Bug 1378557 - NFSv4 id mapping issues in multi-domain environments [rhel-7]
Summary: NFSv4 id mapping issues in multi-domain environments [rhel-7]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libnfsidmap
Version: 7.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Steve Dickson
QA Contact: Yongcheng Yang
URL:
Whiteboard:
Depends On:
Blocks: 1298243 1385242 1410855 1411863
 
Reported: 2016-09-22 18:21 UTC by Scott Mayhew
Modified: 2021-06-10 11:33 UTC (History)

Fixed In Version: libnfsidmap-0.25-17.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1410855 1411863
Environment:
Last Closed: 2017-08-01 17:52:49 UTC
Target Upstream Version:
Embargoed:
phil.joyce: needinfo+


Attachments
quick and dirty poc patch (6.99 KB, patch)
2016-09-22 18:53 UTC, Scott Mayhew
updated patch (8.22 KB, application/mbox)
2016-09-26 20:50 UTC, Scott Mayhew
updated patch (14.62 KB, patch)
2016-10-19 19:19 UTC, Scott Mayhew
final patch (15.04 KB, patch)
2017-01-06 15:47 UTC, Scott Mayhew


Links
System                  ID              Private  Priority  Status        Summary                                                                                           Last Updated
Red Hat Bugzilla        980925          1        None      None          None                                                                                              2021-01-20 06:05:38 UTC
Red Hat Bugzilla        1420352         0        urgent    CLOSED        Cannot create file in it's directory using kerberos authentication with libnfsidmap-0.25-16.el7   2021-02-22 00:41:40 UTC
Red Hat Product Errata  RHBA-2017:1857  0        normal    SHIPPED_LIVE  libnfsidmap bug fix and enhancement update                                                        2017-08-01 18:04:00 UTC

Internal Links: 980925 1420352

Description Scott Mayhew 2016-09-22 18:21:47 UTC
Description of problem:

NFSv4 id mapping on Linux does not work well in multi-domain environments.  RFCs 3530, 5661, and 7530 all describe the fattr4_owner and fattr4_owner_group strings in the form "user@dns_domain".

The Linux libnfsidmap nsswitch plugin currently treats that domain as an arbitrary string.  As long as the domain part of the incoming string matches the Domain parameter of the idmapd.conf, the plugin strips off the domain and does a getpwnam() with what's left over.

When a Linux machine is joined to an environment involving multiple Active Directory domains, it is usually necessary for usernames to be qualified with the domain, either in a user principal format (e.g. "smayhew.com") or a down-level logon name format (e.g. "AD\smayhew").  

In an environment with just Linux NFS clients and servers, the machines will all use this format: the libnfsidmap plugin will automatically format the username in one of these two forms, because libnfsidmap is just using the name that is returned from getpwuid()... so in the above example, if the NFSv4 domain in idmapd.conf is configured as "example.com", the full fattr4_owner might appear as "smayhew.com" if the machines are using SSSD, and "AD\smayhew" if they're using Winbind.

The problem is that Linux is in the minority here.  

Ontap 8.3 maps a uid to a short username and then appends the NFSv4 id mapping domain to that.  The nsswitch plugin is unable to map those, because once it strips off the domain it will be unable to resolve the short username.  It's possible to configure the Linux clients that are using SSSD to be able to use the short usernames by turning off the subdomains_provider and explicitly adding stanzas for each trusted domain in the sssd.conf.  This works as long as each username & uid is unique across all the trusted domains.  For example if you have subdomains "na", "emea", and "apac", then it will not work (or rather it will be unpredictable) if each of those domains has an "smayhew" user... but otherwise it will work.

That solution will not work for other NFS servers though.

The NFS v4.1 server in Microsoft Windows does not appear to allow the NFSv4 domain to be configured at all.  It just sends the names in UPN format, so it's essentially treating the AD domain as the NFSv4 domain.  The Windows NFS v4.1 server is therefore capable of working with multiple domains.  Since the current libnfsidmap nsswitch plugin only allows a single domain to be configured, it's only able to map users from that single domain.

EMC Isilon servers also appear to be capable of using multiple domains.  It is unclear whether these domains are explicitly configured in the Isilon's id mapper or if it's using the AD domain as the NFSv4 domain.  Either way, the current libnfsidmap plugin only allows a single domain to be configured, so it's only able to map users from that domain.

Version-Release number of selected component (if applicable):
libnfsidmap (any version)

How reproducible:
Very reproducible, but it takes a lot of setup work.

Steps to Reproduce:
1. Set up at least two AD domains and configure them to trust each other.
2. Join a RHEL NFS client to one of the domains.
3. Join some non-RHEL NFS server to the other domain (to be honest most of the breakage occurs even when the client and server belong to the same domains).
4. Attempt to use NFSv4 with id mapping enabled.

Actual results:
fattr4_owner and fattr4_owner_group strings are mapped to nobody.

Expected results:
fattr4_owner and fattr4_owner_group strings should be mapped to valid users and groups.

Additional info:

RFCs 3530/5661/7530 don't really say how multiple domain setups should work.  
RFC 5661 does say:

   The "dns_domain" portion of the owner string is meant to be a DNS
   domain name, for example, user.  Servers should accept as
   valid a set of users for at least one domain.  A server may treat
   other domains as having no valid translations.  A more general
   service is provided when a server is capable of accepting users for
   multiple domains, or for all domains, subject to security
   constraints.

This document does describe how multi-domain setups should work:
https://datatracker.ietf.org/doc/draft-ietf-nfsv4-multi-domain-fs-reqs/ 

I think there are some changes that we can make to libnfsidmap to at least make it work better with the majority of the NFSv4 servers out there (and not break existing Linux-only behavior in the process).

Comment 3 Scott Mayhew 2016-09-22 18:53:25 UTC
Created attachment 1203887 [details]
quick and dirty poc patch

Really quick, and really dirty proof-of-concept patch.  What it does is add another parameter 'Domains' to the idmap.conf.   That parameter takes (unsurprisingly) a list of domains, in much the same way the Local-Realms parameter works.  The value specified in the Domain parameter does not have to be in the Domains list.  When the Domains list is populated, the plugin does a few things:
1. For name-to-id mapping, it compares the domain in the attribute to the list of domains.  If it's not in the list, it gets mapped to the uid for nobody.
2. If the domain in the attribute is in the list of domains, then that attribute is passed as-is to getpwnam() (or getgrnam() if it's a group).  IOW the domain is NOT stripped off.
3. For id-to-name mapping, after the getpwuid() (or getgrgid()) call, the domain in the result is compared to the Domains list... if it's not in the list, then the id is mapped to the nobody string... even if the name was otherwise resolved successfully.
If the Domains list is empty, then the nsswitch plugin should behave as it did before (so the 'odd' format that some RHEL servers use like smayhew.com will still work).

It's only been lightly tested, but it did work against Ontap 8.3.2 and Windows 2012r2 NFS servers.  There's probably a lot of sharp edges (in fact I'm not even sure what it'll do on a system that's configured to only use short usernames).

Comment 4 Scott Mayhew 2016-09-26 20:50:14 UTC
Created attachment 1204973 [details]
updated patch

Changed 'Domains' parameter to 'Domain-List'.  Added the same treatment to nss_name_to_gid() because I noticed group owners were still being mapped to nobody.

Comment 5 Scott Mayhew 2016-09-26 20:54:57 UTC
Example from a client using the above patch.  In my test setup, I have 3 domains: smayhew.local, ad.smayhew.local, and lab.smayhew.local.  My idmapd.conf looks like this:

---8<---
[General]
Verbosity = 10
Domain = smayhew.local
Domain-List = smayhew.local,ad.smayhew.local,lab.smayhew.local

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch
---8<---

Here's a test listing a directory from a Windows 2012 NFS server (from which RHEL also has problems mapping the names) that has files created by users from all 3 domains:

[smayhew.local@rhel6client ~]$ sudo mount -o v4.1,sec=krb5 win2012r2-3.lab.smayhew.local:/Export /mnt/t
[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 10
-rw-rw-r--. 1 amy.local       domain users.local 29 Sep 26 15:22 written-by-amy
-rw-r--r--. 1 barney        domain users     29 Sep 26 15:22 written-by-barney
-rw-rw-r--. 1 bart.local       domain users.local  29 Sep 26 15:22 written-by-bart
-rw-rw-r--. 1 bender.local    domain users.local 29 Sep 26 15:22 written-by-bender
-rw-r--r--. 1 betty         domain users     29 Sep 26 15:22 written-by-betty
-rw-r--r--. 1 fred          domain users     29 Sep 26 15:22 written-by-fred
-rw-rw-r--. 1 fry.local       domain users.local 29 Sep 26 15:23 written-by-fry
-rw-rw-r--. 1 hermes.local    domain users.local 29 Sep 26 15:22 written-by-hermes
-rw-rw-r--. 1 homer.local      domain users.local  29 Sep 26 15:22 written-by-homer
-rw-rw-r--. 1 jstephen.local   domain users.local  29 Sep 26 15:22 written-by-jstephen
-rw-rw-r--. 1 kif.local       domain users.local 29 Sep 26 15:23 written-by-kif
-rw-rw-r--. 1 leela.local     domain users.local 29 Sep 26 15:23 written-by-leela
-rw-rw-r--. 1 lisa.local       domain users.local  29 Sep 26 15:22 written-by-lisa
-rw-rw-r--. 1 maggie.local     domain users.local  29 Sep 26 15:22 written-by-maggie
-rw-rw-r--. 1 marge.local      domain users.local  29 Sep 26 15:22 written-by-marge
-rw-rw-r--. 1 professor.local domain users.local 29 Sep 26 15:23 written-by-professor
-rw-rw-r--. 1 smayhew.local    domain users.local  29 Sep 26 15:22 written-by-smayhew
-rw-r--r--. 1 wilma         domain users     29 Sep 26 15:22 written-by-wilma
-rw-rw-r--. 1 zapp.local      domain users.local 29 Sep 26 15:23 written-by-zapp
-rw-rw-r--. 1 zoidberg.local  domain users.local 29 Sep 26 15:23 written-by-zoidberg

Comment 6 Scott Mayhew 2016-09-26 21:21:18 UTC
Unfortunately the patch doesn't help as much if the NFS server is running Ontap, since ontap only sends a single domain.

For example, to start with I have the NFSv4 domain on the vserver set to 'lab.smayhew.local':

cluster1::*> vserver nfs show -vserver vs0 -fields v4-id-domain
vserver v4-id-domain      
------- ----------------- 
vs0     lab.smayhew.local 

So we're only able to map users in the 'lab.smayhew.local' domain:

[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 0
-rw-r--r--. 1 amy.local       unixgroup-lab.local 29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 bender.local    unixgroup-lab.local 29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 fry.local       unixgroup-lab.local 29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 hermes.local    unixgroup-lab.local 29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 kif.local       unixgroup-lab.local 29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 leela.local     unixgroup-lab.local 29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 professor.local unixgroup-lab.local 29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 nobody                      nobody                          29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 zapp.local      unixgroup-lab.local 29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 zoidberg.local  unixgroup-lab.local 29 Sep 23 18:01 written-by-zoidberg

If I set the NFSv4 domain on the vserver to 'ad.smayhew.local':

cluster1::*> vserver nfs modify -vserver vs0 -v4-id-domain ad.smayhew.local

and clear the cached mappings on the client:

[root@rhel6client ~]# nfsidmap -c
nfsidmap: clearing '138b18d8 I--Q---     1 perm 3f3f0000     0     0 keyring   _child_1: empty'
nfsidmap: clearing '3fa99574 I------     1 perm 1f030000     0     0 keyring   .id_resolver: 1/4'

Then we're only able to map users in the 'ad.smayhew.local' domain:

[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 0
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 bart.local    unixgroup-ad.local 29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 homer.local   unixgroup-ad.local 29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 lisa.local    unixgroup-ad.local 29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 maggie.local  unixgroup-ad.local 29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 marge.local   unixgroup-ad.local 29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 smayhew.local unixgroup-ad.local 29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 nobody                   nobody                        29 Sep 23 18:01 written-by-zoidberg

Likewise, if I set the NFSv4 domain on the vserver to 'smayhew.local':

cluster1::*> vserver nfs modify -vserver vs0 -v4-id-domain smayhew.local

and clear the cached mappings again:

[root@rhel6client ~]# nfsidmap -c
nfsidmap: clearing '1fd3cb96 I--Q---     1 perm 3f3f0000     0     0 keyring   _child_1: 72/72'
nfsidmap: clearing '3fa99574 I------     1 perm 1f030000     0     0 keyring   .id_resolver: 1/4'

Then we're only able to map the users in the 'smayhew.local' domain:

[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 0
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 barney unixgroup-smayhew 29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 betty  unixgroup-smayhew 29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 fred   unixgroup-smayhew 29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 wilma  unixgroup-smayhew 29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:01 written-by-zoidberg
[smayhew.local@rhel6client ~]$

Comment 7 Scott Mayhew 2016-09-28 19:38:49 UTC
I set up a 4-node Isilon cluster and did some really basic testing and confirmed my test package helps:

[root@rhel6client ~]# mount -o v4,sec=krb5 isilon.lab.smayhew.local:/ifs /mnt/t
[root@rhel6client ~]# grep krb5 /proc/mounts
isilon.lab.smayhew.local:/ifs/ /mnt/t nfs4 rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=10.10.179.110,minorversion=0,local_lock=none,addr=10.10.180.181 0 0
[root@rhel6client ~]# ls -l /mnt/t
total 132
-rw-rw-r--. 1 bender.local unixgroup-lab.local   29 Sep 28 09:40 bender.txt
drwxrwxrwx. 3 nobody                   nobody                            32 Sep 27 12:00 data
-rw-r--r--. 1 fred       unixgroup-smayhew   29 Sep 28 09:40 fred.txt
drwxrwxr-x. 4 nobody                   nobody                            44 Sep 27 11:55 home
-rw-rw-r--. 1 homer.local   unixgroup-ad.local     29 Sep 28 09:39 homer.txt
-rw-r--r--. 1 nobody                   nobody                          1029 Sep 27 11:55 README.txt
-rw-rw-r--. 1 smayhew.local unixgroup-ad.local     29 Sep 28 09:32 smayhew.txt


The nobody user happens to be root and the nobody group is wheel... I still need to figure out how/if we should handle local users too.

Also my code triggers a segfault when the isilon sends 'localhost' as the domain (which is its default)... so I have some bugs somewhere.

Comment 8 Scott Mayhew 2016-09-29 21:29:18 UTC
So... while I was researching what packages might have dependencies on libnfsidmap, I discovered that there's an idmap plugin provided by sssd that pretty much already does what I'm trying to do.  All I had to do was add "sss" to the Method line in my idmapd.conf.

[root@rhel7client ~]# egrep -v "^(#|$)" /etc/idmapd.conf
[General]
Domain = smayhew.local
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = sss,nsswitch

It seems to work well with both the Isilon and Windows servers.

[root@rhel7client ~]# mount -o v4,sec=krb5 isilon.lab.smayhew.local:/ifs /mnt/t
[root@rhel7client ~]# ls -l /mnt/t
total 514
-rw-rw-r--. 1 amy.local       unixgroup-lab.local   29 Sep 29 17:15 amy.txt
-rw-r--r--. 1 barney        unixgroup-smayhew   29 Sep 29 17:15 barney.txt
-rw-rw-r--. 1 bart.local       unixgroup-ad.local     29 Sep 29 17:16 bart.txt
-rw-rw-r--. 1 bender.local    unixgroup-lab.local   29 Sep 29 17:16 bender.txt
-rw-r--r--. 1 betty         unixgroup-smayhew   29 Sep 29 17:16 betty.txt
drwxrwxrwx. 3 root                        wheel                             32 Sep 27 12:00 data
-rw-r--r--. 1 fred          unixgroup-smayhew   29 Sep 29 17:16 fred.txt
-rw-rw-r--. 1 fry.local       unixgroup-lab.local   29 Sep 29 17:17 fry.txt
-rw-rw-r--. 1 hermes.local    unixgroup-lab.local   29 Sep 29 17:17 hermes.txt
drwxrwxr-x. 4 root                        wheel                             44 Sep 27 11:55 home
-rw-rw-r--. 1 homer.local      unixgroup-ad.local     29 Sep 29 17:17 homer.txt
-rw-rw-r--. 1 kif.local       unixgroup-lab.local   29 Sep 29 17:18 kif.txt
-rw-rw-r--. 1 leela.local     unixgroup-lab.local   29 Sep 29 17:18 leela.txt
-rw-rw-r--. 1 lisa.local       unixgroup-ad.local     29 Sep 29 17:18 lisa.txt
-rw-rw-r--. 1 maggie.local     unixgroup-ad.local     29 Sep 29 17:18 maggie.txt
-rw-rw-r--. 1 marge.local      unixgroup-ad.local     29 Sep 29 17:19 marge.txt
-rw-rw-r--. 1 professor.local unixgroup-lab.local   29 Sep 29 17:19 professor.txt
-rw-r--r--. 1 root                        wheel                           1029 Sep 27 11:55 README.txt
-rw-rw-r--. 1 smayhew.local    unixgroup-ad.local     29 Sep 29 17:19 smayhew.txt
-rw-r--r--. 1 wilma         unixgroup-smayhew   29 Sep 29 17:20 wilma.txt
-rw-rw-r--. 1 zapp.local      unixgroup-lab.local   29 Sep 29 17:20 zapp.txt
-rw-rw-r--. 1 zoidberg.local  unixgroup-lab.local   29 Sep 29 17:20 zoidberg.txt

[root@rhel7client ~]# umount /mnt/t
[root@rhel7client ~]# mount -o v4.1,sec=krb5 win2012r2-3.lab.smayhew.local:/Export /mnt/t
[root@rhel7client ~]# nfsidmap -c
[root@rhel7client ~]# ls -l /mnt/t
total 10
-rw-rw-r--. 1 amy.local       domain users.local 29 Sep 26 15:22 written-by-amy
-rw-r--r--. 1 barney        domain users     29 Sep 26 15:22 written-by-barney
-rw-rw-r--. 1 bart.local       domain users.local  29 Sep 26 15:22 written-by-bart
-rw-rw-r--. 1 bender.local    domain users.local 29 Sep 26 15:22 written-by-bender
-rw-r--r--. 1 betty         domain users     29 Sep 26 15:22 written-by-betty
-rw-r--r--. 1 fred          domain users     29 Sep 26 15:22 written-by-fred
-rw-rw-r--. 1 fry.local       domain users.local 29 Sep 26 15:23 written-by-fry
-rw-rw-r--. 1 hermes.local    domain users.local 29 Sep 26 15:22 written-by-hermes
-rw-rw-r--. 1 homer.local      domain users.local  29 Sep 26 15:22 written-by-homer
-rw-rw-r--. 1 jstephen.local   domain users.local  29 Sep 26 15:22 written-by-jstephen
-rw-rw-r--. 1 kif.local       domain users.local 29 Sep 26 15:23 written-by-kif
-rw-rw-r--. 1 leela.local     domain users.local 29 Sep 26 15:23 written-by-leela
-rw-rw-r--. 1 lisa.local       domain users.local  29 Sep 26 15:22 written-by-lisa
-rw-rw-r--. 1 maggie.local     domain users.local  29 Sep 26 15:22 written-by-maggie
-rw-rw-r--. 1 marge.local      domain users.local  29 Sep 26 15:22 written-by-marge
-rw-rw-r--. 1 professor.local domain users.local 29 Sep 26 15:23 written-by-professor
-rw-rw-r--. 1 smayhew.local    domain users.local  29 Sep 26 15:22 written-by-smayhew
-rw-r--r--. 1 wilma         domain users     29 Sep 26 15:22 written-by-wilma
-rw-rw-r--. 1 zapp.local      domain users.local 29 Sep 26 15:23 written-by-zapp
-rw-rw-r--. 1 zoidberg.local  domain users.local 29 Sep 26 15:23 written-by-zoidberg

Not so much w/ the Netapp...

[root@rhel7client ~]# umount /mnt/t
[root@rhel7client ~]# mount -o v4,sec=krb5 vs0.lab.smayhew.local:/vol2 /mnt/t
[root@rhel7client ~]# nfsidmap -c
[root@rhel7client ~]# ls -l /mnt/t
total 0
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 barney unixgroup-smayhew 29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 betty  unixgroup-smayhew 29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 fred   unixgroup-smayhew 29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 wilma  unixgroup-smayhew 29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 nobody               nobody                          29 Sep 23 18:01 written-by-zoidberg

Comment 9 Scott Mayhew 2016-09-29 21:31:23 UTC
[root@rhel7client ~]# rpm -qf /usr/lib64/libnfsidmap/sss.so
sssd-common-1.13.0-40.el7_2.12.x86_64

[root@rhel7client ~]# rpm -qd sssd-common | grep idmap
/usr/share/man/man5/sss_rpcidmapd.5.gz

Comment 12 Scott Mayhew 2016-10-19 19:19:09 UTC
Created attachment 1212241 [details]
updated patch

Updated patch.  
1. Moved multi domain logic into its own plugin.  This allows us to fall back on the logic to strip the domain if the lookup w/ the fully-qualified name fails (I tried doing it all within the nsswitch plugin but it got too messy).
2. Added an option to work around a quirk that exists in winbind where if you do a group lookup using UPN format, the resulting group name looks a little 'weird', e.g.
-rw-rw-r--. 1 LAB\amy        LAB.SMAYHEW.LOCAL\unixgroup-lab   29 Sep 29 17:15 amy.txt

instead of
-rw-rw-r--. 1 LAB\amy        LAB\unixgroup-lab           29 Sep 29 17:15 amy.txt
3. Added a separate config section for the multi domain options.
4. Added documentation to both the sample idmapd.conf and the idmapd.conf(5) man page.
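The mapping decisions described in the Description, in Comment 3 and in Comment 12 (gate on a list of served domains, look up the fully-qualified name first, fall back to the stripped short name, and hand back nobody for a domain the client does not serve), as an added C model. This is not libnfsidmap's own code: the passwd table, the account names and domains, the config struct and every function name below are constructed for illustration, and the fake getpwnam()/getpwuid() stand in for the real NSS calls so the block runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define NOBODY_UID 65534u
#define MAX_DOMAINS 16

/* Constructed stand-in for the passwd database (hypothetical accounts).
 * SSSD/winbind in a multi-domain AD setup return qualified names; the
 * local account "carol" has a short name with no domain part. */
struct fake_pw { const char *name; unsigned uid; };
static const struct fake_pw fake_passwd[] = {
    { "alice@corp.example.com",  10001 },
    { "bob@eu.corp.example.com", 20001 },
    { "carol",                    1000 },
};
#define NPW (sizeof fake_passwd / sizeof fake_passwd[0])

static const struct fake_pw *fake_getpwnam(const char *name)
{
    for (size_t i = 0; i < NPW; i++)
        if (strcmp(fake_passwd[i].name, name) == 0)
            return &fake_passwd[i];
    return NULL;
}

static const struct fake_pw *fake_getpwuid(unsigned uid)
{
    for (size_t i = 0; i < NPW; i++)
        if (fake_passwd[i].uid == uid)
            return &fake_passwd[i];
    return NULL;
}

/* Hypothetical config: the Domain value plus an optional comma-separated
 * domain list (modelled on the Domain-List idea from Comment 4). */
struct idmap_cfg {
    const char *domain;
    char list_buf[512];
    const char *domain_list[MAX_DOMAINS];
    int ndomains;                 /* 0 means legacy single-domain behaviour */
};

int cfg_init(struct idmap_cfg *cfg, const char *domain, const char *domain_list)
{
    memset(cfg, 0, sizeof *cfg);
    cfg->domain = domain;
    if (domain_list == NULL || *domain_list == '\0')
        return 0;
    if (strlen(domain_list) >= sizeof cfg->list_buf)
        return -1;
    strcpy(cfg->list_buf, domain_list);
    for (char *tok = strtok(cfg->list_buf, ","); tok; tok = strtok(NULL, ",")) {
        if (cfg->ndomains == MAX_DOMAINS)
            return -1;
        cfg->domain_list[cfg->ndomains++] = tok;
    }
    return 0;
}

/* Served domain: in the list, or equal to Domain when no list is configured. */
static int domain_allowed(const struct idmap_cfg *cfg, const char *domain)
{
    if (cfg->ndomains == 0)
        return strcasecmp(domain, cfg->domain) == 0;
    for (int i = 0; i < cfg->ndomains; i++)
        if (strcasecmp(domain, cfg->domain_list[i]) == 0)
            return 1;
    return 0;
}

/* fattr4_owner "user@domain" -> uid; unknown domain or name -> NOBODY_UID. */
unsigned owner_to_uid(const struct idmap_cfg *cfg, const char *owner)
{
    const char *at = strrchr(owner, '@');
    if (at == NULL || !domain_allowed(cfg, at + 1))
        return NOBODY_UID;
    char shortname[256];
    size_t n = (size_t)(at - owner);
    if (n == 0 || n >= sizeof shortname)
        return NOBODY_UID;
    memcpy(shortname, owner, n);
    shortname[n] = '\0';
    const struct fake_pw *pw = NULL;
    if (cfg->ndomains > 0)
        pw = fake_getpwnam(owner);     /* multi-domain: qualified name first */
    if (pw == NULL)
        pw = fake_getpwnam(shortname); /* legacy strip, also the fallback */
    return pw ? pw->uid : NOBODY_UID;
}

/* uid -> fattr4_owner string. Returns 0 for a mapped account, -1 for nobody. */
int uid_to_owner(const struct idmap_cfg *cfg, unsigned uid, char *out, size_t outlen)
{
    const struct fake_pw *pw = fake_getpwuid(uid);
    if (pw != NULL) {
        const char *at = strrchr(pw->name, '@');
        if (at == NULL) {              /* short name: append Domain */
            snprintf(out, outlen, "%s@%s", pw->name, cfg->domain);
            return 0;
        }
        if (domain_allowed(cfg, at + 1)) {
            snprintf(out, outlen, "%s", pw->name);
            return 0;
        }
        /* Resolved, but from a domain we do not serve: nobody (Comment 3, step 3). */
    }
    snprintf(out, outlen, "nobody@%s", cfg->domain);
    return -1;
}

int main(void)
{
    struct idmap_cfg cfg;
    char buf[128];
    if (cfg_init(&cfg, "corp.example.com", "corp.example.com,eu.corp.example.com") != 0)
        return 1;
    printf("bob@eu.corp.example.com -> uid %u\n", owner_to_uid(&cfg, "bob@eu.corp.example.com"));
    uid_to_owner(&cfg, 1000, buf, sizeof buf);
    printf("uid 1000 -> %s\n", buf);
    return 0;
}
```

With no domain list configured the model reproduces the failure from the Description: an Ontap-style "alice@corp.example.com" is stripped to "alice", which the name service does not know, so the owner becomes nobody even though the domain matched. With the list set, the qualified lookup succeeds for both domains, a local short-named account still resolves through the fallback, and an owner from an unlisted domain is refused rather than guessed.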

Comment 16 Scott Mayhew 2017-01-06 15:47:42 UTC
Created attachment 1238015 [details]
final patch

Attaching the version of the patch that was merged in the upstream libnfsidmap git repo.

Comment 18 Steve Dickson 2017-01-10 18:37:59 UTC
upstream commit 

commit 4db1bb1c462389848168a4b79723a6d2ae38f422
Author: Scott Mayhew <smayhew>
Date:   Wed Dec 21 14:43:24 2016 -0500

    libnfsidmap: add options to aid id mapping in multi domain environments

Comment 23 ChunYu Wang 2017-01-26 06:01:21 UTC
(In reply to Scott Mayhew from comment #22)
Thanks, Scott,

Currently, we cannot reproduce this scene in our environment with both RHEL 6/7 and Windows 2012R2/2016 Server, but with your test results in comment 20 and Bug 1410855, we can ensure your patch will be effective in this scene. I will verify it with "Sanity Only" first and keep an eye on whether it reproduces during other idmap related tests.

Comment 24 ChunYu Wang 2017-01-26 06:56:24 UTC
Moved to ON_QA again, will provide more regression test results later.

Comment 30 Colin.Simpson 2017-04-26 15:04:30 UTC
We have this issue too. Again with Windows 2012 NFS servers seemingly not allowing you to set the NFSv4 domain name.

The "No-Strip=both" option seems to work around this on RHEL6.9 and F25. So it would be nice to see this on RHEL7.  I guess we are lucky that "user.NAME" can be resolved for us directly by NSS.

Any test package out there to try?

Comment 31 ChunYu Wang 2017-04-27 03:11:45 UTC
(In reply to Colin Simpson from comment #30)
Hi, Colin,

> We have this issue too. Again with Windows 2012 NFS servers seemingly not
> allowing you to set the NFSv4 domain name.

Did you choose a Windows node as an NFS Server or just include it as an AD DC?

> Any test package out there to try?

You can try to include the patch listed in the Attachment field of this Bug if you need to try this function, feel free to get down to me if I can offer more help.

Thanks,
ChunYu Wang

Comment 32 Colin.Simpson 2017-04-27 09:10:52 UTC
(In reply to ChunYu Wang from comment #31)
> (In reply to Colin Simpson from comment #30)
> Hi, Colin,
> 
> > We have this issue too. Again with Windows 2012 NFS servers seemingly not
> > allowing you to set the NFSv4 domain name.
> 
> Did you choose a Windows node as an NFS Server or just include it as an AD
> DC?

All our Linux systems are joined to AD for Authentication and Directory Services. 
The windows machine we use for NFS is a member server of the domain. We have however a multidomain environment.


> 
> > Any test package out there to try?
> 
> You can try to include the patch listed in the Attachment field of this Bug
> if you need to try this function, feel free to get down to me if I can offer
> more help.
> 
> Thanks,
> ChunYu Wang
The patch isn't really the issue for testing, as we can see this new flag working for us on RHEL 6.9 and Fedora 25 clients to this Windows 2012R2 NFS server.

So we really just need a release on RHEL7 to allow us to deploy NFSv4 from Windows 2012 (currently using NFSv3).

Comment 35 Josip Vilicic 2017-06-16 16:54:37 UTC
Hi Yongcheng,

I believe it would just be a matter of enabling the RHEL 7 Beta RPMs repo:

   # subscription-manager repos --enable rhel-7-server-beta-rpms

The latest version (libnfsidmap-0.25-17.el7.x86_64.rpm) is available for direct download at the link below, but I'm not sure if you will need to resolve dependencies in your environment: 

   https://access.redhat.com/downloads/content/69/ver=/rhel---7/7.4%20Beta/x86_64/packages

So enabling the Beta RPMs repo and downloading from there would be the better solution, but I'll include that rpm in case 01699716 in case just that one package works.

Take care,

Jo Vilicic
irc: jo -- jvilicic
TSE  --  IdM  --  919-754-4951

Comment 39 Yongcheng Yang 2017-07-10 01:29:05 UTC
(In reply to Steve Dickson from comment #18)

One more upstream commit is merged into Release 17:

commit ba7daebba65dc4b1adfac9c8c61f373d6c394673
Author: Scott Mayhew <smayhew>
Date:   Wed Feb 8 08:40:38 2017 -0500

    nss_gss_princ_to_ids() and nss_gss_princ_to_grouplist() must strip the realm

Comment 40 Yongcheng Yang 2017-07-10 01:30:48 UTC
Moving to VERIFIED again according to comment #23 as we are finishing 7.4 now.

Please open another bug for anything new. Thanks in advance.

Comment 41 Colin.Simpson 2017-07-10 09:27:12 UTC
I'm confused. Has this fix made it into RHEL7.4?

Comment 44 errata-xmlrpc 2017-08-01 17:52:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1857

