Description of problem:

NFSv4 id mapping on Linux does not work well in multi-domain environments.

RFCs 3530, 5661, and 7530 all describe the fattr4_owner and fattr4_owner_group strings in the form "user@dns_domain". The Linux libnfsidmap nsswitch plugin currently treats that domain as an arbitrary string. As long as the domain part of the incoming string matches the Domain parameter of the idmapd.conf, the plugin strips off the domain and does a getpwnam() with what's left over.

When a Linux machine is joined to an environment involving multiple Active Directory domains, it is usually necessary for usernames to be qualified with the domain, either in a user principal format (e.g. "smayhew.com") or a down-level logon name format (e.g. "AD\smayhew"). In an environment with just Linux NFS clients and servers, the machines will all use this format; the libnfsidmap plugin will automatically format the username in one of these two forms, because libnfsidmap is just using the name that is returned from getpwuid()... so in the above example, if the NFSv4 domain in idmapd.conf is configured as "example.com", the full fattr4_owner might appear as "smayhew.com" if the machines are using SSSD, and "AD\smayhew" if they're using Winbind.

The problem is that Linux is in the minority here. Ontap 8.3 maps a uid to a short username and then appends the NFSv4 id mapping domain to that. The nsswitch plugin is unable to map those, because once it strips off the domain it will be unable to resolve the short username.

It's possible to configure the Linux clients that are using SSSD to be able to use the short usernames by turning off the subdomains_provider and explicitly adding stanzas for each trusted domain in the sssd.conf. This works as long as each username & uid is unique across all the trusted domains. For example, if you have subdomains "na", "emea", and "apac", then it will not work (or rather it will be unpredictable) if each of those domains has an "smayhew" user... but otherwise it will work.

That solution will not work for other NFS servers though. The NFS v4.1 server in Microsoft Windows does not appear to allow the NFSv4 domain to be configured at all. It just sends the names in UPN format, so it's essentially treating the AD domain as the NFSv4 domain. The Windows NFS v4.1 server is therefore capable of working with multiple domains. Since the current libnfsidmap nsswitch plugin only allows a single domain to be configured, it's only able to map users from that single domain.

EMC Isilon servers also appear to be capable of using multiple domains. It is unclear whether these domains are explicitly configured in the Isilon's id mapper or if it's using the AD domain as the NFSv4 domain. Either way, the current libnfsidmap plugin only allows a single domain to be configured, so it's only able to map users from that domain.

Version-Release number of selected component (if applicable):
libnfsidmap (any version)

How reproducible:
Very reproducible, but it takes a lot of setup work.

Steps to Reproduce:
1. Set up at least two AD domains and configure them to trust each other.
2. Join a RHEL NFS client to one of the domains.
3. Join some non-RHEL NFS server to the other domain (to be honest most of the breakage occurs even when the client and server belong to the same domains).
4. Attempt to use NFSv4 with id mapping enabled.

Actual results:
fattr4_owner and fattr4_owner_group strings are mapped to nobody.

Expected results:
fattr4_owner and fattr4_owner_group strings should be mapped to valid users and groups.

Additional info:
RFCs 3530/5661/7530 don't really say how multiple domain setups should work. RFC 5661 does say:

   The "dns_domain" portion of the owner string is meant to be a DNS domain name, for example, user. Servers should accept as valid a set of users for at least one domain. A server may treat other domains as having no valid translations. A more general service is provided when a server is capable of accepting users for multiple domains, or for all domains, subject to security constraints.

This document does describe how multi-domain setups should work:
https://datatracker.ietf.org/doc/draft-ietf-nfsv4-multi-domain-fs-reqs/

I think there are some changes that we can make to libnfsidmap to at least make it work better with the majority of the NFSv4 servers out there (and not break existing Linux-only behavior in the process).
Created attachment 1203887 [details]
quick and dirty poc patch

Really quick, and really dirty proof-of-concept patch. What it does is add another parameter 'Domains' to the idmapd.conf. That parameter takes (unsurprisingly) a list of domains, in much the same way the Local-Realms parameter works. The value specified in the Domain parameter does not have to be in the Domains list.

When the Domains list is populated, the plugin does a few things:

1. For name-to-id mapping, it compares the domain in the attribute to the list of domains. If it's not in the list, it gets mapped to the uid for nobody.
2. If the domain in the attribute is in the list of domains, then that attribute is passed as-is to getpwnam() (or getgrnam() if it's a group). IOW the domain is NOT stripped off.
3. For id-to-name mapping, after the getpwuid() (or getgrgid()) call, the domain in the result is compared to the Domains list... if it's not in the list, the id is mapped to the nobody string... even if the name was otherwise resolved successfully.

If the Domains list is empty, then the nsswitch plugin should behave as it did before (so the 'odd' format that some RHEL servers use like smayhew.com will still work).

It's only been lightly tested, but it did work against Ontap 8.3.2 and Windows 2012r2 NFS servers. There's probably a lot of sharp edges (in fact I'm not even sure what it'll do on a system that's configured to only use short usernames).
Created attachment 1204973 [details]
updated patch

Changed 'Domains' parameter to 'Domain-List'.

Added the same treatment to nss_name_to_gid() because I noticed group owners were still being mapped to nobody.
Example from a client using the above patch. In my test setup, I have 3 domains: smayhew.local, ad.smayhew.local, and lab.smayhew.local. My idmapd.conf looks like this:

---8<---
[General]
Verbosity = 10
Domain = smayhew.local
Domain-List = smayhew.local,ad.smayhew.local,lab.smayhew.local

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch
---8<---

Here's a test listing a directory from a Windows 2012 NFS server (from which RHEL also has problems mapping the names) that has files created by users from all 3 domains:

[smayhew.local@rhel6client ~]$ sudo mount -o v4.1,sec=krb5 win2012r2-3.lab.smayhew.local:/Export /mnt/t
[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 10
-rw-rw-r--. 1 amy.local domain users.local 29 Sep 26 15:22 written-by-amy
-rw-r--r--. 1 barney domain users 29 Sep 26 15:22 written-by-barney
-rw-rw-r--. 1 bart.local domain users.local 29 Sep 26 15:22 written-by-bart
-rw-rw-r--. 1 bender.local domain users.local 29 Sep 26 15:22 written-by-bender
-rw-r--r--. 1 betty domain users 29 Sep 26 15:22 written-by-betty
-rw-r--r--. 1 fred domain users 29 Sep 26 15:22 written-by-fred
-rw-rw-r--. 1 fry.local domain users.local 29 Sep 26 15:23 written-by-fry
-rw-rw-r--. 1 hermes.local domain users.local 29 Sep 26 15:22 written-by-hermes
-rw-rw-r--. 1 homer.local domain users.local 29 Sep 26 15:22 written-by-homer
-rw-rw-r--. 1 jstephen.local domain users.local 29 Sep 26 15:22 written-by-jstephen
-rw-rw-r--. 1 kif.local domain users.local 29 Sep 26 15:23 written-by-kif
-rw-rw-r--. 1 leela.local domain users.local 29 Sep 26 15:23 written-by-leela
-rw-rw-r--. 1 lisa.local domain users.local 29 Sep 26 15:22 written-by-lisa
-rw-rw-r--. 1 maggie.local domain users.local 29 Sep 26 15:22 written-by-maggie
-rw-rw-r--. 1 marge.local domain users.local 29 Sep 26 15:22 written-by-marge
-rw-rw-r--. 1 professor.local domain users.local 29 Sep 26 15:23 written-by-professor
-rw-rw-r--. 1 smayhew.local domain users.local 29 Sep 26 15:22 written-by-smayhew
-rw-r--r--. 1 wilma domain users 29 Sep 26 15:22 written-by-wilma
-rw-rw-r--. 1 zapp.local domain users.local 29 Sep 26 15:23 written-by-zapp
-rw-rw-r--. 1 zoidberg.local domain users.local 29 Sep 26 15:23 written-by-zoidberg
Unfortunately the patch doesn't help as much if the NFS server is running Ontap, since ontap only sends a single domain. For example, to start with I have the NFSv4 domain on the vserver set to 'lab.smayhew.local':

cluster1::*> vserver nfs show -vserver vs0 -fields v4-id-domain
vserver v4-id-domain
------- -----------------
vs0     lab.smayhew.local

So we're only able to map users in the 'lab.smayhew.local' domain:

[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 0
-rw-r--r--. 1 amy.local unixgroup-lab.local 29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 bender.local unixgroup-lab.local 29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 fry.local unixgroup-lab.local 29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 hermes.local unixgroup-lab.local 29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 kif.local unixgroup-lab.local 29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 leela.local unixgroup-lab.local 29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 professor.local unixgroup-lab.local 29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 zapp.local unixgroup-lab.local 29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 zoidberg.local unixgroup-lab.local 29 Sep 23 18:01 written-by-zoidberg

If I set the NFSv4 domain on the vserver to 'ad.smayhew.local':

cluster1::*> vserver nfs modify -vserver vs0 -v4-id-domain ad.smayhew.local

and clear the cached mappings on the client:

[root@rhel6client ~]# nfsidmap -c
nfsidmap: clearing '138b18d8 I--Q--- 1 perm 3f3f0000 0 0 keyring _child_1: empty'
nfsidmap: clearing '3fa99574 I------ 1 perm 1f030000 0 0 keyring .id_resolver: 1/4'

Then we're only able to map users in the 'ad.smayhew.local' domain:

[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 0
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 bart.local unixgroup-ad.local 29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 homer.local unixgroup-ad.local 29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 lisa.local unixgroup-ad.local 29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 maggie.local unixgroup-ad.local 29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 marge.local unixgroup-ad.local 29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 smayhew.local unixgroup-ad.local 29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:01 written-by-zoidberg

Likewise, if I set the NFSv4 domain on the vserver to 'smayhew.local':

cluster1::*> vserver nfs modify -vserver vs0 -v4-id-domain smayhew.local

and clear the cached mappings again:

[root@rhel6client ~]# nfsidmap -c
nfsidmap: clearing '1fd3cb96 I--Q--- 1 perm 3f3f0000 0 0 keyring _child_1: 72/72'
nfsidmap: clearing '3fa99574 I------ 1 perm 1f030000 0 0 keyring .id_resolver: 1/4'

Then we're only able to map the users in the 'smayhew.local' domain:

[smayhew.local@rhel6client ~]$ ls -l /mnt/t
total 0
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 barney unixgroup-smayhew 29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 betty unixgroup-smayhew 29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 fred unixgroup-smayhew 29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 wilma unixgroup-smayhew 29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:01 written-by-zoidberg
[smayhew.local@rhel6client ~]$
I set up a 4-node Isilon cluster and did some really basic testing and confirmed my test package helps:

[root@rhel6client ~]# mount -o v4,sec=krb5 isilon.lab.smayhew.local:/ifs /mnt/t
[root@rhel6client ~]# grep krb5 /proc/mounts
isilon.lab.smayhew.local:/ifs/ /mnt/t nfs4 rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=10.10.179.110,minorversion=0,local_lock=none,addr=10.10.180.181 0 0
[root@rhel6client ~]# ls -l /mnt/t
total 132
-rw-rw-r--. 1 bender.local unixgroup-lab.local 29 Sep 28 09:40 bender.txt
drwxrwxrwx. 3 nobody nobody 32 Sep 27 12:00 data
-rw-r--r--. 1 fred unixgroup-smayhew 29 Sep 28 09:40 fred.txt
drwxrwxr-x. 4 nobody nobody 44 Sep 27 11:55 home
-rw-rw-r--. 1 homer.local unixgroup-ad.local 29 Sep 28 09:39 homer.txt
-rw-r--r--. 1 nobody nobody 1029 Sep 27 11:55 README.txt
-rw-rw-r--. 1 smayhew.local unixgroup-ad.local 29 Sep 28 09:32 smayhew.txt

The nobody user happens to be root and the nobody group is wheel... I still need to figure out how/if we should handle local users too. Also my code triggers a segfault when the isilon sends 'localhost' as the domain (which is its default)... so I have some bugs somewhere.
So... while I was researching what packages might have dependencies on libnfsidmap, I discovered that there's an idmap plugin provided by sssd that pretty much already does what I'm trying to do. All I had to do was add "sss" to the Method line in my idmapd.conf.

[root@rhel7client ~]# egrep -v "^(#|$)" /etc/idmapd.conf
[General]
Domain = smayhew.local
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = sss,nsswitch

It seems to work well with both the Isilon and Windows servers.

[root@rhel7client ~]# mount -o v4,sec=krb5 isilon.lab.smayhew.local:/ifs /mnt/t
[root@rhel7client ~]# ls -l /mnt/t
total 514
-rw-rw-r--. 1 amy.local unixgroup-lab.local 29 Sep 29 17:15 amy.txt
-rw-r--r--. 1 barney unixgroup-smayhew 29 Sep 29 17:15 barney.txt
-rw-rw-r--. 1 bart.local unixgroup-ad.local 29 Sep 29 17:16 bart.txt
-rw-rw-r--. 1 bender.local unixgroup-lab.local 29 Sep 29 17:16 bender.txt
-rw-r--r--. 1 betty unixgroup-smayhew 29 Sep 29 17:16 betty.txt
drwxrwxrwx. 3 root wheel 32 Sep 27 12:00 data
-rw-r--r--. 1 fred unixgroup-smayhew 29 Sep 29 17:16 fred.txt
-rw-rw-r--. 1 fry.local unixgroup-lab.local 29 Sep 29 17:17 fry.txt
-rw-rw-r--. 1 hermes.local unixgroup-lab.local 29 Sep 29 17:17 hermes.txt
drwxrwxr-x. 4 root wheel 44 Sep 27 11:55 home
-rw-rw-r--. 1 homer.local unixgroup-ad.local 29 Sep 29 17:17 homer.txt
-rw-rw-r--. 1 kif.local unixgroup-lab.local 29 Sep 29 17:18 kif.txt
-rw-rw-r--. 1 leela.local unixgroup-lab.local 29 Sep 29 17:18 leela.txt
-rw-rw-r--. 1 lisa.local unixgroup-ad.local 29 Sep 29 17:18 lisa.txt
-rw-rw-r--. 1 maggie.local unixgroup-ad.local 29 Sep 29 17:18 maggie.txt
-rw-rw-r--. 1 marge.local unixgroup-ad.local 29 Sep 29 17:19 marge.txt
-rw-rw-r--. 1 professor.local unixgroup-lab.local 29 Sep 29 17:19 professor.txt
-rw-r--r--. 1 root wheel 1029 Sep 27 11:55 README.txt
-rw-rw-r--. 1 smayhew.local unixgroup-ad.local 29 Sep 29 17:19 smayhew.txt
-rw-r--r--. 1 wilma unixgroup-smayhew 29 Sep 29 17:20 wilma.txt
-rw-rw-r--. 1 zapp.local unixgroup-lab.local 29 Sep 29 17:20 zapp.txt
-rw-rw-r--. 1 zoidberg.local unixgroup-lab.local 29 Sep 29 17:20 zoidberg.txt
[root@rhel7client ~]# umount /mnt/t
[root@rhel7client ~]# mount -o v4.1,sec=krb5 win2012r2-3.lab.smayhew.local:/Export /mnt/t
[root@rhel7client ~]# nfsidmap -c
[root@rhel7client ~]# ls -l /mnt/t
total 10
-rw-rw-r--. 1 amy.local domain users.local 29 Sep 26 15:22 written-by-amy
-rw-r--r--. 1 barney domain users 29 Sep 26 15:22 written-by-barney
-rw-rw-r--. 1 bart.local domain users.local 29 Sep 26 15:22 written-by-bart
-rw-rw-r--. 1 bender.local domain users.local 29 Sep 26 15:22 written-by-bender
-rw-r--r--. 1 betty domain users 29 Sep 26 15:22 written-by-betty
-rw-r--r--. 1 fred domain users 29 Sep 26 15:22 written-by-fred
-rw-rw-r--. 1 fry.local domain users.local 29 Sep 26 15:23 written-by-fry
-rw-rw-r--. 1 hermes.local domain users.local 29 Sep 26 15:22 written-by-hermes
-rw-rw-r--. 1 homer.local domain users.local 29 Sep 26 15:22 written-by-homer
-rw-rw-r--. 1 jstephen.local domain users.local 29 Sep 26 15:22 written-by-jstephen
-rw-rw-r--. 1 kif.local domain users.local 29 Sep 26 15:23 written-by-kif
-rw-rw-r--. 1 leela.local domain users.local 29 Sep 26 15:23 written-by-leela
-rw-rw-r--. 1 lisa.local domain users.local 29 Sep 26 15:22 written-by-lisa
-rw-rw-r--. 1 maggie.local domain users.local 29 Sep 26 15:22 written-by-maggie
-rw-rw-r--. 1 marge.local domain users.local 29 Sep 26 15:22 written-by-marge
-rw-rw-r--. 1 professor.local domain users.local 29 Sep 26 15:23 written-by-professor
-rw-rw-r--. 1 smayhew.local domain users.local 29 Sep 26 15:22 written-by-smayhew
-rw-r--r--. 1 wilma domain users 29 Sep 26 15:22 written-by-wilma
-rw-rw-r--. 1 zapp.local domain users.local 29 Sep 26 15:23 written-by-zapp
-rw-rw-r--. 1 zoidberg.local domain users.local 29 Sep 26 15:23 written-by-zoidberg

Not so much w/ the Netapp...

[root@rhel7client ~]# umount /mnt/t
[root@rhel7client ~]# mount -o v4,sec=krb5 vs0.lab.smayhew.local:/vol2 /mnt/t
[root@rhel7client ~]# nfsidmap -c
[root@rhel7client ~]# ls -l /mnt/t
total 0
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:00 written-by-amy
-rw-r--r--. 1 barney unixgroup-smayhew 29 Sep 23 17:58 written-by-barney
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-bart
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:01 written-by-bender
-rw-r--r--. 1 betty unixgroup-smayhew 29 Sep 23 17:58 written-by-betty
-rw-r--r--. 1 fred unixgroup-smayhew 29 Sep 23 17:57 written-by-fred
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-fry
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:00 written-by-hermes
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:58 written-by-homer
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-kif
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-leela
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-lisa
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-maggie
-rw-r--r--. 1 nobody nobody 29 Sep 23 17:59 written-by-marge
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:02 written-by-professor
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:00 written-by-smayhew
-rw-r--r--. 1 wilma unixgroup-smayhew 29 Sep 23 17:57 written-by-wilma
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:03 written-by-zapp
-rw-r--r--. 1 nobody nobody 29 Sep 23 18:01 written-by-zoidberg
[root@rhel7client ~]# rpm -qf /usr/lib64/libnfsidmap/sss.so
sssd-common-1.13.0-40.el7_2.12.x86_64
[root@rhel7client ~]# rpm -qd sssd-common | grep idmap
/usr/share/man/man5/sss_rpcidmapd.5.gz
Created attachment 1212241 [details]
updated patch

Updated patch.

1. Moved multi domain logic into its own plugin. This allows us to fall back on the logic to strip the domain if the lookup w/ the fully-qualified name fails (I tried doing it all within the nsswitch plugin but it got too messy).
2. Added an option to work around a quirk that exists in winbind where if you do a group lookup using UPN format, the resulting group name looks a little 'weird', e.g.

-rw-rw-r--. 1 LAB\amy LAB.SMAYHEW.LOCAL\unixgroup-lab 29 Sep 29 17:15 amy.txt

instead of

-rw-rw-r--. 1 LAB\amy LAB\unixgroup-lab 29 Sep 29 17:15 amy.txt

3. Added a separate config section for the multi domain options.
4. Added documentation to both the sample idmapd.conf and the idmapd.conf(5) man page.
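To make the mapping policies discussed in this bug concrete, here is an added example. It is not libnfsidmap code and not any of Scott's attached patches; it is a small C model of the name-to-uid decision in the three variants the thread describes: the legacy nsswitch behaviour (strip the domain when it equals Domain, resolve the short name), the 'Domains'/'Domain-List' proof-of-concept above (only listed domains are valid, and the name is passed to the resolver fully qualified, so a short-name system never matches), and the updated patch's fall-back to stripping when the fully-qualified lookup fails. The in-memory passwd table, the user names with their '@' domains, the uids, and the struct/field names are constructed for the demo; the real plugin calls getpwnam()/getgrnam() and reads these knobs from idmapd.conf.

```c
/* Added example, not libnfsidmap code: a model of the name-to-uid decision for an
 * NFSv4 owner string ("user@dns_domain") under the three policies discussed in this
 * bug. The passwd table and ids are constructed; the real plugin calls getpwnam(). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NOBODY_UID  65534u
#define MAX_DOMAINS 8

/* Constructed stand-in for the NSS passwd database. */
struct fake_pw { const char *name; unsigned uid; };
static const struct fake_pw PASSWD[] = {
    { "smayhew",                1000 }, /* short name: SSSD configured for short usernames */
    { "amy@lab.smayhew.local",  2001 }, /* fully qualified: SSSD trusted-subdomain user */
    { "homer@ad.smayhew.local", 3001 },
    { NULL, 0 }
};

static int fake_getpwnam(const char *name, unsigned *uid)
{
    for (const struct fake_pw *p = PASSWD; p->name != NULL; p++)
        if (strcmp(p->name, name) == 0) { *uid = p->uid; return 0; }
    return -1;  /* no such user */
}

struct idmap_cfg {
    const char *domain;                    /* Domain = ...                            */
    const char *domain_list[MAX_DOMAINS];  /* Domain-List = a,b,c (NULL-terminated)   */
    int         fallback_strip;            /* strip and retry if the FQ lookup fails  */
};
/* Legacy: no Domain-List, so "@Domain" is stripped and the short name looked up. */
const struct idmap_cfg CFG_LEGACY = { "smayhew.local", { NULL }, 0 };
/* PoC: listed domains are looked up fully qualified; any other domain is nobody. */
const struct idmap_cfg CFG_LIST = { "smayhew.local",
    { "smayhew.local", "ad.smayhew.local", "lab.smayhew.local", NULL }, 0 };
/* Updated patch: as CFG_LIST, plus the fallback to stripping. */
const struct idmap_cfg CFG_LIST_FALLBACK = { "smayhew.local",
    { "smayhew.local", "ad.smayhew.local", "lab.smayhew.local", NULL }, 1 };

static int domain_eq(const char *a, const char *b)  /* DNS names: case-insensitive */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static int in_domain_list(const struct idmap_cfg *cfg, const char *dom)
{
    for (int i = 0; i < MAX_DOMAINS && cfg->domain_list[i] != NULL; i++)
        if (domain_eq(cfg->domain_list[i], dom))
            return 1;
    return 0;
}

/* Look owner up with its "@domain" suffix (which starts at 'at') removed. */
static int lookup_stripped(const char *owner, const char *at, unsigned *uid)
{
    char shortname[256];
    size_t n = (size_t)(at - owner);
    if (n == 0 || n >= sizeof shortname)
        return -1;
    memcpy(shortname, owner, n);
    shortname[n] = '\0';
    return fake_getpwnam(shortname, uid);
}

/* Map a fattr4_owner string to a uid; anything unmappable becomes nobody. */
unsigned name_to_uid(const struct idmap_cfg *cfg, const char *owner)
{
    const char *at = strrchr(owner, '@');
    unsigned uid;

    if (at == NULL) return NOBODY_UID;  /* not in "user@domain" form; this model gives up */

    if (cfg->domain_list[0] == NULL) {
        /* Legacy: the domain must equal Domain; only the short name is resolved. */
        if (!domain_eq(at + 1, cfg->domain) || lookup_stripped(owner, at, &uid) != 0)
            return NOBODY_UID;
        return uid;
    }
    /* Domain-List: a domain not on the list is nobody, with no lookup at all. */
    if (!in_domain_list(cfg, at + 1))
        return NOBODY_UID;
    /* Listed domain: hand the fully-qualified name to the resolver untouched. */
    if (fake_getpwnam(owner, &uid) == 0)
        return uid;
    /* PoC sharp edge: a short-name system never matches "user@domain"; the updated
     * patch retries with the domain stripped instead of giving up. */
    if (cfg->fallback_strip && lookup_stripped(owner, at, &uid) == 0)
        return uid;
    return NOBODY_UID;
}

int main(void)
{
    const char *o = "smayhew@smayhew.local";  /* the PoC sharp edge, under each policy */
    printf("%s: legacy=%u list=%u list+fallback=%u\n", o, name_to_uid(&CFG_LEGACY, o),
           name_to_uid(&CFG_LIST, o), name_to_uid(&CFG_LIST_FALLBACK, o));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run it; the one line it prints is the case the PoC comment worried about: a user that NSS only knows by short name maps under the legacy policy, drops to nobody under the pure Domain-List policy because "smayhew@smayhew.local" is handed to the resolver verbatim, and maps again once the fall-back is enabled. Users from the trusted subdomains behave the other way round: the legacy policy rejects them because the domain is not Domain, while both Domain-List policies resolve them fully qualified.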
Created attachment 1238015 [details]
final patch

Attaching the version of the patch that was merged in the upstream libnfsidmap git repo.
upstream commit

commit 4db1bb1c462389848168a4b79723a6d2ae38f422
Author: Scott Mayhew <smayhew>
Date:   Wed Dec 21 14:43:24 2016 -0500

    libnfsidmap: add options to aid id mapping in multi domain environments
(In reply to Scott Mayhew from comment #22)

Thanks, Scott,

Currently, we cannot reproduce this scenario in our environment with both RHEL 6/7 and Windows 2012R2/2016 Server, but with your test results in comment 20 and Bug 1410855, we can ensure your patch will be effective in this scenario. I will verify it with "Sanity Only" first and keep an eye on whether it reproduces during other idmap related tests.
Moved to ON_QA again, will provide more regression test results later.
We have this issue too. Again with Windows 2012 NFS servers seemingly not allowing you to set the NFSv4 domain name. The "No-Strip=both" option seems to work around this on RHEL6.9 and F25. So it would be nice to see this on RHEL7. I guess we are lucky that "user.NAME" can be resolved for us directly by NSS. Any test package out there to try?
(In reply to Colin Simpson from comment #30)

Hi, Colin,

> We have this issue too. Again with Windows 2012 NFS servers seemingly not
> allowing you to set the NFSv4 domain name.

Did you choose a Windows node as an NFS Server or just include it as an AD DC?

> Any test package out there to try?

You can try to include the patch listed in the Attachment field of this Bug if you need to try this function, feel free to get down to me if I can offer more help.

Thanks,
ChunYu Wang
(In reply to ChunYu Wang from comment #31)
> (In reply to Colin Simpson from comment #30)
> Hi, Colin,
>
> > We have this issue too. Again with Windows 2012 NFS servers seemingly not
> > allowing you to set the NFSv4 domain name.
>
> Did you choose a Windows node as an NFS Server or just include it as an AD
> DC?

All our Linux systems are joined to AD for Authentication and Directory Services. The windows machine we use for NFS is a member server of the domain. We have however a multidomain environment.

> > Any test package out there to try?
>
> You can try to include the patch listed in the Attachment field of this Bug
> if you need to try this function, feel free to get down to me if I can offer
> more help.
>
> Thanks,
> ChunYu Wang

The patch isn't really the issue for testing. As we can see these new flags working for us on RHEL 6.9 and Fedora 25 clients to this Windows 2012R2 NFS server. So we really just need a release on RHEL7 to allow us to deploy NFSv4 from Windows 2012 (currently using NFSv3).
Hi Yongcheng,

I believe it would just be a matter of enabling the RHEL 7 Beta RPMs repo:

# subscription-manager repos --enable rhel-7-server-beta-rpms

The latest version (libnfsidmap-0.25-17.el7.x86_64.rpm) is available for direct download at the link below, but I'm not sure if you will need to resolve dependencies in your environment:

https://access.redhat.com/downloads/content/69/ver=/rhel---7/7.4%20Beta/x86_64/packages

So enabling the Beta RPMs repo and downloading from there would be the better solution, but I'll include that rpm in case 01699716 in case just that one package works.

Take care,
Jo Vilicic
irc: jo -- jvilicic
TSE -- IdM -- 919-754-4951
(In reply to Steve Dickson from comment #18)

One more upstream commit is merged into Release 17:

commit ba7daebba65dc4b1adfac9c8c61f373d6c394673
Author: Scott Mayhew <smayhew>
Date:   Wed Feb 8 08:40:38 2017 -0500

    nss_gss_princ_to_ids() and nss_gss_princ_to_grouplist() must strip the realm
Moving to VERIFIED again according to comment #23 as we are finishing 7.4 now. Please open another bug for anything new. Thanks in advance.
I'm confused. Has this fix made it into RHEL7.4?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1857