Bug 1378557

Summary:

NFSv4 id mapping issues in multi-domain environments [rhel-7]

Product:

Red Hat Enterprise Linux 7

Reporter:

Scott Mayhew <smayhew>

Component:

libnfsidmap

Assignee:

Steve Dickson <steved>

Status:

CLOSED ERRATA

QA Contact:

Yongcheng Yang <yoyang>

Severity:

high

Docs Contact:

Priority:

high

Version:

7.3

CC:

andros, bstephen, Colin.Simpson, ctatman, dan, dkaylor, dwysocha, eguan, francois.prudhomme, frederik.ferner, fsorenso, giuseppe.ragusa, jiyin, jvilicic, phil.joyce, smayhew, vsinha, yoyang

Target Milestone:

Keywords:

Patch, Reproducer

Target Release:

---

Flags:

phil.joyce: needinfo+

Hardware:

All

OS:

Linux

Whiteboard:

Fixed In Version:

libnfsidmap-0.25-17.el7

Doc Type:

If docs needed, set a value

Doc Text:

Story Points:

---

Clone Of:

Clones:

1410855 1411863 (view as bug list)

Environment:

Last Closed:

2017-08-01 17:52:49 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Bug Depends On:

Bug Blocks:

1298243, 1385242, 1410855, 1411863

Attachments:

Description	Flags
quick and dirty poc patch	none
updated patch	none
updated patch	none
final patch	none

Description Scott Mayhew 2016-09-22 18:21:47 UTC

Description of problem:

NFSv4 id mapping on Linux does not work well in multi-domain environments. RFCs 3530, 5661, and 7530 all describe the fattr4_owner and fattr4_owner_group strings in the form "user@dns_domain".

The Linux libnfsidmap nssswitch plugin currently treats that domain as an arbitrary string. As long as the domain part of the incoming string matches the Domain parameter of the idmapd.conf, the plugin strips off the domain and does a getpwnam() with what's left over.

When a Linux machine is joined to an environment involving multiple Active Directory domains, it is usually necessary for usernames to be qualified with the domain, either in a user principal format (e.g. "smayhew.com") or a down-level logon name format (e.g. "AD\smayhew").

When an environment with just Linux NFS clients and servers, the machines will all use this format the libnfsimap plugin will automatically format the username in one of these two forms, because libnfsidmap is just using the name that is returned from getpwuid()... so in the above example, if the NFSv4 domain in idmapd.conf is configured as "example.com", the full fattr4_owner might appear as "smayhew.com" if the machines are using SSSD, and "AD\smayhew" if they're using Winbind.

The problem is that Linux is in the minority here.

Ontap 8.3 maps a uid to a short username and then appends the NFSv4 id mapping domain to that. The nsswitch plugin is unable to map those, because once it strips off the domain it will be unable to resolve the short username. It's possible to configure the Linux clients that are using SSSD to be able to use the short usernames by turning off the subdomains_provider and explicitly adding stanzas for each trusted domain in the sssd.conf. This works as long as each username & uid is unique across all the trusted domains. For example if you have subdomains "na", "emea", and "apac", then it will not work (or rather it will be unpredictable) if each of those domains has an "smayhew" user... but otherwise it will work.

That solution will not work for other NFS servers though.

The NFS v4.1 server in Microsoft Windows does not appear to allow the NFSv4 domain to be configured at all. It just sends the names in UPN format, so it's essentially treating the AD domain as the NFSv4 domain. The Windows NFS v4.1 server is therefore capable of working with multiple domains. Since the current libnfsidmap nsswitch plugin only allows a single domain to be configured, it's only able to map users from that single domain.

EMC Isilon servers also appear to be capable of using multiple domains. It is unclear whether these domains are explicitly configured in the Isilon's id mapper or if it's using the AD domain as the NFSv4 domain. Either way, the current libnfsidmap plugin only allows a single domain to be configured, so it's only able to users from that domain.

Version-Release number of selected component (if applicable):
libnfsidmap (any version)

How reproducible:
Very reproducible, but it takes a lot of setup work.

Steps to Reproduce:
1. Set up at least two AD domains and configure them to trust each other.
2. Join a RHEL NFS client to one of the domains.
3. Join some non-RHEL NFS server to the other domain (to be honest most of the breakage occurs even when the client and server belong to the same domains).
4. Attempt to use NFSv4 with id mapping enabled.

Actual results:
fattr4_owner and fattr4_owner_group strings are mapped to nobody.

Expected results:
fattr4_owner and fattr4_owner_group strings should be mapped to valid users and groups.

Additional info:

RFCs 3530/5661/7530 don't really say how multiple domain setups should work.
RFC 5661 does say:

The "dns_domain" portion of the owner string is meant to be a DNS
domain name, for example, user. Servers should accept as
valid a set of users for at least one domain. A server may treat
other domains as having no valid translations. A more general
service is provided when a server is capable of accepting users for
multiple domains, or for all domains, subject to security
constraints.

This document does describe how multi-domain setups should work:
https://datatracker.ietf.org/doc/draft-ietf-nfsv4-multi-domain-fs-reqs/

I think there are some changes that we can make to libnfsidmap to at least make it work better with the majority of the NFSv4 servers out there (and not break existing Linux-only behavior in the process).

Comment 3 Scott Mayhew 2016-09-22 18:53:25 UTC

Created attachment 1203887 [details]
quick and dirty poc patch

Really quick, and really dirty proof-of-concept patch.  What it does is adds another parameter 'Domains' to the idmap.conf.   That parameter takes (unsurprisingly) a list of domains, in much the same way the Local-Realms parameter works.  The value specified in the Domain parameter does not have to be in the Domains list.  When the Domains list is populated, the plugin does a few things:
1. For name-to-id mapping, it compares the domain in the attribute to the list of domains.  If it's not in the list, it gets mapped to the uid for nobody.
2. If the domain in the attribute is in the list of domains, then that attibute is passed as-is to getpwnam() (or getgrnam() if its a group).  IOW the domain is NOT stripped off.
3. For id-to-name mapping, after the getpwuid() (or getgrgid()) call, the domain in the result is compared to the Domains list... if it's not in the list, the the id is mapped to the nobody string... even if the name was otherwise resolved successfully.
If the Domains list is empty, then the nsswitch plugin should behave as it did before (so the 'odd' format that some RHEL servers use like smayhew.com will still work).

It's only been lightly tested, but it did work against Ontap 8.3.2. and  Windows 2012r2 NFS servers.  There's probably a lot of sharp edges (in fact I'm not even sure what it'll do on a system that's configured to only use short usernames).

Comment 4 Scott Mayhew 2016-09-26 20:50:14 UTC

Created attachment 1204973 [details]
updated patch

Changed 'Domains' parameter to 'Domain-List'.  Added the same treatment to nss_name_to_gid() because I noticed group owners were still being mapped to nobody.

Comment 5 Scott Mayhew 2016-09-26 20:54:57 UTC

Example from a client using the above patch.  In my test setup, I have 3 domains:  smayhew.local,ad.smayhew.local, and lab.smayhew.local.  My idmapd.conf looks like this:

---8<---
[General]
Verbosity = 10
Domain = smayhew.local
Domain-List = smayhew.local,ad.smayhew.local,lab.smayhew.local

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch
---8<---

Here's a test listing a directory from a Windows 2012 NFS server (from which RHEL also has problems mapping the names) that has files created by users from all 3 domains:

[smayhew.local@rhel6client ~]$ sudo mount -o v4.1,sec=krb5 win2012r2-3.lab.smayhew.local:/Export /mnt/t
[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 10
-rw-rw-r--. 1 amy.local       domain users.local 29 Sep 26 15:22 written-by-amy
-rw-r--r--. 1 barney        domain users     29 Sep 26 15:22 written-by-barney
-rw-rw-r--. 1 bart.local       domain users.local  29 Sep 26 15:22 written-by-bart
-rw-rw-r--. 1 bender.local    domain users.local 29 Sep 26 15:22 written-by-bender
-rw-r--r--. 1 betty         domain users     29 Sep 26 15:22 written-by-betty
-rw-r--r--. 1 fred          domain users     29 Sep 26 15:22 written-by-fred
-rw-rw-r--. 1 fry.local       domain users.local 29 Sep 26 15:23 written-by-fry
-rw-rw-r--. 1 hermes.local    domain users.local 29 Sep 26 15:22 written-by-hermes
-rw-rw-r--. 1 homer.local      domain users.local  29 Sep 26 15:22 written-by-homer
-rw-rw-r--. 1 jstephen.local   domain users.local  29 Sep 26 15:22 written-by-jstephen
-rw-rw-r--. 1 kif.local       domain users.local 29 Sep 26 15:23 written-by-kif
-rw-rw-r--. 1 leela.local     domain users.local 29 Sep 26 15:23 written-by-leela
-rw-rw-r--. 1 lisa.local       domain users.local  29 Sep 26 15:22 written-by-lisa
-rw-rw-r--. 1 maggie.local     domain users.local  29 Sep 26 15:22 written-by-maggie
-rw-rw-r--. 1 marge.local      domain users.local  29 Sep 26 15:22 written-by-marge
-rw-rw-r--. 1 professor.local domain users.local 29 Sep 26 15:23 written-by-professor
-rw-rw-r--. 1 smayhew.local    domain users.local  29 Sep 26 15:22 written-by-smayhew
-rw-r--r--. 1 wilma         domain users     29 Sep 26 15:22 written-by-wilma
-rw-rw-r--. 1 zapp.local      domain users.local 29 Sep 26 15:23 written-by-zapp
-rw-rw-r--. 1 zoidberg.local  domain users.local 29 Sep 26 15:23 written-by-zoidberg

Comment 6 Scott Mayhew 2016-09-26 21:21:18 UTC

Unfortunately the patch doesn't help as much if the NFS server is running Ontap, since ontap only sends a single domain.

For example, to start with I have the NFSv4 domain on the vserver set to 'lab.smayhew.local':

cluster1::*> vserver nfs show -vserver vs0 -fields v4-id-domain
vserver v4-id-domain      
------- ----------------- 
vs0     lab.smayhew.local 

So we're only able to map users in the 'lab.smayhew.local' domain:

[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 0
-rw-r--r--. 1 amy.local       unixgroup-lab.local 29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 bender.local    unixgroup-lab.local 29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 fry.local       unixgroup-lab.local 29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 hermes.local    unixgroup-lab.local 29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 kif.local       unixgroup-lab.local 29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 leela.local     unixgroup-lab.local 29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 professor.local unixgroup-lab.local 29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 zapp.local      unixgroup-lab.local 29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 zoidberg.local  unixgroup-lab.local 29 Sep 23 18:01 written-by-zoidberg

If I set the NFSv4 domain on the vserver to 'ad.smayhew.local':

cluster1::*> vserver nfs modify -vserver vs0 -v4-id-domain ad.smayhew.local

and clear the cached mappings on the client:

[root@rhel6client ~]# nfsidmap -c
nfsidmap: clearing '138b18d8 I--Q---     1 perm 3f3f0000     0     0 keyring   _child_1: empty'
nfsidmap: clearing '3fa99574 I------     1 perm 1f030000     0     0 keyring   .id_resolver: 1/4'

Then we're only able to map users in the 'ad.smayhew.local' domain:

[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 0
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 bart.local    unixgroup-ad.local 29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 homer.local   unixgroup-ad.local 29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 lisa.local    unixgroup-ad.local 29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 maggie.local  unixgroup-ad.local 29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 marge.local   unixgroup-ad.local 29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 smayhew.local unixgroup-ad.local 29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:01 written-by-zoidberg

Likewise, if I set the NFSv4 domain on the vserver to 'smayhew.local':

cluster1::*> vserver nfs modify -vserver vs0 -v4-id-domain smayhew.local

and clear the cached mappings again:

[root@rhel6client ~]# nfsidmap -c
nfsidmap: clearing '1fd3cb96 I--Q---     1 perm 3f3f0000     0     0 keyring   _child_1: 72/72'
nfsidmap: clearing '3fa99574 I------     1 perm 1f030000     0     0 keyring   .id_resolver: 1/4'

Then we're only able to map the users in the 'smayhew.local' domain:

[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 0
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 barney unixgroup-smayhew 29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 betty  unixgroup-smayhew 29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 fred   unixgroup-smayhew 29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 wilma  unixgroup-smayhew 29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:01 written-by-zoidberg
[smayhew.local@rhel6client ~]$

Comment 7 Scott Mayhew 2016-09-28 19:38:49 UTC

I set up a 4-node Isilon cluster and did some really basic testing and confirmed my test package helps:

[root@rhel6client ~]# mount -o v4,sec=krb5 isilon.lab.smayhew.local:/ifs /mnt/t
[root@rhel6client ~]# grep krb5 /proc/mounts
isilon.lab.smayhew.local:/ifs/ /mnt/t nfs4 rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=10.10.179.110,minorversion=0,local_lock=none,addr=10.10.180.181 0 0
[root@rhel6client ~]# ls -l /mnt/t
total 132
-rw-rw-r--. 1 bender.local unixgroup-lab.local   29 Sep 28 09:40 bender.txt
drwxrwxrwx. 3 nobody                   nobody                            32 Sep 27 12:00 data
-rw-r--r--. 1 fred       unixgroup-smayhew   29 Sep 28 09:40 fred.txt
drwxrwxr-x. 4 nobody                   nobody                            44 Sep 27 11:55 home
-rw-rw-r--. 1 homer.local   unixgroup-ad.local     29 Sep 28 09:39 homer.txt
-rw-r--r--. 1 nobody                   nobody                          1029 Sep 27 11:55 README.txt
-rw-rw-r--. 1 smayhew.local unixgroup-ad.local     29 Sep 28 09:32 smayhew.txt


The nobody user happens to be root and the nobody group is wheel... I still need to figure out how/if we should handle local users too.

Also my code triggers a segfault when the isilon sends 'localhost' as the domain (which is its default)... so I have some bugs somewhere.

Comment 8 Scott Mayhew 2016-09-29 21:29:18 UTC

So... while I was researching what packages might have dependencies on libnfsidmap, I discovered that there's an idmap plugin provided by sssd that pretty much already does what I'm trying to do.  All I had to do was add "sss" to the Method line in my idmapd.conf.

[root@rhel7client ~]# egrep -v "^(#|$)" /etc/idmapd.conf
[General]
Domain = smayhew.local
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = sss,nsswitch

It seems to work well with both the Isilon and Windows servers.

[root@rhel7client ~]# mount -o v4,sec=krb5 isilon.lab.smayhew.local:/ifs /mnt/t
[root@rhel7client ~]# ls -l /mnt/t
total 514
-rw-rw-r--. 1 amy.local       unixgroup-lab.local   29 Sep 29 17:15 amy.txt
-rw-r--r--. 1 barney        unixgroup-smayhew   29 Sep 29 17:15 barney.txt
-rw-rw-r--. 1 bart.local       unixgroup-ad.local     29 Sep 29 17:16 bart.txt
-rw-rw-r--. 1 bender.local    unixgroup-lab.local   29 Sep 29 17:16 bender.txt
-rw-r--r--. 1 betty         unixgroup-smayhew   29 Sep 29 17:16 betty.txt
drwxrwxrwx. 3 root                        wheel                             32 Sep 27 12:00 data
-rw-r--r--. 1 fred          unixgroup-smayhew   29 Sep 29 17:16 fred.txt
-rw-rw-r--. 1 fry.local       unixgroup-lab.local   29 Sep 29 17:17 fry.txt
-rw-rw-r--. 1 hermes.local    unixgroup-lab.local   29 Sep 29 17:17 hermes.txt
drwxrwxr-x. 4 root                        wheel                             44 Sep 27 11:55 home
-rw-rw-r--. 1 homer.local      unixgroup-ad.local     29 Sep 29 17:17 homer.txt
-rw-rw-r--. 1 kif.local       unixgroup-lab.local   29 Sep 29 17:18 kif.txt
-rw-rw-r--. 1 leela.local     unixgroup-lab.local   29 Sep 29 17:18 leela.txt
-rw-rw-r--. 1 lisa.local       unixgroup-ad.local     29 Sep 29 17:18 lisa.txt
-rw-rw-r--. 1 maggie.local     unixgroup-ad.local     29 Sep 29 17:18 maggie.txt
-rw-rw-r--. 1 marge.local      unixgroup-ad.local     29 Sep 29 17:19 marge.txt
-rw-rw-r--. 1 professor.local unixgroup-lab.local   29 Sep 29 17:19 professor.txt
-rw-r--r--. 1 root                        wheel                           1029 Sep 27 11:55 README.txt
-rw-rw-r--. 1 smayhew.local    unixgroup-ad.local     29 Sep 29 17:19 smayhew.txt
-rw-r--r--. 1 wilma         unixgroup-smayhew   29 Sep 29 17:20 wilma.txt
-rw-rw-r--. 1 zapp.local      unixgroup-lab.local   29 Sep 29 17:20 zapp.txt
-rw-rw-r--. 1 zoidberg.local  unixgroup-lab.local   29 Sep 29 17:20 zoidberg.txt

[root@rhel7client ~]# umount /mnt/t
[root@rhel7client ~]# mount -o v4.1,sec=krb5 win2012r2-3.lab.smayhew.local:/Export /mnt/t
[root@rhel7client ~]# nfsidmap -c
[root@rhel7client ~]# ls -l /mnt/t
total 10
-rw-rw-r--. 1 amy.local       domain users.local 29 Sep 26 15:22 written-by-amy
-rw-r--r--. 1 barney        domain users     29 Sep 26 15:22 written-by-barney
-rw-rw-r--. 1 bart.local       domain users.local  29 Sep 26 15:22 written-by-bart
-rw-rw-r--. 1 bender.local    domain users.local 29 Sep 26 15:22 written-by-bender
-rw-r--r--. 1 betty         domain users     29 Sep 26 15:22 written-by-betty
-rw-r--r--. 1 fred          domain users     29 Sep 26 15:22 written-by-fred
-rw-rw-r--. 1 fry.local       domain users.local 29 Sep 26 15:23 written-by-fry
-rw-rw-r--. 1 hermes.local    domain users.local 29 Sep 26 15:22 written-by-hermes
-rw-rw-r--. 1 homer.local      domain users.local  29 Sep 26 15:22 written-by-homer
-rw-rw-r--. 1 jstephen.local   domain users.local  29 Sep 26 15:22 written-by-jstephen
-rw-rw-r--. 1 kif.local       domain users.local 29 Sep 26 15:23 written-by-kif
-rw-rw-r--. 1 leela.local     domain users.local 29 Sep 26 15:23 written-by-leela
-rw-rw-r--. 1 lisa.local       domain users.local  29 Sep 26 15:22 written-by-lisa
-rw-rw-r--. 1 maggie.local     domain users.local  29 Sep 26 15:22 written-by-maggie
-rw-rw-r--. 1 marge.local      domain users.local  29 Sep 26 15:22 written-by-marge
-rw-rw-r--. 1 professor.local domain users.local 29 Sep 26 15:23 written-by-professor
-rw-rw-r--. 1 smayhew.local    domain users.local  29 Sep 26 15:22 written-by-smayhew
-rw-r--r--. 1 wilma         domain users     29 Sep 26 15:22 written-by-wilma
-rw-rw-r--. 1 zapp.local      domain users.local 29 Sep 26 15:23 written-by-zapp
-rw-rw-r--. 1 zoidberg.local  domain users.local 29 Sep 26 15:23 written-by-zoidberg

Not so much w/ the Netapp...

[root@rhel7client ~]# umount /mnt/t
[root@rhel7client ~]# mount -o v4,sec=krb5 vs0.lab.smayhew.local:/vol2 /mnt/t
[root@rhel7client ~]# nfsidmap -c
[root@rhel7client ~]# ls -l /mnt/t
total 0
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 barney unixgroup-smayhew 29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 betty  unixgroup-smayhew 29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 fred   unixgroup-smayhew 29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 wilma  unixgroup-smayhew 29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:01 written-by-zoidberg

Comment 9 Scott Mayhew 2016-09-29 21:31:23 UTC

[root@rhel7client ~]# rpm -qf /usr/lib64/libnfsidmap/sss.so
sssd-common-1.13.0-40.el7_2.12.x86_64

[root@rhel7client ~]# rpm -qd sssd-common | grep idmap
/usr/share/man/man5/sss_rpcidmapd.5.gz

Comment 12 Scott Mayhew 2016-10-19 19:19:09 UTC

Created attachment 1212241 [details]
updated patch

Updated patch.  
1. Moved multi domain logic into its own plugin.  This allows us to fall back on the logic to strip the domain if the lookup w/ the fully-qualified name fails (I tried doing it all within the nsswitch plugin but it got too messy).
2. Added an option to work around a quirk the exists in winbind where if you do a group lookup using UPN format, the resulting group name looks a little 'weird', e.g.
-rw-rw-r--. 1 LAB\amy        LAB.SMAYHEW.LOCAL\unixgroup-lab   29 Sep 29 17:15 amy.txt

instead of
-rw-rw-r--. 1 LAB\amy        LAB\unixgroup-lab           29 Sep 29 17:15 amy.txt
3. Added a separate config section for the multi domain options.
4. Added documentation to both the sample idmapd.conf and the idmapd.conf(5) man page.

Comment 16 Scott Mayhew 2017-01-06 15:47:42 UTC

Created attachment 1238015 [details]
final patch

Attaching the version of the patch that was merged in the upstream libnfsidmap git repo.

Comment 18 Steve Dickson 2017-01-10 18:37:59 UTC

upstream commit 

commit 4db1bb1c462389848168a4b79723a6d2ae38f422
Author: Scott Mayhew <smayhew>
Date:   Wed Dec 21 14:43:24 2016 -0500

    libnfsidmap: add options to aid id mapping in multi domain environments

Comment 23 ChunYu Wang 2017-01-26 06:01:21 UTC

(In reply to Scott Mayhew from comment #22)
Thanks, Scott,

Currently, we can not reproduce this scene in our environment with both RHEL 6/7 and Windows 2012R2/2016 Server, but with your test results in comment 20 and Bug 1410855, we can ensure your patch will be effective in this scene, I will verify it with "Sanity Only" first and keep an eye on whether it reproduces during other idmap related tests.

Comment 24 ChunYu Wang 2017-01-26 06:56:24 UTC

Moved to ON_QA again, will provide more regression test results later.

Comment 30 Colin.Simpson 2017-04-26 15:04:30 UTC

We have this issue too. Again with Windows 2012 NFS servers seemingly not allowing you to set the NFSv4 domain name.

This option seems to "No-Strip=both" seems to workaround this on RHEL6.9 and F25. So it would be nice to see this on RHEL7.  I guess we are lucky that "user.NAME" can be resolved for us directly by NSS.

Any test package out there to try?

Comment 31 ChunYu Wang 2017-04-27 03:11:45 UTC

(In reply to Colin Simpson from comment #30)
Hi, Colin,

> We have this issue too. Again with Windows 2012 NFS servers seemingly not
> allowing you to set the NFSv4 domain name.

Did you choose a Windows node as an NFS Server or just include it as an AD DC?

> Any test package out there to try?

You can try to include the patch listed in the Attachment field of this Bug if you need to try this function, feel free to get down to me if I can offer more help.

Thanks,
ChunYu Wang

Comment 32 Colin.Simpson 2017-04-27 09:10:52 UTC

(In reply to ChunYu Wang from comment #31)
> (In reply to Colin Simpson from comment #30)
> Hi, Colin,
> 
> > We have this issue too. Again with Windows 2012 NFS servers seemingly not
> > allowing you to set the NFSv4 domain name.
> 
> Did you choose a Windows node as an NFS Server or just include it as an AD
> DC?

All our Linux systems are joined to AD for Authentication and Directory Services. 
The windows machine we use for NFS is a member server of the domain. We have however a multidomain environment.


> 
> > Any test package out there to try?
> 
> You can try to include the patch listed in the Attachment field of this Bug
> if you need to try this function, feel free to get down to me if I can offer
> more help.
> 
> Thanks,
> ChunYu Wang
The patch isn't really the issue for testing. As we can see this new flags working for us on RHEL 6.9 and Fedora 25 clients to this Windows 2012R2 NFS server. 

So we really just need a release on RHEL7 to allow us to deploy NFSv4 from Windows 2012 (currently using NFSv3).

Comment 35 Josip Vilicic 2017-06-16 16:54:37 UTC

Hi Yongcheng,

I believe it would just be a matter of enabling the RHEL 7 Beta RPMs repo:

   # subscription-manager repos --enable rhel-7-server-beta-rpms

The latest version (libnfsidmap-0.25-17.el7.x86_64.rpm) is available for direct download at the link below, but I'm not sure if you will need to resolve dependencies in your environment: 

   https://access.redhat.com/downloads/content/69/ver=/rhel---7/7.4%20Beta/x86_64/packages

So enabling the Beta RPMs repo and downloading from there would be the better solution, but I'll include that rpm in case 01699716 in case just that one package works.

Take care,

Jo Vilicic
irc: jo -- jvilicic
TSE  --  IdM  --  919-754-4951

Comment 39 Yongcheng Yang 2017-07-10 01:29:05 UTC

(In reply to Steve Dickson from comment #18)

One more upstream commit is merged into Release 17:

commit ba7daebba65dc4b1adfac9c8c61f373d6c394673
Author: Scott Mayhew <smayhew>
Date:   Wed Feb 8 08:40:38 2017 -0500

    nss_gss_princ_to_ids() and nss_gss_princ_to_grouplist() must strip the realm

Comment 40 Yongcheng Yang 2017-07-10 01:30:48 UTC

Moving to VERIFIED again according to comment #23 as we are finishing 7.4 now.

Please open another bug for anything new. Thanks in advance.

Comment 41 Colin.Simpson 2017-07-10 09:27:12 UTC

I'm confused. Has this fix made it into RHEL7.4?

Comment 44 errata-xmlrpc 2017-08-01 17:52:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1857