Bug #4689

IDMAP: idmap_getwinnamebyuid() and idmap_getwinnamebygid() fails for empty domains

Added by Marcel Telka over 5 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: lib - userland libraries
Start date: 2014-03-17
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

At the NFS server:

# svcadm enable idmap
# mkdir -p /export/dir
# share /export
# /usr/bin/chmod A+sid:S-1-5-11:full_set:fd:allow /export/dir

At the NFS client:

# mount -o vers=4 SERVER:/export /mnt
# /usr/bin/ls -Vd /mnt/dir
ls: can't read ACL on /mnt/dir: Not owner
drwxr-xr-x   2 root     root           2 mar 17 05:53 /mnt/dir
#

In case a SID with a non-empty domain is used (e.g. S-1-5-32-544 instead of S-1-5-11), everything works as expected. See the wksids table at http://src.illumos.org/source/xref/illumos-gate/usr/src/cmd/idmap/idmapd/wksids.c#81.

The problem is in the idmap_getwinnamebypid() implementation. This function is called by both idmap_getwinnamebyuid() and idmap_getwinnamebygid(), and it fails in case the domain returned by idmap_get_u2w_mapping() is empty (NULL).

History

#1

Updated by Marcel Telka over 5 years ago

Detailed root cause:

When the NFSv4 server is asked for an ACL, it needs to translate all gids/uids found in ACEs to strings (this is needed by the NFSv4 protocol). For such translation nfsmapid is used. In case the gid/uid is an ephemeral ID, idmap (via libidmap) is consulted to translate the gid/uid to the string.

In case the ephemeral ID represents a SID without the domain (for example S-1-5-11), libidmap fails to translate such an ephemeral ID to a string (idmap_getwinnamebyuid() or idmap_getwinnamebygid() fails). Because of this, NFSv4 is unable to return the ACL.
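The failure chain described in this comment, as an added C model that is not part of the original issue and is not libidmap or nfsmapid code: one ACE whose ID maps to a name with no domain makes the whole ACL read fail, while accepting the bare name lets it succeed. The function names, the ephemeral ID values and the name@domain output format are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample mappings: ephemeral ID -> (winname, domain). */
struct mapping { unsigned id; const char *winname; const char *domain; };
static const struct mapping sample_map[] = {
	{ 2147483649u, "Administrators", "BUILTIN" },	/* S-1-5-32-544 */
	{ 2147483650u, "Authenticated Users", NULL },	/* S-1-5-11, no domain */
};

/*
 * Hypothetical stand-in for the ID-to-name step. tolerate_empty == 0 treats
 * a NULL domain as an error (the reported behaviour); otherwise the bare
 * name is returned. The caller frees *name.
 */
static int model_getwinname(unsigned id, int tolerate_empty, char **name)
{
	size_t i, len;
	*name = NULL;
	for (i = 0; i < sizeof (sample_map) / sizeof (sample_map[0]); i++) {
		const struct mapping *m = &sample_map[i];
		if (m->id != id) continue;
		if (m->domain == NULL && !tolerate_empty) return (-1);
		len = strlen(m->winname) + (m->domain ? strlen(m->domain) + 1 : 0) + 1;
		if ((*name = malloc(len)) == NULL) return (-1);
		if (m->domain != NULL)
			(void) snprintf(*name, len, "%s@%s", m->winname, m->domain);
		else
			(void) snprintf(*name, len, "%s", m->winname);
		return (0);
	}
	return (-1);	/* no mapping for this ID */
}

/* Translate every ACE "who" to a string; one failure fails the whole read. */
static int model_read_acl(const unsigned *who, size_t n, int tolerate_empty)
{
	size_t i;
	char *name;
	for (i = 0; i < n; i++) {
		if (model_getwinname(who[i], tolerate_empty, &name) != 0) return (-1);
		free(name);
	}
	return (0);
}

int main(void)
{
	const unsigned who[] = { 2147483649u, 2147483650u };
	printf("NULL domain rejected: %d\n", model_read_acl(who, 2, 0));
	printf("NULL domain accepted: %d\n", model_read_acl(who, 2, 1));
	return (0);
}
```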

#2

Updated by Marcel Telka over 5 years ago

  • Status changed from In Progress to Pending RTI

#3

Updated by Electric Monk over 5 years ago

git commit 8ce3a03883b8748c139aa8c412b64dcc7aaee1a1

Author: Marcel Telka <marcel.telka@nexenta.com>

4689 IDMAP: idmap_getwinnamebyuid() and idmap_getwinnamebygid() fails for empty domains
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Dan McDonald <danmcd@omniti.com>
Approved by: Garrett D'Amore <garrett@damore.org>

#4

Updated by Marcel Telka over 5 years ago

  • Status changed from Pending RTI to Resolved
