Bug 1232468

Summary: The Domain option is not correctly set in idmapd.conf when ipa-client-automount is executed.
Product: Red Hat Enterprise Linux 6
Reporter: Matthew LeSieur <matthew.lesieur>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: medium
Priority: medium
Version: 6.6
CC: ggatward, ksiddiqu, mkosek, mvarun, pvoborni, rcritten, rvdwees
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: ipa-3.0.0-49.el6
Doc Type: Bug Fix
Last Closed: 2016-05-11 00:07:53 UTC
Type: Bug
Bug Blocks: 1295865

Description Matthew LeSieur 2015-06-16 20:13:22 UTC
Description of problem:
  When using "ipa-client-automount" to configure automount and NFS on an IPA client, the "Domain" option is added to the bottom of the /etc/idmapd.conf file.  Because this file is formatted into sections, the "Domain" option is placed in the [Translation] section, and not the [General] section of the configuration file.  ID mapping does not work correctly with the "Domain" option in the [Translation] section.  After manually moving the "Domain" option to the [General] section, ID mapping works correctly.

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-42.el6.x86_64
nfs-utils-lib-1.1.5-9.el6.x86_64

How reproducible:
  This is reproducible every time "ipa-client-automount" is executed and /etc/idmapd.conf is modified.

Steps to Reproduce:
1. Install a fresh Red Hat Enterprise Linux 6 host and apply all updates.
2. Install the "ipa-client" package.
3. Join host to IPA domain using "ipa-client-install".
4. Configure automount and NFS using "ipa-client-automount".

Actual results:
# ipa-client-automount --server rhidm.example.com --location default
IPA server: rhidm.example.com
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.
Started autofs

# ls -l /net/nfs-server.example.com/nfsvol/
total 156
drwx------.  8 nobody nobody  4096 May 21  2013 user1
drwx--x--x. 16 nobody nobody  4096 Feb  9 08:56 user2
drwx------.  2 nobody nobody  4096 Apr  6 11:10 user3
drwx------.  2 nobody nobody  4096 Oct  5  2012 user4
drwx------.  2 nobody nobody  4096 Oct  5  2012 user5

# cat /etc/idmapd.conf | awk '$0 ~ /^#|^$/ { next } { print }'
[General]
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
Domain=rhidm.bor.ct.edu

Expected results:
# ipa-client-automount --server rhidm.example.com --location default
IPA server: rhidm.example.com
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.
Started autofs

# ls -l /net/nfs-server.example.com/nfsvol/
total 156
drwx------.  8 user1 user1  4096 May 21  2013 user1
drwx--x--x. 16 user2 user2  4096 Feb  9 08:56 user2
drwx------.  2 user3 user3  4096 Apr  6 11:10 user3
drwx------.  2 user4 user4  4096 Oct  5  2012 user4
drwx------.  2 user5 user5  4096 Oct  5  2012 user5

# cat /etc/idmapd.conf | awk '$0 ~ /^#|^$/ { next } { print }'
[General]
Domain=rhidm.bor.ct.edu
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch

Additional info:
 Before fixing /etc/idmapd.conf, several "mapping" errors are logged into /var/log/messages: 

Jun 16 16:03:50 example nfsidmap[2624]: nss_getpwnam: name ‘user1.com' does not map into domain 'example.com'
Jun 16 16:03:50 example nfsidmap[2626]: nss_getpwnam: name ‘user2.com' does not map into domain 'example.com'
Jun 16 16:03:50 example nfsidmap[2628]: nss_getpwnam: name ‘user3.com' does not map into domain 'example.com'
Jun 16 16:03:50 example nfsidmap[2630]: nss_getpwnam: name ‘user4.com' does not map into domain 'example.com'

Comment 2 Petr Vobornik 2015-06-17 10:28:53 UTC
Thanks for reporting this bug.

I'm able to reproduce it even with the development version of FreeIPA.

Note: Domain is configured correctly (replaced) if /etc/idmapd.conf already contains a domain configuration in the general section.

Comment 3 Petr Vobornik 2015-06-17 10:30:13 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5069

Comment 4 Matthew LeSieur 2015-06-17 13:54:36 UTC
Petr,
  Your observation about ipa-client-automount correctly replacing an existing Domain option in /etc/idmapd.conf leads to a good workaround.  Before executing ipa-client-automount, uncomment the Domain option.  I verified this works after a fresh installation of RHEL 6.  Uncommenting the Domain option first does not require restarting rpc.idmapd or clearing out the rpc.idmapd cache on the client or server (nfsidmap -vc) after fixing the Domain option.

# mv /etc/idmapd.conf /etc/idmapd.conf-orig
# awk '$0 ~ /^#Domain/ { gsub(/^#/, "") }{ print }' < /etc/idmapd.conf-orig > /etc/idmapd.conf
# ipa-client-automount --server rhidm.example.com --location default

Thanks
Matt LeSieur
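
Added example, not part of the original report or of FreeIPA's code: a section-aware check and rewrite for the Domain key, showing why appending to the end of /etc/idmapd.conf lands the option in [Translation]. The function names, the example.com value and the sample file are constructed for illustration; the script assumes "#" starts a comment and that the key is spelled exactly "Domain".

```shell
#!/bin/sh
# Added example: section-aware handling of Domain in idmapd.conf.
# Assumes "#" starts a comment and the key is spelled exactly "Domain".

# Print the section of every active (uncommented) Domain line in file $1.
idmapd_domain_sections() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*Domain[ \t]*=/ { print (sec == "" ? "(none)" : sec) }
    ' "$1"
}

# Write file $1 to stdout with exactly one active Domain line, set to $2,
# placed directly under the [General] header (created if it is missing).
idmapd_set_domain() {
    awk -v dom="$2" '
        /^[ \t]*\[/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            print
            if (sec == "General" && !done) { print "Domain = " dom; done = 1 }
            next
        }
        /^[ \t]*Domain[ \t]*=/ { next }   # drop stale or misplaced entries
        { print }
        END { if (!done) { print "[General]"; print "Domain = " dom } }
    ' "$1"
}

# Constructed sample reproducing the layout from the report.
sample=$(mktemp); fixed=$(mktemp)
trap 'rm -f "$sample" "$fixed"' EXIT
cat > "$sample" <<'EOF'
[General]
#Domain = local.domain.edu
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
Domain=example.com
EOF

echo "before: Domain found in [$(idmapd_domain_sections "$sample")]"
idmapd_set_domain "$sample" example.com > "$fixed"
echo "after:  Domain found in [$(idmapd_domain_sections "$fixed")]"
cat "$fixed"
```

The rewrite goes to stdout so the result can be reviewed before it replaces the live file; commented-out Domain lines are left in place.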

Comment 9 Varun Mylaraiah 2016-02-17 17:04:46 UTC
Verified
ipa-client-3.0.0-50.el6.x86_64


[root@blade04 ~]# cat /etc/idmapd.conf | awk '$0 ~ /^#|^$/ { next } { print }'
[General]
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch


[root@blade04 ~]# ipa-client-automount --server blade01.testrelm.test --location default
IPA server: blade01.testrelm.test
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.


[root@blade04 ~]# cat /etc/idmapd.conf | awk '$0 ~ /^#|^$/ { next } { print }'
[General]
Domain = testrelm.test
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch

Comment 11 errata-xmlrpc 2016-05-11 00:07:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0874.html