Ubuntu
libnfsidmap package

libnfsidmap2 fails to obtain username which results in failed translation

Bug #1728310 reported by Uli on 2017-10-28

This bug report is a duplicate of: Bug #1819197: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname '(null)'. Edit Remove

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	libnfsidmap (Debian)	New	Unknown	debbugs #744768
	libnfsidmap (Ubuntu)	Confirmed	Medium	Unassigned

Bug Description

[Impact]

* In a multi-domain environment setup with LDAP or IPA, the username is not parsed correctly, resulting in id mapping issues.

* As a result, NFSv4 cannot be used in a multi-domain environment at all if the username is of the form user@authentication_domain@idmap_domain

* The attached patch fixes an almost 10 year old bug in the libnfsidmap library. The patch is included already in a similar form in current RHEL releases.

* Affects at least libnfsidmap2 0.25-5 on Ubuntu 16.04, 16.10, 17.04, 17.10.

[Test Case]

* IPA with 2 different user domains. For example: user1@domain1 and user2@domain2.

* NFSv4 server enrolled into IPA.

* NFS client enrolled into IPA. User and group names coming from IPA have an '@' in them.

[Regression Potential]

* The attached patch has been in production in a major organisation with more than 500 Ubuntu clients for more than a year now and has not shown any issues.

[Other Info]

Environment: IPA + NFSv4 (sec=krb5)

nss.c uses wrong '@' sign to detect the NFS domain resulting in "nobody" ownerships and the following error messages in an IPA environment:

Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@<email address hidden> timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@<email address hidden>' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@<email address hidden>' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22

See original description

Tags:

Uli (ulrich-felzmann) on 2017-10-28

description:	updated
description:	updated
description:	updated

Uli (ulrich-felzmann) on 2017-10-28

description:

updated

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2017-10-29:

The attachment "03-nss.c.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags:

added: patch

Bug Watch Updater (bug-watch-updater) on 2017-10-29

Changed in autofs (Debian):
status:	Unknown → New

Revision history for this message

Uli (ulrich-felzmann) wrote on 2017-10-30:

This is a debdiff for Xenial applicable to libnfsidmap_0.25-5. I built this in pbuilder
and it builds successfully, and I installed it, the patch works as intended.

Revision history for this message

Uli (ulrich-felzmann) wrote on 2017-10-31:

2-0.25-5ubuntu1.debdiff Edit (1.8 KiB, text/plain)

This is an updated debdiff for Xenial applicable to libnfsidmap_0.25-5.
Tested successfully on 16.04.03.

Uli (ulrich-felzmann) on 2017-10-31

affects:

autofs (Ubuntu) → libnfsidmap (Ubuntu)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-10-31:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libnfsidmap (Ubuntu):
status:	New → Confirmed

Mathew Hodson (mhodson) on 2018-03-05

affects:	autofs (Debian) → libnfsidmap (Debian)
Changed in libnfsidmap (Ubuntu):
importance:	Undecided → Medium

Revision history for this message

Simon Quigley (tsimonq2) wrote on 2018-08-17:

I apologize for the very long delay in this getting attention. Please edit the bug report to follow the SRU guidelines: https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

Please resubscribe ~ubuntu-sponsors once that's done.

Thank you.

Revision history for this message

Uli (ulrich-felzmann) wrote on 2018-08-17:

[Impact]

* In a multi-domain environment setup with LDAP or IPA, the username is not parsed correctly, resulting in id mapping issues.

* As a result, NFSv4 cannot be used in a multi-domain environment at all if the username is of the form user@authentication_domain@idmap_domain

* The attached patch fixes an almost 10 year old bug in the libnfsidmap library. The patch is included already in a similar form in current RHEL releases.

[Test Case]

* IPA with 2 different user domains. For example: user1@domain1 and user2@domain2.

* NFSv4 server enrolled into IPA

* NFS client enrolled into IPA. User and group names coming from IPA have an '@' in them.

[Regression Potential]

* The attached patch has been in production in a major organisation with more than 500 Ubuntu clients for more than a year now and has not shown any issues.

Mathew Hodson (mhodson) on 2018-11-25

description:

updated

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-03-21:

I'm concentrating the discussion in bug #1819197