libnfsidmap2 fails to obtain username which results in failed translation

Bug #1728310 reported by Uli on 2017-10-28
This bug affects 2 people
Affects: libnfsidmap (Debian); Status: New; Importance: Unknown
Affects: libnfsidmap (Ubuntu); Importance: Medium; Assigned to: Unassigned

Bug Description

[Impact]

* In a multi-domain environment setup with LDAP or IPA, the username is not parsed correctly, resulting in id mapping issues.

* As a result, NFSv4 cannot be used in a multi-domain environment at all if the username is of the form user@authentication_domain@idmap_domain.

* The attached patch fixes an almost 10-year-old bug in the libnfsidmap library. The patch is already included in a similar form in current RHEL releases.

* Affects at least libnfsidmap2 0.25-5 on Ubuntu 16.04, 16.10, 17.04, 17.10.

[Test Case]

* IPA with 2 different user domains. For example: user1@domain1 and user2@domain2.

* NFSv4 server enrolled into IPA.

* NFS client enrolled into IPA. User and group names coming from IPA have an '@' in them.

[Regression Potential]

* The attached patch has been in production in a major organisation with more than 500 Ubuntu clients for more than a year now and has not shown any issues.

[Other Info]

Environment: IPA + NFSv4 (sec=krb5)

nss.c uses the wrong '@' sign to detect the NFS domain, resulting in "nobody" ownerships and the following error messages in an IPA environment:

Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@<email address hidden> timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@<email address hidden>' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@<email address hidden>' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22
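
The mis-parse described in this report, as an added example that is neither libnfsidmap's code nor part of the original report. It assumes the "wrong" '@' is the first one in the name and that the fix is to split at the last one; the helper `localname`, its `use_last` flag and the sample names are hypothetical and constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper (not libnfsidmap's API): return a malloc'd local name
 * if the text after the chosen '@' equals `domain`, else NULL.
 * use_last == 0 splits at the first '@' (assumed buggy behaviour);
 * use_last != 0 splits at the last '@' (assumed fix). */
char *localname(const char *name, const char *domain, int use_last)
{
    const char *at;
    size_t len;
    char *local;

    if (name == NULL || domain == NULL)
        return NULL;
    at = use_last ? strrchr(name, '@') : strchr(name, '@');
    if (at == NULL || at == name)
        return NULL;                      /* no '@' or empty local part */
    if (strcasecmp(at + 1, domain) != 0)
        return NULL;                      /* suffix is not the idmap domain */
    len = (size_t)(at - name);
    local = malloc(len + 1);
    if (local == NULL)
        return NULL;
    memcpy(local, name, len);
    local[len] = '\0';
    return local;
}

int main(void)
{
    /* Constructed sample in the form user@authentication_domain@idmap_domain. */
    const char *name = "alice@corp.example@ipa.example";
    const char *domain = "ipa.example";
    char *first = localname(name, domain, 0);
    char *last = localname(name, domain, 1);

    printf("first '@': %s\n", first ? first : "(null)");
    printf("last  '@': %s\n", last ? last : "(null)");
    free(first);
    free(last);
    return 0;
}
```

With the first-'@' split the name fails to map into the domain and the caller falls back to "nobody"; with the last-'@' split the local name keeps its authentication domain.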

Uli (ulrich-felzmann) on 2017-10-28
description: updated

The attachment "03-nss.c.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in autofs (Debian):
status: Unknown → New
Uli (ulrich-felzmann) wrote :

This is a debdiff for Xenial applicable to libnfsidmap_0.25-5. I built this in pbuilder and it builds successfully; I installed it, and the patch works as intended.

Uli (ulrich-felzmann) wrote :

This is an updated debdiff for Xenial applicable to libnfsidmap_0.25-5.
Tested successfully on 16.04.03.

Uli (ulrich-felzmann) on 2017-10-31
affects: autofs (Ubuntu) → libnfsidmap (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libnfsidmap (Ubuntu):
status: New → Confirmed
affects: autofs (Debian) → libnfsidmap (Debian)
Changed in libnfsidmap (Ubuntu):
importance: Undecided → Medium
Simon Quigley (tsimonq2) wrote :

I apologize for the very long delay in this getting attention. Please edit the bug report to follow the SRU guidelines: https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

Please resubscribe ~ubuntu-sponsors once that's done.

Thank you.

Uli (ulrich-felzmann) wrote :

[Impact]

 * In a multi-domain environment setup with LDAP or IPA, the username is not parsed correctly, resulting in id mapping issues.

 * As a result, NFSv4 cannot be used in a multi-domain environment at all if the username is of the form user@authentication_domain@idmap_domain.

 * The attached patch fixes an almost 10-year-old bug in the libnfsidmap library. The patch is already included in a similar form in current RHEL releases.

[Test Case]

 * IPA with 2 different user domains. For example: user1@domain1 and user2@domain2.

 * NFSv4 server enrolled into IPA

 * NFS client enrolled into IPA. User and group names coming from IPA have an '@' in them.

[Regression Potential]

 * The attached patch has been in production in a major organisation with more than 500 Ubuntu clients for more than a year now and has not shown any issues.

description: updated