Bug 1662524 - Fail to open session "System error" when run command with a NIS user since distro RHEL-8.0-20181204.0
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nfs-utils
Version: 8.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Steve Dickson
QA Contact: Yongcheng Yang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-12-29 09:19 UTC by Yongcheng Yang
Modified: 2019-01-07 08:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-07 08:26:32 UTC
Type: Bug
Target Upstream Version:



Description Yongcheng Yang 2018-12-29 09:19:04 UTC
Description of problem:
Our nfs-over-nis case started to fail after RHEL-8.0-20181120.0 (sorry for the late report). It might be due to package libnfsidmap (changing from 2.3.3-7.el8 to 2.3.3-8.el8), which has already been merged into nfs-utils (via Bug 1611343) now.

Version-Release number of selected component (if applicable):
since libnfsidmap-2.3.3-8.el8
      (nfs-utils-2.3.3-8.el8)

How reproducible:
always

Steps to Reproduce:
1. config as nis client
2. touch a file using nis-user

Actual results:
[05:23:42 root@ ~~]# id nis5000
uid=5000(nis5000) gid=5000(nis5000) groups=5000(nis5000)
[05:24:42 root@ ~~]# grep ^[^#] /etc/idmapd.conf
[General]
Domain = rhts.eng.bos.redhat.com
[Mapping]
[Translation]
 
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu
[05:24:42 root@ ~~]# service_rpcidmapd restart
Redirecting to /bin/systemctl restart nfs-idmapd.service
[05:24:43 root@ ~~]# mount -vvv kvm-02-guest23.rhts.eng.bos.redhat.com:/exports/home /mnt/nfs-nis-idmap
mount.nfs: timeout set for Fri Dec 28 05:26:43 2018
mount.nfs: trying text-based options 'vers=4.2,addr=10.16.68.129,clientaddr=10.16.68.131'
[05:24:43 root@ ~~]# su nis5000 --session-command=" touch /mnt/${TESTNAME}/foo-${TESTNAME}-client "
su: cannot open session: System error
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[05:24:43 root@ ~~]# echo $?
1

Expected results:
succeed to touch file


Additional info:
N/A

Comment 1 Yongcheng Yang 2018-12-29 13:30:41 UTC
Sorry, looks like it isn't due to libnfsidmap.
Just found that this test case is:
- good in RHEL-8.0-20181120.0
- fail in RHEL-8.0-20181204.0 (and ever since)

As:

# https://beaker.engineering.redhat.com/jobs/3264835
- pass on nfs server with RHEL-8.0-20181120.0
- fail on nfs client with RHEL-8.0-20181204.0

# https://beaker.engineering.redhat.com/jobs/3264828
- fail on nfs server with RHEL-8.0-20181204.0
- pass on nfs client with RHEL-8.0-20181120.0

> Version-Release number of selected component (if applicable):
> since libnfsidmap-2.3.3-8.el8
>       (nfs-utils-2.3.3-8.el8)

Please ignore above info.

But curiously I can't find any related packages which are different between the 2 distros:
- packages within RHEL-8.0-20181120.0:
	libnfsidmap-2.3.3-7.el8.x86_64
	libsss_idmap-2.0.0-23.el8.x86_64
	libtirpc-1.1.4-3.el8.x86_64
	nfs-utils-2.3.3-7.el8.x86_64
	rpcbind-1.2.5-3.el8.x86_64
	yp-tools-4.2.3-1.el8.x86_64
	ypbind-2.5-2.el8.x86_64
	ypserv-4.0-6.20170331git5bfba76.el8.x86_64
- packages within RHEL-8.0-20181204.0
	libnfsidmap-2.3.3-7.el8.x86_64
	libsss_idmap-2.0.0-23.el8.x86_64
	libtirpc-1.1.4-3.el8.x86_64
	nfs-utils-2.3.3-7.el8.x86_64
	rpcbind-1.2.5-3.el8.x86_64
	yp-tools-4.2.3-1.el8.x86_64
	ypbind-2.5-2.el8.x86_64
	ypserv-4.0-6.20170331git5bfba76.el8.x86_64

That's why I thought it's the testcase problem at first.

But as I can reliably reproduce this issue, please help to check it when available.

Comment 4 Steve Dickson 2019-01-04 16:29:21 UTC
I am not able to reproduce but there were a few things 
I had to do to get it working.

1) added a '+' in /etc/passwd 
2) add 'nis' to the passwd line in /etc/nsswitch.conf
   since it is not there by default anymore.
   
Although I do see some errors when I su to nisuser
I am able to create files:

rhel8# mount -vvv rhel7:/home/nisuser /home/nisuser
mount.nfs: timeout set for Fri Jan  4 11:26:40 2019
mount.nfs: trying text-based options 'vers=4.2,addr=172.31.1.4,clientaddr=172.31.1.24'

rhel8# su nisuser
id: cannot find name for group ID 5000
id: cannot find name for user ID 5000

rhel8# touch /home/nisuser/foobar
rhel8# rm /home/nisuser/foobar

What am I missing?

Comment 5 Yongcheng Yang 2019-01-07 08:26:32 UTC
(In reply to Steve Dickson from comment #4)
Hi Steve,
I can only reproduce this failure on the beaker but I can't reproduce it by hand.

Curiously even on the same machines I still cannot trigger it manually, e.g.
It fails as beaker job: https://beaker.engineering.redhat.com/jobs/3275712
Reserved the machines immediately, then tried on the NFS client side:

[09:03:57 root@ ~~]# grep -E "^passwd|^shadow|^group|^hosts" /etc/nsswitch.conf
group:      files nis systemd
hosts:      files nis dns myhostname
passwd:     files nis systemd
shadow:     files nis
[09:03:57 root@ ~~]# cat /etc/yp.conf
domain KVM-01-GUEST08.LAB.ENG.BRQ.REDHAT.COM server kvm-01-guest08.lab.eng.brq.redhat.com
[09:03:57 root@ ~~]# grep ^[^#] /etc/idmapd.conf
[General]
Domain = lab.eng.brq.redhat.com
[Mapping]
[Translation]
 
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu
[09:03:58 root@ ~~]# service_rpcidmapd restart
Redirecting to /bin/systemctl restart nfs-idmapd.service
[09:03:58 root@ ~~]# mount -vvv kvm-02-guest17.rhts.eng.brq.redhat.com:/exports/home /mnt/nfs-nis-idmap
mount.nfs: timeout set for Mon Jan  7 09:05:58 2019
mount.nfs: trying text-based options 'vers=4.2,addr=10.37.153.91,clientaddr=10.37.153.136'
[09:03:58 root@ ~~]# mount | grep ${NFS_SERVER}
kvm-02-guest17.rhts.eng.brq.redhat.com:/exports/home on /mnt/nfs-nis-idmap type nfs4 (rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.37.153.136,local_lock=none,addr=10.37.153.91)
[09:03:58 root@ ~~]# ls -l /mnt/${TESTNAME}
total 0
-rw-------. 1 nis5000 nis5000 0 Jan  7 09:03 foo-nfs-nis-idmap
[09:03:58 root@ ~~]# su nis5000 --session-command=" touch /mnt/${TESTNAME}/foo-${TESTNAME}-client "
                    ^^^^^^^^^^^^ failed before in the beaker job
[09:03:59 root@ ~~]# ls -l /mnt/${TESTNAME}
total 0
-rw-------. 1 nis5000 nis5000 0 Jan  7 09:03 foo-nfs-nis-idmap
-rw-------. 1 nis5000 nis5000 0 Jan  7 09:03 foo-nfs-nis-idmap-client
[09:03:59 root@ ~~]# umount /mnt/nfs-nis-idmap
[09:05:59 root@ ~~]# 
[09:05:59 root@ ~~]# grep DISTRO /etc/motd
                           DISTRO=RHEL-8.0-20181204.0
[09:05:59 root@ ~~]# hostname
kvm-01-guest23.lab.eng.brq.redhat.com
[09:05:59 root@ ~~]# 

> I am not able to reproduce but there were a few things 
> I had to do to get it working.
> 
> 1) added a '+' in /etc/passwd 

I don't know what '+' means here.

> 2) add 'nis' to the passwd line in /etc/nsswitch.conf
>    since it is not there by default anymore.

The 'nis' should have been added successfully by 'authconfig' as the output:
~~~
# nisServ=kvm-01-guest08.lab.eng.brq.redhat.com
# nisDomain=KVM-01-GUEST08.LAB.ENG.BRQ.REDHAT.COM
# authconfig --nostart --updateall --enablenis --nisdomain=$nisDomain --nisserver=$nisServ
Running authconfig compatibility tool.
The purpose of this tool is to enable authentication against chosen services with authselect and minimum configuration. It does not provide all capabilities of authconfig.

IMPORTANT: authconfig is replaced by authselect, please update your scripts.
See man authselect-migration(7) to help you with migration to authselect

Executing: /usr/bin/authselect check
Executing: /usr/bin/authselect select nis --force
Executing: /usr/sbin/setsebool -P allow_ypbind 1
Executing: /usr/bin/systemctl enable rpcbind.service
Executing: /usr/bin/systemctl enable ypbind.service
~~~

Now I tend to believe it's the testcase's issue. Just closing it for now.
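
A check for the nsswitch.conf prerequisite discussed in comments 4 and 5, as an added example that is not part of the bug thread or of any Red Hat tooling: it lists the NSS databases whose line does not name the `nis` source. The function name `nis_missing` and the sample file content are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the bug report): list NSS databases whose
# nsswitch.conf line does not name the "nis" source.

# nis_missing FILE DB...
# Prints the space-separated DBs with no "nis" source; returns 1 if any.
# Only the literal "nis" source is recognised; compat-mode '+' entries in
# /etc/passwd (comment 4, step 1) are not evaluated.
nis_missing() {
    file=$1; shift
    missing=""
    for db in "$@"; do
        if ! awk -v key="${db}:" '
            { sub(/#.*/, "") }                       # strip trailing comments
            $1 == key { for (i = 2; i <= NF; i++) if ($i == "nis") ok = 1 }
            END { exit (ok ? 0 : 1) }' "$file"
        then
            missing="$missing $db"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: passwd and group consult NIS, shadow and hosts do not.
# The shadow line mentions nis only inside a comment, which must not count.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed nsswitch.conf fragment
passwd:     files nis systemd
group:      files nis systemd   # nis added
shadow:     files               # nis removed
hosts:      files dns myhostname
EOF

if result=$(nis_missing "$sample" passwd group shadow); then
    echo "all requested databases consult nis"
else
    echo "no nis source for: $result"
fi
```

Run against the real file as `nis_missing /etc/nsswitch.conf passwd group shadow` before and after the authconfig/authselect step to confirm the change actually landed.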

