Bug 1466109 - [GSS] idmapper is squashing uid to some random uid in nfs-ganesha [NEEDINFO]
[GSS] idmapper is squashing uid to some random uid in nfs-ganesha
Status: ASSIGNED
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: nfs-ganesha (Show other bugs)
3.2
All All
medium Severity medium
: ---
: ---
Assigned To: Kaleb KEITHLEY
surabhi
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-29 01:07 EDT by Riyas Abdulrasak
Modified: 2017-12-20 08:34 EST (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
bkunal: needinfo? (psony)


Attachments (Terms of Use)

  None (edit)
Description Riyas Abdulrasak 2017-06-29 01:07:29 EDT
Description of problem:

idmapper is not properly mapping uids when nfsv4(nfs-ganesh) is used in RHGS 3.2. 

The "Domain" mentioned in idmap.conf is same on both the client and the server. 

Version-Release number of selected component (if applicable):

RHGS 3.2
libnfsidmap-0.25-15.el7.x86_64

How reproducible:

Reproducible at customer environment


Steps to Reproduce:
1. Setup a nfs-ganesha cluster
2. Kerberize nfs-ganesha 
3. Mount the share on client and create files using a domain user

Actual results:

The uids getting squashed to an unknown uid


Expected results:

uids should be mapped correctly. 


Additional info:

- We have collected NFS ganesha debug logs, configuration files and the tcpdump. I will attach these to bz. 

- A snip from the logs 

~~~~
29/06/2017 11:30:04 : epoch 54100000 : server.example.com : ganesha.nfsd-86527[work-46] nfs_req_creds :ID MAPPER :WARN :Could not map principal user1@example.com to uid
29/06/2017 11:30:04 : epoch 54100000 : server.example.com : ganesha.nfsd-86527[work-46] xdr_encode_nfs4_princ :ID MAPPER :INFO :nfs4_uid_to_name failed with code -2.
29/06/2017 11:30:04 : epoch 54100000 : server.example.com : ganesha.nfsd-86527[work-46] xdr_encode_nfs4_princ :ID MAPPER :INFO :Lookup for -2 failed, using numeric owner
29/06/2017 11:30:04 : epoch 54100000 : server.example.com : ganesha.nfsd-86527[work-46] xdr_encode_nfs4_princ :ID MAPPER :INFO :nfs4_gid_to_name failed with code -2
~~~~

- getent passwd user is properly giving uid from the client and the server. 

- "rpc.idmapd -f -vv" gives the same  domain name on both the nodes.
Comment 11 Frank Filz 2017-06-30 09:21:06 EDT
What are the respective idmapd.conf files? These issues are almost always something not right in idmapd.conf.

Is idmapd running on both client and server?

Any error logs from idmapd?

If absolutely necessary we can turn on Ganesha logging for idmapping, and also collect tcpdump of some simple operations, but most likely we can solve the problem by having the idmapd.conf files.
Comment 16 Frank Filz 2017-07-05 13:10:33 EDT
Hmm, I can't tell what credentials are in the kerberos ticket. That would be another thing to check since the ownership of a created file depends on the credentials the request comes in with (so that's actually before idmapping).
Comment 26 Daniel Gryniewicz 2017-07-24 09:55:21 EDT
use_getpwnam is false, so principal2uid() will always fail.  Try setting UseGetpwnam to true?
Comment 27 Daniel Gryniewicz 2017-07-24 09:57:26 EDT
Hmmm... I think that check should only be used if NFSIDMAP isn't in use, but it appears to be in use all the time.
Comment 37 Daniel Gryniewicz 2017-08-02 10:02:23 EDT
Did the customer try all settings being the same case?
Comment 38 Kaleb KEITHLEY 2017-08-16 08:50:24 EDT
need reproducer, unable to reproduce locally.
Comment 39 Prerna Sony 2017-09-08 06:18:00 EDT
@Kaleb, I am trying to reproduce this issue , but facing problems in creating this environment only. 

Do we need any further info/logs from customer?
Since it is getting very delayed, can we go on remote session with customer for live debugging if customer agrees , sometimes early next week?
Comment 40 Kaleb KEITHLEY 2017-09-08 07:58:27 EDT
I can join a call if necessary. Not sure I can add anything atm though.

Mike Flannery and John Call have been exchanging emails with Frank Filz about idmapping.

You need to install and run idmapd on all the systems and use the same config on the server and all the clients.

Maybe Mike can shed some light on the subject after his recent experiments?

Note You need to log in before you can comment on or make changes to this bug.