IDMAP: idmap_getwinnamebyuid() and idmap_getwinnamebygid() fails for empty domains
At the NFS server:
# svcadm enable idmap
# mkdir -p /export/dir
# share /export
# /usr/bin/chmod A+sid:S-1-5-11:full_set:fd:allow /export/dir
At the NFS client:
# mount -o vers=4 SERVER:/export /mnt
# /usr/bin/ls -Vd /mnt/dir
ls: can't read ACL on /mnt/dir: Not owner
drwxr-xr-x 2 root root 2 mar 17 05:53 /mnt/dir
#
In case a SID with a non-empty domain is used (e.g. S-1-5-32-544 instead of S-1-5-11), everything works as expected. See the wksids table at http://src.illumos.org/source/xref/illumos-gate/usr/src/cmd/idmap/idmapd/wksids.c#81.
The problem is in the idmap_getwinnamebypid() implementation. This function is called by both idmap_getwinnamebyuid() and idmap_getwinnamebygid(), and it fails in case the domain returned by idmap_get_u2w_mapping() is empty (NULL).
Updated by Marcel Telka about 6 years ago
Detailed root cause:
When the NFSv4 server is asked for an ACL, it needs to translate all gids/uids found in ACEs to strings (this is needed by the NFSv4 protocol). For such translation nfsmapid is used. In case the gid/uid is an ephemeral ID, idmap (via libidmap) is consulted to translate the gid/uid to the string.
In case the ephemeral ID represents a SID without a domain (for example S-1-5-11), libidmap fails to translate such an ephemeral ID to a string (idmap_getwinnamebyuid() or idmap_getwinnamebygid() fails). Because of this, NFSv4 is unable to return the ACL.
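The failure mode described in this report, shown as an added illustration rather than illumos or libidmap code: a constructed stand-in table holds two well-known SIDs, one with a domain and one without (the real wksids table, the idmap_getwinnamebypid() signature and the result codes are not reproduced here; the names, the "name@domain" output format and the OK/ERR_NORESULT codes are assumptions for the example). getwinname_buggy() rejects any entry whose domain is NULL, so the domain-less SID can never be turned into a string; getwinname_fixed() requires only the name and emits the bare name when no domain exists.

```c
/* Added example, not illumos code: why a win-name lookup must accept a
 * SID whose domain is absent, as with S-1-5-11 in the wksids table. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the well-known SID table (hypothetical). */
struct wk_entry {
    const char *sid;
    const char *name;
    const char *domain;   /* NULL for SIDs that have no domain */
};

static const struct wk_entry wk_table[] = {
    { "S-1-5-11",     "Authenticated Users", NULL },      /* no domain */
    { "S-1-5-32-544", "Administrators",      "BUILTIN" }, /* has domain */
};

/* Hypothetical result codes standing in for libidmap's idmap_stat. */
enum { OK = 0, ERR_NORESULT = 1 };

static const struct wk_entry *lookup(const char *sid)
{
    size_t i;
    for (i = 0; i < sizeof (wk_table) / sizeof (wk_table[0]); i++)
        if (strcmp(wk_table[i].sid, sid) == 0)
            return &wk_table[i];
    return NULL;
}

/* Buggy shape: a NULL domain is treated as "no mapping", so every
 * domain-less SID fails even though its name was found. */
int getwinname_buggy(const char *sid, char *out, size_t outlen)
{
    const struct wk_entry *e = lookup(sid);
    if (e == NULL || e->name == NULL || e->domain == NULL)
        return ERR_NORESULT;
    (void) snprintf(out, outlen, "%s@%s", e->name, e->domain);
    return OK;
}

/* Fixed shape: only the name is mandatory; when the domain is NULL the
 * bare name is returned instead of an error. */
int getwinname_fixed(const char *sid, char *out, size_t outlen)
{
    const struct wk_entry *e = lookup(sid);
    if (e == NULL || e->name == NULL)
        return ERR_NORESULT;
    if (e->domain != NULL)
        (void) snprintf(out, outlen, "%s@%s", e->name, e->domain);
    else
        (void) snprintf(out, outlen, "%s", e->name);
    return OK;
}

int main(void)
{
    const char *sids[] = { "S-1-5-11", "S-1-5-32-544", "S-1-5-999" };
    char buf[128];
    size_t i;
    for (i = 0; i < 3; i++) {
        int b = getwinname_buggy(sids[i], buf, sizeof (buf));
        printf("buggy %-14s -> %s\n", sids[i], b == OK ? buf : "ERR_NORESULT");
        int f = getwinname_fixed(sids[i], buf, sizeof (buf));
        printf("fixed %-14s -> %s\n", sids[i], f == OK ? buf : "ERR_NORESULT");
    }
    return 0;
}
```

The check to take away is the difference in the guard: a NULL domain is a legitimate mapping result for well-known SIDs, so the caller must distinguish "no name found" (a real failure) from "name found, no domain" (a valid string), otherwise every ACE carrying such a SID makes the whole ACL unreadable over NFSv4.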
Updated by Electric Monk about 6 years ago
Author: Marcel Telka <firstname.lastname@example.org>
4689 IDMAP: idmap_getwinnamebyuid() and idmap_getwinnamebygid() fails for empty domains
Reviewed by: Yuri Pankov <email@example.com>
Reviewed by: Gordon Ross <firstname.lastname@example.org>
Reviewed by: Dan McDonald <email@example.com>
Approved by: Garrett D'Amore <firstname.lastname@example.org>