nss.c uses wrong '@' sign to detect the NFS domain resulting in
  "nobody" ownerships and the following error messages in an IPA
  environment:

  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns at localdomain@ipa.localdomain timeout 600
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns at localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns at localdomain@ipa.localdomain' does not map into domain 'ipa.localdomain'
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
  Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libnfsidmap/+bug/1728310/+subscriptions

More information about the foundations-bugs mailing list