1216285 – autofs provider fails when default_domain_suffix and use_fully_qualified_names set

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set

Summary: autofs provider fails when default_domain_suffix and use_fully_qualified_name...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.1
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	SSSD Maintainers
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1217328
TreeView+	depends on / blocked

Reported:	2015-04-29 03:01 UTC by Aron Parsons
Modified:	2020-05-02 18:03 UTC (History)
CC List:	10 users (show)
Fixed In Version:	sssd-1.13.0-0.1.alpha.el7
Doc Type:	Bug Fix
Doc Text:	Cause: The default_domain_suffix option is meant as a short-hand to access objects from trusted domains without having to append the trusted domain name. However, some information, like autofs maps can only be stored on IPA server and not the trusted AD domain,so it doesn't make sense to append the trusted AD domain name there. Consequence: If default_domain_suffix was set, autofs maps were not accessible as they were searched on the trusted AD server Fix: default_domain_suffix is not considered anymore for autofs maps Result: If default_domain_suffix was set, autofs maps are accessible again
Clone Of:
Clones:	1217328 (view as bug list)
Environment:
Last Closed:	2015-11-19 11:38:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
autofs.patch (1.13 KB, application/mbox) 2015-04-29 03:01 UTC, Aron Parsons	no flags	Details
sssd-logs (15.87 KB, application/x-gzip) 2015-04-29 03:04 UTC, Aron Parsons	no flags	Details
automount steps (2.58 KB, text/plain) 2015-10-05 12:26 UTC, Sudhir Menon	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 3684	0	None	None	None	2020-05-02 18:03:28 UTC
Red Hat Product Errata	RHSA-2015:2355	0	normal	SHIPPED_LIVE	Low: sssd security, bug fix, and enhancement update	2015-11-19 10:27:42 UTC

Description Aron Parsons 2015-04-29 03:01:50 UTC

Created attachment 1019948 [details]
autofs.patch

Description of problem:
when default_domain_suffix is enabled, you must enable use_fully_qualified names.  this breaks the autofs provider, which then returns 'Cannot allocate memory' for the maps.

Version-Release number of selected component (if applicable):
sssd-1.12.2-58.el7.6.x86_64

How reproducible:
always

Steps to Reproduce:
1. set default_domain_suffix and use_fully_qualified names
2. configure autofs maps in IPA
3. attempt to access maps

Actual results:
[root@client01 ~]# ipa automountlocation-tofiles default; grep -e fully -e default /etc/sssd/sssd.conf; service sssd restart; sss_cache -E; service autofs restart; automount -m
/etc/auto.master:
/-	/etc/auto.direct
/test	/etc/auto.test
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.test:
test	-fstype=nfs  test:/test

maps not connected to /etc/auto.master:
use_fully_qualified_names = true
default_domain_suffix = example.com
Redirecting to /bin/systemctl restart  sssd.service
Redirecting to /bin/systemctl restart  autofs.service
setautomntent: lookup(sss): setautomntent: Cannot allocate memory
setautomntent: lookup(sss): setautomntent: Cannot allocate memory

autofs dump map information
===========================

global options: none configured
no master map entries found


Expected results:
[root@client01 ~]# ipa automountlocation-tofiles default; grep -e fully -e default /etc/sssd/sssd.conf; service sssd restart; sss_cache -E; service autofs restart; automount -m
/etc/auto.master:
/-	/etc/auto.direct
/test	/etc/auto.test
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.test:
test	-fstype=nfs  test:/test

maps not connected to /etc/auto.master:
use_fully_qualified_names = true
default_domain_suffix = example.com
Redirecting to /bin/systemctl restart  sssd.service
Redirecting to /bin/systemctl restart  autofs.service

autofs dump map information
===========================

global options: none configured

Mount point: /-

source(s):
lookup_read_map: lookup(sss): getautomntent_r: No such file or directory

  instance type(s): sss 
  map: auto.direct

  no keys found in map


Mount point: /test

source(s):

  instance type(s): sss 
  map: auto.test

  test | -fstype=nfs  test:/test


Additional info:
crude patch to fix is attached.  behavior is as expected in an AD/IPA trust environment with this bit of code removed, but may not be technically correct.

this combination of options is required after https://bugzilla.redhat.com/show_bug.cgi?id=1211830

Comment 1 Aron Parsons 2015-04-29 03:04:46 UTC

Created attachment 1019960 [details]
sssd-logs

Comment 3 Jakub Hrozek 2015-04-29 15:53:43 UTC

I think your patch is completely correct, the autofs maps can't be qualified, the root is always auto.master (ok, this is configurable) and then automounter traverses the maps. I can't think of a scenario where it would be possible for a user to specify a qualified map other than overriding the map name in the config.

Can you send the patch to sssd-devel, please? I'll ack it.

Comment 4 Jakub Hrozek 2015-04-29 15:54:42 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/2643

Comment 5 Jakub Hrozek 2015-04-29 15:55:35 UTC

btw I was also able to reproduce the bug and verify it's fixed using your patch with an ordinary LDAP domain, just to make sure there was nothing specific to IPA I was missing.

Thanks a lot for the patch!

Comment 6 Jakub Hrozek 2015-04-30 15:55:38 UTC

Fixed upstream:
    sssd-1-12: 8f57c6765b10de36582ef1dbee32d75452451a94
    master: 4df706219e64527209f12ad0c7814ee1be979c07

Comment 9 Sudhir Menon 2015-10-05 12:26:30 UTC

Created attachment 1079921 [details]
automount steps

Comment 13 Sudhir Menon 2015-10-06 10:47:13 UTC

Jakub,

I did create many maps and associated keys on the IPA-server and am able to access them from the ipa-client using the below command.
I think we are good to mark this as VERIFIED. Can you please confirm.

[root@ipaclient02 etc]# ipa automountlocation-tofiles baltimore; grep -e fully -e default /etc/sssd/sssd.conf; service sssd restart; sss_cache -E; service autofs restart; automount -m
/etc/auto.master:
/-	/etc/auto.direct
---------------------------
/etc/auto.direct:

maps not connected to /etc/auto.master:
---------------------------
/etc/auto.data:
data	-ro,ipa01.labs01.test:/shared/data
---------------------------
/etc/auto.share:
man	-ro,soft,rsize=8192,wsize=8192 ipa01.labs01.test:/shared/man
---------------------------
/etc/auto.test:
test	-ro,soft,ipa01.labs01.test:/shared/test
default_domain_suffix = test.in
use_fully_qualified_names = true
Redirecting to /bin/systemctl restart  sssd.service
Redirecting to /bin/systemctl restart  autofs.service

autofs dump map information
===========================
global options: none configured
Mount point: /misc
source(s):
  instance type(s): file 
  map: /etc/auto.misc
  cd | -fstype=iso9660,ro,nosuid,nodev	:/dev/cdrom

Mount point: /net
source(s):
  type: hosts
  ipaclient02.labs01.test | (null)
  localhost | (null)

Mount point: /-
source(s):
lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
  instance type(s): sss 
  map: auto.direct
  no keys found in map

Comment 14 Jakub Hrozek 2015-10-06 11:44:13 UTC

Hmm, I don't see /shared/data in automount -m output, looks like you need to link the auto.share map with auto.master ?

Comment 15 Sudhir Menon 2015-10-06 13:25:41 UTC

Jakub,
After manually adding the entries in /etc/auto.master in ipaclient, automount -m is showing the values.

/shared/data	/etc/auto.data
/shared/man	/etc/auto.share
/shared/test    /etc/auto.test

[root@ipaclient02 ~]# automount -m
autofs dump map information
===========================
global options: none configured
Mount point: /misc
source(s):
  instance type(s): file 
  map: /etc/auto.misc
  cd | -fstype=iso9660,ro,nosuid,nodev	:/dev/cdrom
  instance type(s): files sss 
  map: auto.misc
  duplicate indirect map entry will be ignored at run time
  cd | -fstype=iso9660,ro,nosuid,nodev	:/dev/cdrom
  cd | -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom

Mount point: /shared/data
source(s):
  instance type(s): file 
  map: /etc/auto.data
  data | -ro,ipaclient02.labs01.test/shared/data

Mount point: /shared/man
source(s):
  instance type(s): file 
  map: /etc/auto.share
  man | -ro,soft,rsize=8192,wsize=8192 ipaclient02.labs01.test:/shared/man

Mount point: /shared/test
source(s):
  instance type(s): file 
  map: /etc/auto.test
  test | -ro,soft,ipaclient02.labs01.test:/shared/test

Mount point: /net
source(s):
  type: hosts
  ipaclient02.labs01.test | (null)
  localhost | (null)

Mount point: /-
source(s):
lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
  instance type(s): sss 
  map: auto.direct
  no keys found in map

Comment 16 Jakub Hrozek 2015-10-06 14:41:43 UTC

(In reply to Sudhir Menon from comment #15)
> Jakub,
> After manually adding the entries in /etc/auto.master in ipaclient,
> automount -m is showing the values.
> 

I guess this is so-so, but wouldn't it be better to link auto.master on the server with auto.share on the server?

See ipa help automounter, it gives example on how to configure similar setup.

Comment 17 Sudhir Menon 2015-10-09 09:44:36 UTC

Verified using RHEL7.2 

sssd-1.13.0-36.el7.x86_64
ipa-server-4.2.0-12.el7.x86_64
ipa-server-dns-4.2.0-12.el7.x86_64
ipa-server-trust-ad-4.2.0-12.el7.x86_64

Observations: "setautomntent: lookup(sss): setautomntent: Cannot allocate memory" is not displayed.


Steps done:

1. On IPA-Server

#vi etc/exportfs 
/ipaexport *(rw)

2. service nfs restart

3. [root@ipa01 ~]# ipa automountlocation-add baltimore
------------------------------------
Added automount location "baltimore"
------------------------------------
Location: baltimore

4.[root@ipa01 ~]# ipa automountmap-add baltimore auto.share
--------------------------------
Added automount map "auto.share"
--------------------------------
Map: auto.share

5.[root@ipa01 ~]# ipa automountkey-add baltimore auto.master --key=/share --info=auto.share
----------------------------
Added automount key "/share"
----------------------------
Key: /share
Mount information: auto.share

6.[root@ipa01 ~]# ipa automountkey-find baltimore auto.share
-----------------------
1 automount key matched
-----------------------
  Key: test
  Mount information: -rw,sync,ipa01.labs01.test:/ipaexport
----------------------------
Number of entries returned 1
----------------------------

7. [root@ipaclient02 ~]# ipa-client-automount --server=ipa01.labs01.test --location=baltimore
IPA server: ipa01.labs01.test
Location: baltimore
Continue to configure the system with these values? [no]: yes
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.
Started autofs

8. Ran the below command on IPAclient which was giving the error. Now its not giving the error.

[root@ipaclient02 ~]# ipa automountlocation-tofiles baltimore; grep -e fully -e default /etc/sssd/sssd.conf; service sssd restart; sss_cache -E; service autofs restart; automount -m
/etc/auto.master:
/-	/etc/auto.direct
/share	/etc/auto.share
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.share:
test	-rw,sync,ipa01.labs01.test:/ipaexport

maps not connected to /etc/auto.master:
default_domain_suffix = test.in
use_fully_qualified_names = true
Redirecting to /bin/systemctl restart  sssd.service
Redirecting to /bin/systemctl restart  autofs.service
autofs dump map information
===========================
global options: none configured
Mount point: /misc
source(s):
instance type(s): file 
  map: /etc/auto.misc
  cd | -fstype=iso9660,ro,nosuid,nodev	:/dev/cdrom

Mount point: /net
source(s):
  type: hosts
  ipaclient02.labs01.test | (null)
  localhost | (null)

Mount point: /-
source(s):
lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
  instance type(s): sss 
  map: auto.direct
  no keys found in map

Mount point: /share
source(s):
  instance type(s): sss 
  map: auto.share
  test | -rw,sync,ipa01.labs01.test:/ipaexport

Comment 18 errata-xmlrpc 2015-11-19 11:38:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

Note You need to log in before you can comment on or make changes to this bug.