Short problem description
This question is about id mapping in NFSv4 going wrong.
NFS server: a Synology DS, with DSM 5.2.
Client: A regular FC22 machine, which automounts as /home one of the exported folders from above.
Both machines are enrolled clients of a freeIPA domain, therefore using the freeIPA server as DNS and LDAP server.
When an LDAP user logs in to the client, the mounted folder is there. So the mount works.
However, the ownership of the files is mapped as nobody:nobody. I know this "nobody issue" is not new, but none of the solutions I found so far solves it.
LDAP user login and file touch
$ ssh ldapuser1@client1
ldapuser1@client1's password:
-bash-4.3$ id
uid=1172000004(ldapuser1) gid=1172000004(ldapuser1) groups=1172000004(ldapuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
ldapuser1 can log in correctly and has uid 1172000004.
-bash-4.3$ pwd
/home/ldapuser1
-bash-4.3$ ls -lan
total 8
drwxrwxrwx. 2 1172000004 1172000004 4096 18 aug 17:34 .
drwxr-xr-x. 3 0 0 0 18 aug 18:33 ..
The LDAP user lands correctly in his home directory, previously created and assigned to him. But any new file gets the wrong ownership:
-bash-4.3$ touch a
-bash-4.3$ ls -lan
total 8
drwxrwxrwx. 2 1172000004 1172000004 4096 18 aug 18:41 .
drwxr-xr-x. 3 0 0 0 18 aug 18:33 ..
-rwxrwxrwx. 1 99 100 0 18 aug 18:42 a
Note that 99:100 is guest:users on the server. The file idmapd.conf on the server is configured to map nobody:nobody to guest:users.
Server configuration
$ exportfs -v
/volume1/shared_homes xxx.xxx.0.0/24(rw,async,no_root_squash,no_subtree_check,insecure_locks,anonuid=1025,anongid=100,sec=krb5,rw,no_root_squash,no_all_squash)
$ klist -k /etc/nfs/krb5.keytab
Keytab name: FILE:/etc/nfs/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 nfs/nfs-server.hq.example.com@HQ.EXAMPLE.COM
5 nfs/nfs-server.hq.example.com@HQ.EXAMPLE.COM
5 nfs/nfs-server.hq.example.com@HQ.EXAMPLE.COM
5 nfs/nfs-server.hq.example.com@HQ.EXAMPLE.COM
$ cat /etc/idmapd.conf
[General]
Domain=hq.example.com
Verbosity=10
[Mapping]
Nobody-User=guest
Nobody-Group=users
[Translation]
Method=nsswitch
GSS-Methods=static,synomap
[Static]
$ cat /etc/nsswitch.conf
passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind
hosts: files dns wins
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files
Client configuration
$ automount -s
Mount point: /home
source(s):
instance type(s): sss
map: auto.home
* | -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 nfs-server.hq.example.com:/volume1/shared_homes/&
$ df
nfs-server.hq.example.com:/volume1/shared_homes/ldapuser1 11609721368 2208608120 9400994464 20% /home/ldapuser1
$ cat /etc/idmapd.conf
[General]
Domain=hq.example.com
$ cat /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
sudoers: files sss
$ cat /etc/sysconfig/nfs | egrep -v "^#"
RPCNFSDARGS=""
RPCMOUNTDOPTS=""
STATDARG=""
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
RPCGSSDARGS="-vvv"
GSS_USE_PROXY="yes"
RPCSVCGSSDARGS="-vvv"
BLKMAPDARGS=""
SECURE_NFS=yes
LOGS Server
Aug 18 18:50:59 nfs-server idmapd[14622]: nfsdcb: authbuf=gss/krb5 authtype=user
Aug 18 18:50:59 nfs-server idmapd[14622]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Aug 18 18:50:59 nfs-server idmapd[14622]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Aug 18 18:50:59 nfs-server idmapd[14622]: nfs4_uid_to_name: final return value is 0
Aug 18 18:50:59 nfs-server idmapd[14622]: Server : (user) id "1173000004" -> name "ldapuser1@hq.example.com"
Aug 18 18:50:59 nfs-server idmapd[14622]: nfsdcb: authbuf=gss/krb5 authtype=group
Aug 18 18:50:59 nfs-server idmapd[14622]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Aug 18 18:51:00 nfs-server idmapd[14622]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Aug 18 18:51:00 nfs-server idmapd[14622]: nfs4_gid_to_name: final return value is 0
Aug 18 18:51:00 nfs-server idmapd[14622]: Server : (group) id "1173000004" -> name "ldapuser1@hq.example.com"
Note that mappings seem to be requested for the correct user/domain. In the log, however, I also found many references to mappings of root@hq.example.com and guest@hq.example.com.
LOGS Client
aug 18 18:50:59 client1.hq.example.com nfsidmap[2118]: key: 0x274d13a5 type: uid value: ldapuser1@hq.example.com timeout 600
aug 18 18:50:59 client1.hq.example.com nfsidmap[2118]: nfs4_name_to_uid: calling nsswitch->name_to_uid
aug 18 18:50:59 client1.hq.example.com nfsidmap[2118]: nss_getpwnam: name 'ldapuser1@hq.example.com' domain 'hq.example.com': resulting localname 'ldapuser1'
aug 18 18:50:59 client1.hq.example.com nfsidmap[2118]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
aug 18 18:50:59 client1.hq.example.com nfsidmap[2118]: nfs4_name_to_uid: final return value is 0
aug 18 18:50:59 client1.hq.example.com nfsidmap[2120]: key: 0x3e28949 type: gid value: ldapuser1@hq.example.com timeout 600
aug 18 18:50:59 client1.hq.example.com nfsidmap[2120]: nfs4_name_to_gid: calling nsswitch->name_to_gid
aug 18 18:50:59 client1.hq.example.com nfsidmap[2120]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
aug 18 18:50:59 client1.hq.example.com nfsidmap[2120]: nfs4_name_to_gid: final return value is 0
Remarks and questions
- The most common cause of wrong mapping in these cases seems to be a missing or inconsistent Domain setting in idmapd.conf on the two sides. Here it is correctly set on both sides.
- It works if I use static mappings, that is 1) create a local ldapuser1 on the server, 2) add an entry under [Static] in idmapd.conf which says ldapuser1@HQ.EXAMPLE.COM=ldapuser1. However, this is not the goal.
- The Synology server is obviously not Fedora/RedHat, so it's not the perfect freeIPA companion. In particular, it lacks SSSD. Still, I think it should work.
I am completely stuck at this point. I am not even sure where to ask for help. Synology support claims that this should work. According to freeIPA developers this is even off-topic because not freeIPA specific but "just" NFS & co issues. This is debatable, as the way all these technologies are connected and used is freeIPA specific.
In any case, I don't know anymore what to look at. That's why I ask here, hoping that someone can help me take at least a few more steps forward. Any guess is more than welcome!
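The following is an added example, not code from the question and not code from Synology or nfs-utils. It models in Python the two lookup paths a libnfsidmap-style NFS server uses, with the idmapd.conf posted above: the name@domain owner strings in NFSv4 attributes go through [Translation] Method (here nsswitch, which the server log shows succeeding), while the Kerberos principal that RPCSEC_GSS presents on each request goes through GSS-Methods (here static,synomap, with an empty [Static] section). In that model the principal ldapuser1@HQ.EXAMPLE.COM matches nothing and falls back to the configured Nobody-User/Nobody-Group, i.e. guest:users = 99:100, which is exactly the ownership the touch produced; the [Static] entry the poster says works, and a hypothetical nsswitch entry added to GSS-Methods, both resolve it. That DSM's NFS stack honours the nfs-utils semantics, that the static method resolves the mapped local name through NSS, and that synomap only consults local DSM accounts are assumptions; so are the passwd/group tables, which are constructed from the id and ls -lan output above. Note also that the server log shows id 1173000004 where id on the client shows 1172000004; if that is not a transcription slip, the two sides disagree on the uid itself and no idmap change will reconcile them.

```python
"""Simulation of libnfsidmap's two lookup paths for the posted idmapd.conf.
Added example; not code from the question, nfs-utils or Synology.

Assumptions (not stated in the question): the DSM NFS server behaves like
nfs-utils + libnfsidmap (owner strings use [Translation] Method, GSS
principals use GSS-Methods, defaulting to Method when unset); "synomap" only
knows local DSM accounts; "static" resolves the mapped local name via NSS;
the passwd/group tables are constructed from the `id`/`ls -lan` output.
"""
from configparser import ConfigParser

# Copied from the question's server-side idmapd.conf.
POSTED_CONF = """\
[General]
Domain=hq.example.com
Verbosity=10
[Mapping]
Nobody-User=guest
Nobody-Group=users
[Translation]
Method=nsswitch
GSS-Methods=static,synomap
[Static]
"""

# Constructed NSS view on the server (files + ldap): freeIPA user plus local accounts.
NSS_PASSWD = {"ldapuser1": (1172000004, 1172000004), "guest": (99, 100), "root": (0, 0)}
NSS_GROUP = {"ldapuser1": 1172000004, "users": 100, "root": 0}
# Constructed: what the proprietary synomap method is assumed to see (local DSM accounts).
SYNO_LOCAL = {"guest": (99, 100), "admin": (1024, 100)}


def parse_conf(text):
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "Nobody-User" and principal names case-sensitive
    cp.read_string(text)
    return cp


def strip_domain(name, domain=None):
    """Mimic libnfsidmap's strip_domain(): cut at the last '@'.  With a domain
    given, the suffix must be present and match it (case-insensitively)."""
    local, sep, suffix = name.rpartition("@")
    if not sep:
        return None if domain is not None else name
    if domain is not None and suffix.lower() != domain.lower():
        return None
    return local


def nsswitch_name_to_ids(name, domain):
    """Method=nsswitch for an owner attribute: strip the configured domain, getpwnam()."""
    local = strip_domain(name, domain)
    return NSS_PASSWD.get(local) if local else None


def nsswitch_princ_to_ids(principal):
    """nsswitch for a GSS principal: the realm is cut off unconditionally, then getpwnam()."""
    return NSS_PASSWD.get(strip_domain(principal))


def static_princ_to_ids(principal, static_entries):
    """[Static] maps 'principal@REALM = localname'; the local name then goes through NSS."""
    local = static_entries.get(principal)
    return NSS_PASSWD.get(local) if local else None


def synomap_princ_to_ids(principal):
    """Assumed behaviour of synomap: only local DSM accounts, realm ignored."""
    return SYNO_LOCAL.get(strip_domain(principal))


def nobody_ids(cp):
    user = cp.get("Mapping", "Nobody-User", fallback="nobody")
    group = cp.get("Mapping", "Nobody-Group", fallback="nobody")
    return NSS_PASSWD[user][0], NSS_GROUP[group]


def gss_principal_to_ids(cp, principal):
    """Server side of an RPCSEC_GSS request: decides who owns a file the client creates.
    Returns ((uid, gid), name_of_the_method_that_answered)."""
    method = cp.get("Translation", "Method", fallback="nsswitch")
    methods = cp.get("Translation", "GSS-Methods", fallback=method)
    static_entries = dict(cp.items("Static")) if cp.has_section("Static") else {}
    for name in (m.strip() for m in methods.split(",")):
        if name == "static":
            ids = static_princ_to_ids(principal, static_entries)
        elif name == "nsswitch":
            ids = nsswitch_princ_to_ids(principal)
        elif name == "synomap":
            ids = synomap_princ_to_ids(principal)
        else:
            raise ValueError(f"unknown GSS-Methods entry: {name}")
        if ids is not None:
            return ids, name
    return nobody_ids(cp), "nobody"


def owner_attr_to_ids(cp, owner):
    """Either side: the 'name@domain' owner/owner_group attribute strings, i.e. the
    translation the posted idmapd/nfsidmap logs show."""
    ids = nsswitch_name_to_ids(owner, cp.get("General", "Domain"))
    return (ids, "nsswitch") if ids is not None else (nobody_ids(cp), "nobody")


def scenarios():
    """Principal lookup against the posted config and two variants, plus the attribute path."""
    posted = parse_conf(POSTED_CONF)
    # The [Static] entry the question says makes it work (with a local ldapuser1 account).
    with_static = parse_conf(POSTED_CONF + "ldapuser1@HQ.EXAMPLE.COM = ldapuser1\n")
    # Hypothetical variant: let the principal path consult NSS (and therefore LDAP) too.
    with_nss = parse_conf(POSTED_CONF.replace("GSS-Methods=static,synomap",
                                              "GSS-Methods=static,synomap,nsswitch"))
    principal = "ldapuser1@HQ.EXAMPLE.COM"
    return {
        "posted": gss_principal_to_ids(posted, principal),
        "static_entry": gss_principal_to_ids(with_static, principal),
        "nsswitch_in_gss_methods": gss_principal_to_ids(with_nss, principal),
        "owner_attr": owner_attr_to_ids(posted, "ldapuser1@hq.example.com"),
        "owner_attr_wrong_domain": owner_attr_to_ids(posted, "ldapuser1@other.example.com"),
    }


if __name__ == "__main__":
    for label, (ids, via) in scenarios().items():
        print(f"{label:24} -> uid:gid {ids[0]}:{ids[1]} (via {via})")
```

Running it prints one line per scenario with the method that answered; the comparison that matters is "posted" against "static_entry" and "nsswitch_in_gss_methods", while the "owner_attr" lines reproduce the successful nsswitch translations in the posted logs and show that those logs exercise a different path from the one that decides the ownership of a newly created file. On an nfs-utils server that principal lookup is logged by rpc.svcgssd (or gssproxy) when the client's security context is accepted, which is where to look on the real server.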