From: bfields@fieldses.org (J. Bruce Fields)
To: Scott Mayhew <smayhew@redhat.com>
Cc: steved@redhat.com, linux-nfs@vger.kernel.org
Subject: Re: [libnfsidmap RFC PATCH] libnfsidmap: add support for multiple domains
Date: Wed, 14 Dec 2016 09:26:23 -0500 [thread overview]
Message-ID: <20161214142623.GA30113@fieldses.org> (raw)
In-Reply-To: <1481128586-53009-1-git-send-email-smayhew@redhat.com>
On Wed, Dec 07, 2016 at 11:36:25AM -0500, Scott Mayhew wrote:
> Quick disclaimer -- this is different than the multi-domain support
> described in RFC 8000. In the description below I'm really using
> 'multi-domain' to mean 'multiple AD/IdM domains', rather than multiple
> NFSv4 domains.
>
> NFSv4 id mapping on Linux does not work well in multi-domain
> environments. RFCs 3530, 5661, and 7530 all describe the fattr4_owner
> and fattr4_owner_group strings in the form "user@dns_domain".
>
> The Linux libnfsidmap nssswitch plugin currently treats that domain as
> an arbitrary string. As long as the domain part of the incoming string
> matches the Domain parameter of the idmapd.conf, the plugin strips off
> the domain and does a getpwnam() with what's left over.
>
> When a Linux machine is joined to an environment involving multiple AD
> or IdM domains, it is usually necessary for usernames to be qualified
> with the domain, either in a user principal format (e.g.
> "smayhew@ad.example.com") or a down-level logon name format (e.g.
> "AD\smayhew").
>
> When an environment with just Linux NFS clients and servers, the
> machines will all use this format the libnfsimap plugin will
> automatically format the username in one of these two forms, because
> libnfsidmap is just using the name that is returned from getpwuid()...
> so in the above example, if the NFSv4 domain in idmapd.conf is
> configured as "example.com", the full fattr4_owner might appear as
> "smayhew@ad.example.com@example.com" if the machines are using SSSD, and
> "AD\smayhew@example.com" if they're using Winbind.
>
> Non-Linux NFS servers do not do that.
>
> DATA ONTAP maps a uid to a short username and then appends the NFSv4 id
> mapping domain to that. The nsswitch plugin is unable to map those,
> because once it strips off the domain it will be unable to resolve the
> short username. It's possible to configure the Linux clients that are
> using SSSD to be able to use the short usernames by turning off the
> subdomains_provider and explicitly adding stanzas for each trusted
> domain in the sssd.conf. This works as long as each username & uid is
> unique across all the trusted domains. For example if you have
> subdomains "na", "emea", and "apac", then it will not work (or rather it
> will be unpredictable) if each of those domains has an "smayhew" user...
> but otherwise it will work. But there's no corresponding solution for
> Linux clients that are using Winbind... and and solution does not work
> for other NFS servers.
>
> The NFS v4.1 server in Microsoft Windows does not appear to allow the
> NFSv4 domain to be configured at all. It just sends the names in UPN
> format, so it's essentially treating the AD domain as the NFSv4 domain.
> The Windows NFS v4.1 server is therefore capable of working with
> multiple domains. Since the current libnfsidmap nsswitch plugin only
> allows a single domain to be configured, it's only able to map users
> from that single domain.
>
> EMC Isilon servers are also capable of using multiple domains by
> unchecking the "Enable NFSv4 Replace Domain" box on the NFS Zone
> Settings in the web UI or via 'isi nfs settings zone modify
> --nfsv4-replace-domain no' on the command line. This causes the Isilon
> to send AD/IdM domain instead of the NFSv4 domain value in the
> fattr4_owner and fattr4_owner_group strings. Again, since the current
> libnfsidmap plugin only allows a single domain to be configured, it's
> only able to users from a single domain.
>
> This patch adds a new plugin called 'multidom' (I'm not attached to the
> name and open to suggestions. Maybe something like 'nostripdomain'
> would be better).
>
> What it does is adds another parameter 'Domain-List' to the idmap.conf.
> That parameter takes (unsurprisingly) a list of domains, in much the
> same way the Local-Realms parameter works. The value specified in the
> Domain parameter does not have to be in the Domain-List. When the
> Domains list is populated, the plugin does a few things:
> 1. For name-to-id mapping, it compares the domain in the attribute to
> the list of domains. If it's not in the list, it gets mapped to the uid
> for nobody.
> 2. If the domain in the attribute is in the list of domains, then that
> attibute is passed as-is to getpwnam() (or getgrnam() if its a group).
> IOW the domain is NOT stripped off.
> 3. For id-to-name mapping, after the getpwuid() (or getgrgid()) call,
> the domain in the result is compared to the Domains list... if it's not
> in the list, the the id is mapped to the nobody string... even if the
> name was otherwise resolved successfully.
Dumb questions:
- Do we even need the list, or can we leave that decision to
whatever's really mapping the names? If the admin already set
up things to map @some-weird-domain then why do we need them
to whitelist that domain again here?
- should something like this method be the default? Or is there
a way we can auto-detect this kind of setup?
In general idmapper configuration has been a bit of an annoyance and
anything we can do to help more admins ignore it is good.
Anyway, seems like a major improvement, thanks for doing this.
--b.
>
> With the plugin enabled I'm able to map users from multiple AD/IdM
> domains.
>
>
> ot@rhel6client ~]# cat /etc/idmapd.conf
> [General]
> Domain = smayhew.local
>
> [Multi-Domain]
> Domain-List = smayhew.local,ad.smayhew.local,lab.smayhew.local
>
> [Mapping]
> Nobody-User = nobody
> Nobody-Group = nobody
>
> [Translation]
> Method = multidom,nsswitch
>
> [root@rhel6client ~]# ls -l /mnt/t
> total 10
> -rw-rw-r--. 1 amy@lab.smayhew.local domain users@lab.smayhew.local 29 Sep 26 15:22 written-by-amy
> -rw-r--r--. 1 barney@smayhew.local domain users@smayhew.local 29 Sep 26 15:22 written-by-barney
> -rw-rw-r--. 1 bart@ad.smayhew.local domain users@ad.smayhew.local 29 Sep 26 15:22 written-by-bart
> -rw-rw-r--. 1 bender@lab.smayhew.local domain users@lab.smayhew.local 29 Sep 26 15:22 written-by-bender
> -rw-r--r--. 1 betty@smayhew.local domain users@smayhew.local 29 Sep 26 15:22 written-by-betty
> -rw-r--r--. 1 fred@smayhew.local domain users@smayhew.local 29 Sep 26 15:22 written-by-fred
> -rw-rw-r--. 1 fry@lab.smayhew.local domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-fry
> -rw-rw-r--. 1 hermes@lab.smayhew.local domain users@lab.smayhew.local 29 Sep 26 15:22 written-by-hermes
> -rw-rw-r--. 1 homer@ad.smayhew.local domain users@ad.smayhew.local 29 Sep 26 15:22 written-by-homer
> -rw-rw-r--. 1 kif@lab.smayhew.local domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-kif
> -rw-rw-r--. 1 leela@lab.smayhew.local domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-leela
> -rw-rw-r--. 1 lisa@ad.smayhew.local domain users@ad.smayhew.local 29 Sep 26 15:22 written-by-lisa
> -rw-rw-r--. 1 maggie@ad.smayhew.local domain users@ad.smayhew.local 29 Sep 26 15:22 written-by-maggie
> -rw-rw-r--. 1 marge@ad.smayhew.local domain users@ad.smayhew.local 29 Sep 26 15:22 written-by-marge
> -rw-rw-r--. 1 professor@lab.smayhew.local domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-professor
> -rw-rw-r--. 1 smayhew@ad.smayhew.local domain users@ad.smayhew.local 29 Sep 26 15:22 written-by-smayhew
> -rw-r--r--. 1 wilma@smayhew.local domain users@smayhew.local 29 Sep 26 15:22 written-by-wilma
> -rw-rw-r--. 1 zapp@lab.smayhew.local domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-zapp
> -rw-rw-r--. 1 zoidberg@lab.smayhew.local domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-zoidberg
>
> This also works on systems using Winbind instead of SSSD. The
> idmap.conf is the same, with the exception of an additional parameter
> 'Reformat-Group-For-Winbind-Query = true' in the '[Multi-Domain]'
> stanza.
>
> [root@rhel6wbnfs ~]# ls -l /mnt/t
> total 10
> -rw-rw-r--. 1 LAB\amy LAB\domain users 29 Sep 26 15:22 written-by-amy
> -rw-r--r--. 1 SMAYHEW\barney SMAYHEW\domain users 29 Sep 26 15:22 written-by-barney
> -rw-rw-r--. 1 AD\bart AD\domain users 29 Sep 26 15:22 written-by-bart
> -rw-rw-r--. 1 LAB\bender LAB\domain users 29 Sep 26 15:22 written-by-bender
> -rw-r--r--. 1 SMAYHEW\betty SMAYHEW\domain users 29 Sep 26 15:22 written-by-betty
> -rw-r--r--. 1 SMAYHEW\fred SMAYHEW\domain users 29 Sep 26 15:22 written-by-fred
> -rw-rw-r--. 1 LAB\fry LAB\domain users 29 Sep 26 15:23 written-by-fry
> -rw-rw-r--. 1 LAB\hermes LAB\domain users 29 Sep 26 15:22 written-by-hermes
> -rw-rw-r--. 1 AD\homer AD\domain users 29 Sep 26 15:22 written-by-homer
> -rw-rw-r--. 1 LAB\kif LAB\domain users 29 Sep 26 15:23 written-by-kif
> -rw-rw-r--. 1 LAB\leela LAB\domain users 29 Sep 26 15:23 written-by-leela
> -rw-rw-r--. 1 AD\lisa AD\domain users 29 Sep 26 15:22 written-by-lisa
> -rw-rw-r--. 1 AD\maggie AD\domain users 29 Sep 26 15:22 written-by-maggie
> -rw-rw-r--. 1 AD\marge AD\domain users 29 Sep 26 15:22 written-by-marge
> -rw-rw-r--. 1 LAB\professor LAB\domain users 29 Sep 26 15:23 written-by-professor
> -rw-rw-r--. 1 AD\smayhew AD\domain users 29 Sep 26 15:22 written-by-smayhew
> -rw-r--r--. 1 SMAYHEW\wilma SMAYHEW\domain users 29 Sep 26 15:22 written-by-wilma
> -rw-rw-r--. 1 LAB\zapp LAB\domain users 29 Sep 26 15:23 written-by-zapp
> -rw-rw-r--. 1 LAB\zoidberg LAB\domain users 29 Sep 26 15:23 written-by-zoidberg
>
> -Scott
>
> Scott Mayhew (1):
> libnfsidmap: add support for multiple domains
>
> Makefile.am | 5 +-
> idmapd.conf | 26 +++-
> idmapd.conf.5 | 40 ++++++-
> multidom.c | 379 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 445 insertions(+), 5 deletions(-)
> create mode 100644 multidom.c
>
> --
> 2.7.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2016-12-14 14:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-07 16:36 [libnfsidmap RFC PATCH] libnfsidmap: add support for multiple domains Scott Mayhew
2016-12-07 16:36 ` Scott Mayhew
2016-12-14 14:26 ` J. Bruce Fields [this message]
2016-12-15 19:27 ` Scott Mayhew
2016-12-15 20:07 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161214142623.GA30113@fieldses.org \
--to=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=smayhew@redhat.com \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).