View Issue Details

ID: 0015912
Project: CentOS-7
Category: nfs-utils
View Status: public
Last Update: 2019-03-13 13:31
Reporter: mabarkdoll
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 7.6.1810
Target Version:
Fixed in Version:
Summary: 0015912: Kerberos NFSv4 client files owned by nobody 4294967294 nfsidmap issue
Description:
Env: CentOS 7 NFS Server, CentOS 7 NFS Client both joined to Active Directory with realmd and sssd work properly with an nfsv4 share.

However, my Debian and Ubuntu nfs clients are showing files owned by nobody and group 4294967294.

On the Debian client I see the following in /var/log/syslog:
$ cat /var/log/syslog |grep nfsidmap
Mar 8 16:38:34 ubuntuclient nfsidmap[24736]: key: 0x24a1c64d type: uid value: userY@xx.xx.edu@XX.XX.EDU timeout 600
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname '(null)'
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' does not map into domain 'XX.XX.EDU'
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: final return value is -22
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling nsswitch->name_to_uid

I've been trying to figure out the issue with the user not mapping into a domain. The best I could find was a Bugzilla report in Red Hat about nss_getpwnam:
https://bugzilla.redhat.com/show_bug.cgi?id=1491030
https://pagure.io/SSSD/sssd/issue/3535

Somehow I think these are related, but I'm not certain. I don't know how they did their My issue is that on a debian/ubuntu client the nfs server chown test.

For clarity:
uid and gid appear to not map properly from nfsidmap in a nfsv4 with sec=krb5 from debian based client to centos server. UID and GID are mapping properly on CentOS server and CentOS client. Ubuntu nfs client file permissions are honored, but display in `ls -lan` command are incorrect.
Steps To Reproduce:
1. Join the same active directory realmd on a centos 7 nfs server.
2. Join the same active directory realmd on debian/ubuntu nfs client.

3. On the client mount the server's Kerberos nfs share.
$
$ mount -v -t nfs4 -o sec=krb5 SP19SRV.XX.XX.EDU:/export /mnt
$ su userX
$ ls -la /mnt
total 4
drwxr-xr-x 5 nobody 4294967294 50 Feb 28 18:04 .
drwxr-xr-x 24 root root 4096 Mar 7 22:34 ..
drwxr-xr-x 2 nobody 4294967294 125 Mar 8 16:27 userX
$

Additional Information:
$ cat /etc/idmapd.conf

[General]

Verbosity = 9
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
Domain = XX.XXX.EDU

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

---
$ cat /etc/default/nfs-common
STATDOPTS=
NEED_GSSD="yes"
NEED_IDMAPD="yes"
# I've tried commenting out NEED_IDMAPD as well.
# I manually created the following file with ktutil to just have nfs lines.
RPCGSSDARGS="-k /etc/nfs.keytab"
# I've tried with and without the above line (this was shown from redhat documentation)
---
[sssd]
domains = xx.xx.edu
config_file_version = 2
services = nss, pam
default_domain_suffix = XX.XX.EDU

[domain/xx.xx.edu]
ad_domain = xx.xx.edu
krb5_realm = XX.XX.EDU
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
# Use the following for campus-wide linux machines
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

#subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
#ignore_group_members = True
#ldap_purge_cache_timeout = 0
#re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))


Tags: No tags attached.
abrt_hash:
URL:
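
An added example, not part of the original report or of nfs-utils: a small Python parser that groups nfsidmap syslog lines like those quoted above by PID and lists the lookups that ended with a non-zero return code. The sample log is constructed from the lines in the report; the `userZ` request with `returned 0` is an assumed success case added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the nfsidmap lines quoted in the report.
SAMPLE_LOG = """\
Mar 8 16:38:34 client nfsidmap[24736]: key: 0x24a1c64d type: uid value: userX@xx.xx.edu@XX.XX.EDU timeout 600
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' domain 'XX.XX.EDU': resulting localname '(null)'
Mar 8 16:38:34 client nfsidmap[24736]: nss_getpwnam: name 'userX@xx.xx.edu@XX.XX.EDU' does not map into domain 'XX.XX.EDU'
Mar 8 16:38:34 client nfsidmap[24736]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar 8 16:38:35 client nfsidmap[24740]: key: 0x1b2c3d4e type: uid value: userZ@XX.XX.EDU timeout 600
Mar 8 16:38:35 client nfsidmap[24740]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
"""

LINE = re.compile(r"nfsidmap\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KEY = re.compile(r"key: \S+ type: (?P<type>\w+) value: (?P<name>\S+) timeout")
NOMAP = re.compile(r"name '(?P<name>[^']+)' does not map into domain '(?P<domain>[^']+)'")
RET = re.compile(r"nsswitch->name_to_\w+ returned (?P<rc>-?\d+)")


def find_mapping_failures(log_text):
    """Return one dict per nfsidmap request (grouped by PID) whose lookup returned non-zero."""
    requests = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an nfsidmap line
        req, msg = requests[m["pid"]], m["msg"]
        if k := KEY.search(msg):
            req.update(type=k["type"], name=k["name"])
        elif n := NOMAP.search(msg):
            req.update(name=n["name"], domain=n["domain"])
        elif r := RET.search(msg):
            req["rc"] = int(r["rc"])
    failures = []
    for pid, req in requests.items():
        if req.get("rc", 0) == 0:
            continue  # lookup succeeded or never reported a result
        # Flag names with more than one '@', the shape seen in the report's failing lookups.
        req.update(pid=int(pid), double_qualified=req.get("name", "").count("@") > 1)
        failures.append(req)
    return failures


if __name__ == "__main__":
    for failure in find_mapping_failures(SAMPLE_LOG):
        print(failure)
```

To use it on a client, pass the contents of the syslog file instead of `SAMPLE_LOG`; the verbose lines only appear with `Verbosity` raised in /etc/idmapd.conf, as in the configuration shown above.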

Activities

mabarkdoll

2019-03-13 13:23

reporter   ~0033993

This ended up being an issue with libnfsidmap2 package on the debian based machines not having v0.26. This bug can be closed.

tigalch

2019-03-13 13:31

manager   ~0033994

Closing per reporter's feedback

Issue History

Date Modified Username Field Change
2019-03-11 19:48 mabarkdoll New Issue
2019-03-13 13:23 mabarkdoll Note Added: 0033993
2019-03-13 13:31 tigalch Status new => closed
2019-03-13 13:31 tigalch Resolution open => no change required
2019-03-13 13:31 tigalch Note Added: 0033994