Bug 1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.1
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1217328
 
Reported: 2015-04-29 03:01 UTC by Aron Parsons
Modified: 2020-05-02 18:03 UTC (History)

Fixed In Version: sssd-1.13.0-0.1.alpha.el7
Doc Type: Bug Fix
Doc Text:
Cause: The default_domain_suffix option is meant as a shorthand to access objects from trusted domains without having to append the trusted domain name. However, some information, like autofs maps, can only be stored on the IPA server and not in the trusted AD domain, so it doesn't make sense to append the trusted AD domain name there.
Consequence: If default_domain_suffix was set, autofs maps were not accessible, as they were searched for on the trusted AD server.
Fix: default_domain_suffix is no longer considered for autofs maps.
Result: If default_domain_suffix is set, autofs maps are accessible again.
Clone Of:
: 1217328 (view as bug list)
Environment:
Last Closed: 2015-11-19 11:38:22 UTC
Target Upstream Version:


Attachments
autofs.patch (1.13 KB, application/mbox), 2015-04-29 03:01 UTC, Aron Parsons
sssd-logs (15.87 KB, application/x-gzip), 2015-04-29 03:04 UTC, Aron Parsons
automount steps (2.58 KB, text/plain), 2015-10-05 12:26 UTC, Sudhir Menon


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 3684 None None None 2020-05-02 18:03:28 UTC
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC

Description Aron Parsons 2015-04-29 03:01:50 UTC
Created attachment 1019948 [details]
autofs.patch

Description of problem:
when default_domain_suffix is enabled, you must enable use_fully_qualified_names. this breaks the autofs provider, which then returns 'Cannot allocate memory' for the maps.

Version-Release number of selected component (if applicable):
sssd-1.12.2-58.el7.6.x86_64

How reproducible:
always

Steps to Reproduce:
1. set default_domain_suffix and use_fully_qualified_names
2. configure autofs maps in IPA
3. attempt to access maps

Actual results:
[root@client01 ~]# ipa automountlocation-tofiles default; grep -e fully -e default /etc/sssd/sssd.conf; service sssd restart; sss_cache -E; service autofs restart; automount -m
/etc/auto.master:
/-	/etc/auto.direct
/test	/etc/auto.test
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.test:
test	-fstype=nfs  test:/test

maps not connected to /etc/auto.master:
use_fully_qualified_names = true
default_domain_suffix = example.com
Redirecting to /bin/systemctl restart  sssd.service
Redirecting to /bin/systemctl restart  autofs.service
setautomntent: lookup(sss): setautomntent: Cannot allocate memory
setautomntent: lookup(sss): setautomntent: Cannot allocate memory

autofs dump map information
===========================

global options: none configured
no master map entries found


Expected results:
[root@client01 ~]# ipa automountlocation-tofiles default; grep -e fully -e default /etc/sssd/sssd.conf; service sssd restart; sss_cache -E; service autofs restart; automount -m
/etc/auto.master:
/-	/etc/auto.direct
/test	/etc/auto.test
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.test:
test	-fstype=nfs  test:/test

maps not connected to /etc/auto.master:
use_fully_qualified_names = true
default_domain_suffix = example.com
Redirecting to /bin/systemctl restart  sssd.service
Redirecting to /bin/systemctl restart  autofs.service

autofs dump map information
===========================

global options: none configured

Mount point: /-

source(s):
lookup_read_map: lookup(sss): getautomntent_r: No such file or directory

  instance type(s): sss 
  map: auto.direct

  no keys found in map


Mount point: /test

source(s):

  instance type(s): sss 
  map: auto.test

  test | -fstype=nfs  test:/test


Additional info:
crude patch to fix is attached.  behavior is as expected in an AD/IPA trust environment with this bit of code removed, but may not be technically correct.

this combination of options is required after https://bugzilla.redhat.com/show_bug.cgi?id=1211830
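
A triage check for the failure shown under "Actual results" above, as an added example that is not part of the original report or of SSSD. The function names, verdict strings and sample inputs are constructed for illustration, and sssd.conf sections are ignored, as with the grep used in the report.

```shell
#!/bin/sh
# Added example: classify a host against the failure in this report.
# All sample data below is constructed.

# conf_value FILE KEY: print the last value assigned to KEY (sections ignored).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# autofs_triage CONF DUMP: CONF is sssd.conf, DUMP is saved `automount -m` output.
autofs_triage() {
    suffix=$(conf_value "$1" default_domain_suffix)
    if [ -z "$suffix" ]; then
        echo "not-applicable"     # option unset: the condition in this report is absent
    elif grep -q 'lookup(sss): setautomntent: Cannot allocate memory' "$2"; then
        echo "matches-bug"        # suffix set and the sss master map lookup failed
    elif grep -q 'instance type(s):.*sss' "$2"; then
        echo "maps-served"        # suffix set and sss-backed maps are listed
    else
        echo "no-sss-maps"        # suffix set, no error, nothing served from sss
    fi
}

# demo KIND: build constructed inputs in a temp dir and print the verdict.
demo() {
    dir=$(mktemp -d) || return 1
    printf '[sssd]\ndefault_domain_suffix = example.com\n[domain/example.com]\nuse_fully_qualified_names = true\n' > "$dir/sssd.conf"
    case "$1" in
        broken) printf 'setautomntent: lookup(sss): setautomntent: Cannot allocate memory\nno master map entries found\n' > "$dir/dump" ;;
        fixed)  printf 'Mount point: /test\n  instance type(s): sss \n  map: auto.test\n' > "$dir/dump" ;;
    esac
    autofs_triage "$dir/sssd.conf" "$dir/dump"
    rm -rf "$dir"
}

demo broken
demo fixed
```

On a real host, save the dump with `automount -m > dump 2>&1` so the lookup error is captured whichever stream it is written to.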

Comment 1 Aron Parsons 2015-04-29 03:04:46 UTC
Created attachment 1019960 [details]
sssd-logs

Comment 3 Jakub Hrozek 2015-04-29 15:53:43 UTC
I think your patch is completely correct, the autofs maps can't be qualified, the root is always auto.master (ok, this is configurable) and then automounter traverses the maps. I can't think of a scenario where it would be possible for a user to specify a qualified map other than overriding the map name in the config.

Can you send the patch to sssd-devel, please? I'll ack it.

Comment 4 Jakub Hrozek 2015-04-29 15:54:42 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2643

Comment 5 Jakub Hrozek 2015-04-29 15:55:35 UTC
btw I was also able to reproduce the bug and verify it's fixed using your patch with an ordinary LDAP domain, just to make sure there was nothing specific to IPA I was missing.

Thanks a lot for the patch!

Comment 6 Jakub Hrozek 2015-04-30 15:55:38 UTC
Fixed upstream:
    sssd-1-12: 8f57c6765b10de36582ef1dbee32d75452451a94
    master: 4df706219e64527209f12ad0c7814ee1be979c07

Comment 9 Sudhir Menon 2015-10-05 12:26:30 UTC
Created attachment 1079921 [details]
automount steps

Comment 13 Sudhir Menon 2015-10-06 10:47:13 UTC
Jakub,

I did create many maps and associated keys on the IPA-server and am able to access them from the ipa-client using the below command.
I think we are good to mark this as VERIFIED. Can you please confirm?

[root@ipaclient02 etc]# ipa automountlocation-tofiles baltimore; grep -e fully -e default /etc/sssd/sssd.conf; service sssd restart; sss_cache -E; service autofs restart; automount -m
/etc/auto.master:
/-	/etc/auto.direct
---------------------------
/etc/auto.direct:

maps not connected to /etc/auto.master:
---------------------------
/etc/auto.data:
data	-ro,ipa01.labs01.test:/shared/data
---------------------------
/etc/auto.share:
man	-ro,soft,rsize=8192,wsize=8192 ipa01.labs01.test:/shared/man
---------------------------
/etc/auto.test:
test	-ro,soft,ipa01.labs01.test:/shared/test
default_domain_suffix = test.in
use_fully_qualified_names = true
Redirecting to /bin/systemctl restart  sssd.service
Redirecting to /bin/systemctl restart  autofs.service

autofs dump map information
===========================
global options: none configured
Mount point: /misc
source(s):
  instance type(s): file 
  map: /etc/auto.misc
  cd | -fstype=iso9660,ro,nosuid,nodev	:/dev/cdrom

Mount point: /net
source(s):
  type: hosts
  ipaclient02.labs01.test | (null)
  localhost | (null)

Mount point: /-
source(s):
lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
  instance type(s): sss 
  map: auto.direct
  no keys found in map

Comment 14 Jakub Hrozek 2015-10-06 11:44:13 UTC
Hmm, I don't see /shared/data in automount -m output, looks like you need to link the auto.share map with auto.master ?

Comment 15 Sudhir Menon 2015-10-06 13:25:41 UTC
Jakub,
After manually adding the entries in /etc/auto.master in ipaclient, automount -m is showing the values.

/shared/data	/etc/auto.data
/shared/man	/etc/auto.share
/shared/test    /etc/auto.test

[root@ipaclient02 ~]# automount -m
autofs dump map information
===========================
global options: none configured
Mount point: /misc
source(s):
  instance type(s): file 
  map: /etc/auto.misc
  cd | -fstype=iso9660,ro,nosuid,nodev	:/dev/cdrom
  instance type(s): files sss 
  map: auto.misc
  duplicate indirect map entry will be ignored at run time
  cd | -fstype=iso9660,ro,nosuid,nodev	:/dev/cdrom
  cd | -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom

Mount point: /shared/data
source(s):
  instance type(s): file 
  map: /etc/auto.data
  data | -ro,ipaclient02.labs01.test/shared/data

Mount point: /shared/man
source(s):
  instance type(s): file 
  map: /etc/auto.share
  man | -ro,soft,rsize=8192,wsize=8192 ipaclient02.labs01.test:/shared/man

Mount point: /shared/test
source(s):
  instance type(s): file 
  map: /etc/auto.test
  test | -ro,soft,ipaclient02.labs01.test:/shared/test

Mount point: /net
source(s):
  type: hosts
  ipaclient02.labs01.test | (null)
  localhost | (null)

Mount point: /-
source(s):
lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
  instance type(s): sss 
  map: auto.direct
  no keys found in map

Comment 16 Jakub Hrozek 2015-10-06 14:41:43 UTC
(In reply to Sudhir Menon from comment #15)
> Jakub,
> After manually adding the entries in /etc/auto.master in ipaclient,
> automount -m is showing the values.
> 

I guess this is so-so, but wouldn't it be better to link auto.master on the server with auto.share on the server?

See ipa help automounter, it gives an example of how to configure a similar setup.

Comment 17 Sudhir Menon 2015-10-09 09:44:36 UTC
Verified using RHEL7.2 

sssd-1.13.0-36.el7.x86_64
ipa-server-4.2.0-12.el7.x86_64
ipa-server-dns-4.2.0-12.el7.x86_64
ipa-server-trust-ad-4.2.0-12.el7.x86_64

Observations: "setautomntent: lookup(sss): setautomntent: Cannot allocate memory" is not displayed.


Steps done:

1. On IPA-Server

#vi etc/exportfs 
/ipaexport *(rw)

2. service nfs restart

3. [root@ipa01 ~]# ipa automountlocation-add baltimore
------------------------------------
Added automount location "baltimore"
------------------------------------
Location: baltimore

4.[root@ipa01 ~]# ipa automountmap-add baltimore auto.share
--------------------------------
Added automount map "auto.share"
--------------------------------
Map: auto.share

5.[root@ipa01 ~]# ipa automountkey-add baltimore auto.master --key=/share --info=auto.share
----------------------------
Added automount key "/share"
----------------------------
Key: /share
Mount information: auto.share

6.[root@ipa01 ~]# ipa automountkey-find baltimore auto.share
-----------------------
1 automount key matched
-----------------------
  Key: test
  Mount information: -rw,sync,ipa01.labs01.test:/ipaexport
----------------------------
Number of entries returned 1
----------------------------

7. [root@ipaclient02 ~]# ipa-client-automount --server=ipa01.labs01.test --location=baltimore
IPA server: ipa01.labs01.test
Location: baltimore
Continue to configure the system with these values? [no]: yes
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.
Started autofs

8. Ran the below command on IPAclient which was giving the error. Now it's not giving the error.

[root@ipaclient02 ~]# ipa automountlocation-tofiles baltimore; grep -e fully -e default /etc/sssd/sssd.conf; service sssd restart; sss_cache -E; service autofs restart; automount -m
/etc/auto.master:
/-	/etc/auto.direct
/share	/etc/auto.share
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.share:
test	-rw,sync,ipa01.labs01.test:/ipaexport

maps not connected to /etc/auto.master:
default_domain_suffix = test.in
use_fully_qualified_names = true
Redirecting to /bin/systemctl restart  sssd.service
Redirecting to /bin/systemctl restart  autofs.service
autofs dump map information
===========================
global options: none configured
Mount point: /misc
source(s):
instance type(s): file 
  map: /etc/auto.misc
  cd | -fstype=iso9660,ro,nosuid,nodev	:/dev/cdrom

Mount point: /net
source(s):
  type: hosts
  ipaclient02.labs01.test | (null)
  localhost | (null)

Mount point: /-
source(s):
lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
  instance type(s): sss 
  map: auto.direct
  no keys found in map

Mount point: /share
source(s):
  instance type(s): sss 
  map: auto.share
  test | -rw,sync,ipa01.labs01.test:/ipaexport

Comment 18 errata-xmlrpc 2015-11-19 11:38:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

