kernel-packages team mailing list archive

Thread
Date
[Bug 1124250] Re: Partially incorrect uid mapping with nfs4/idmapd/ldap-auth

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Dave Chiluk <1124250@xxxxxxxxxxxxxxxxxx>
Date: Mon, 29 Sep 2014 20:11:22 -0000
Reply-to: Bug 1124250 <1124250@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
The ubuntu kernel uses the same values as the upstream kernel in regards
to these values.  They are tunable for exactly this kind of case.

I brought this case up with the Ubuntu Kernel team, and unfortunately
due to the fact that this could potentially be used in a memory-
exhaustion, denial of service type attack we will not be changing from
the default values.  That being said if the mainline kernel decides to
change the defaults we would definitely consider following mainline.
For most machines raising these default values isn't an issue.  However
since Ubuntu is so prevalent in virtualized environments where memory is
more restricted we will not be changing these values.

If you feel strongly that these values need to be changed please pursue
with the mainline linux maintainers.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1124250

Title:
  Partially incorrect uid mapping with nfs4/idmapd/ldap-auth

Status in “linux” package in Ubuntu:
  Confirmed
Status in “nfs-utils” package in Ubuntu:
  Confirmed
Status in “linux” source package in Trusty:
  Won't Fix
Status in “nfs-utils” source package in Trusty:
  New
Status in “linux” source package in Utopic:
  Won't Fix
Status in “nfs-utils” source package in Utopic:
  Confirmed
Status in “nfs-utils” package in Debian:
  Incomplete
Status in Fedora:
  Unknown

Bug description:
  I'm running a nfs4 server exporting a directory /home (ext4,usrquota). This server is running Ubuntu 12.04 amd64(up-to-date). This directory is handling 662 homedirs for ldap authenticated users.
  /etc/exports is :
  /exports  192.168.0.0/24(rw,fsid=0,no_subtree_check)

  Important lines in /etc/idmapd.conf :
  domain=my-domain.org

  [Translation]
  Method=nsswitch.

  In /etc/default/nfs-common :
  NEED_IDMAPD=yes

  In /etc/default/nfs-kernel-server :
  RPCNFSDCOUNT=75
  RPCMOUNTDOPTS=--manage-gids

  2 Clients (rhel6 x86 & Ubuntu 12.04.2 i686) are mounting this nfs4 exported directory with no problems :
  When doing ls -l /home on this clients, I have :
  ...
  drwx------   4 user100 oldusers     4096 sept. 21  2011 user100
  drwx------   4 user101 oldusers     4096 sept. 21  2011 user101
  drwx------  37 user102 oldusers     4096 oct.   1 19:06 user102
  drwx------  36 user103 users        4096 fÃ©vr. 5 21:08 user103
  drwx------  36 user104 users        4096 fÃ©vr. 8 14:03 user104
  drwx------  30 user105 users        4096 fÃ©vr. 4 18:01 user105
  drwx------  28 user106 oldusers     4096 oct.   5  2011 user106
  drwx------  37 user107 oldusers     4096 janv.  8 14:52 user107
  drwx------  31 user108 users        4096 dÃ©c.  4 11:52 user108
  drwx------   4 user109 oldusers     4096 sept. 21  2011 user109
  drwx--x--x  45 user110 oldusers     4096 janv. 22 15:53 user109
  drwx------  31 user111 users        4096 janv. 29 12:03 user110
  ...
  uid/gid mapping works fine, authldap works fine, ...

  All Clients running Ubuntu 12.10 i686  or  Ubuntu 12.10 amd64 are experiencing the same problem :
  The config files are the same that used in ubuntu 12.04.
  Auth ldap is correctly configured, user can log in.

  This is the /etc/fstab entry for /home :
  192.168.0.1:/     /home     nfs      rw,nfsvers=4     0  0

  Important lines in /etc/idmapd.conf :
  domain=my-domain.org
  [Translation]
  Method=nsswitch

  In /etc/default/nfs-common :
  NEED_IDMAPD=yes

  /etc/nsswitch.conf is :
  passwd: files ldap
  group: files ldap
  shadow: files ldap

  When doing ls -l /home there is a strange problem :

  drwx------   4 4294967294 oldusers     4096 sept. 21  2011 user100
  drwx------   4 user101    oldusers     4096 sept. 21  2011 user101
  drwx------  37 user102    oldusers     4096 oct.   1 19:06 user102
  drwx------  36 4294967294 users        4096 fÃ©vr. 5 21:08 user103
  drwx------  36 4294967294 users        4096 fÃ©vr. 8 14:03 user104
  drwx------  30 4294967294 users        4096 fÃ©vr. 4 18:01 user105
  drwx------  28 4294967294 oldusers     4096 oct.   5  2011 user106
  drwx------  37 4294967294 oldusers     4096 janv.  8 14:52 user107
  drwx------  31 4294967294 users        4096 dÃ©c.  4 11:52 user108
  drwx------   4 user109    oldusers     4096 sept. 21  2011 user109
  drwx--x--x  45 4294967294 oldusers     4096 janv. 22 15:53 user110
  drwx------  31 4294967294 users        4096 janv. 29 12:03 user111

  for  571 homedirs (this number varies at each reboot)/662, the owner is the value 4294967294. For the  91 remaining homedirs,
  the owner is correct. The gidnumber is correctly mapped for all (only  5 differents values used for gidNumber).

  In /var/log/syslog, I can see :

  For example : user110 is mapped as 4294967294.
  but the command "id user110" returns :
  uid=31124(user110) gid=666(oldusers) groupes=666(oldusers)

  user110 logs in (auth ldap) from tty1. He runs "ls -l /home/user110/"
  :

  drwxr-xr-x 8 4294967294 oldusers 4096 janv. 19  2012 Bureau
  drwxr-xr-x 3 4294967294 oldusers 4096 dÃ©c.   2  2011 Documents
  drwxr-xr-x 2 4294967294 oldusers 4096 dÃ©c.   2  2011 Images

  Then, he runs "touch /home/user110/test" :

  drwxr-xr-x 8 4294967294 oldusers 4096 janv. 19  2012 Bureau
  drwxr-xr-x 3 4294967294 oldusers 4096 dÃ©c.   2  2011 Documents
  drwxr-xr-x 2 4294967294 oldusers 4096 dÃ©c.   2  2011 Images
  drwxr-xr-x 2 4294967294 oldusers    0 fÃ©vr. 13 16:01 test

  On the nfs server, If i do a ls -l in the same directory  :

  drwxr-xr-x 8 user110 oldusers 4096 janv.  19  2012 Bureau
  drwxr-xr-x 3 user110 oldusers 4096 dÃ©c.   2  2011 Documents
  drwxr-xr-x 2 user110 oldusers 4096 dÃ©c.   2  2011 Images
  drwxr-xr-x 2 user110 oldusers    0 fÃ©vr. 13 16:01 test

  I can see that the "test" file is owned by the correct user.

  I've tried without & with nscd, same results.
  I've tried using sssd, libnss-sss & pam_sss for ldap auth and having exactly the same results :

  In /var/log/syslog, I have :
  ...
  rpc.idmapd[561]: nss_getpwnam: name 'user109@xxxxxxxxxxxxx' domain 'my-domain.org': resulting localname 'user109'
  rpc.idmapd[561]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
  rpc.idmapd[561]: nfs4_name_to_uid: final return value is 0
  rpc.idmapd[561]: Client 0: (user) name "user109@xxxxxxxxxxxxx" -> id "55101"
  rpc.idmapd[561]: nfs4_name_to_uid: calling nsswitch->name_to_uid
  rpc.idmapd[561]: nss_getpwnam: name 'user102@xxxxxxxxxxxxx' domain 'my-domain.org': resulting localname 'user102'
  rpc.idmapd[561]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
  rpc.idmapd[561]: nfs4_name_to_uid: final return value is 0
  rpc.idmapd[561]: Client 0: (user) name "user102@xxxxxxxxxxxxx" -> id "55199"
  ...
  only for the correctly mapped entries. No warnings or errors (rate limit disabled in rsyslog.conf) and verbosity set to 5 in idmapd.conf. It seems that rpc.idmapd never does mapping for other entries.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1124250/+subscriptions