Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:52848 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752017AbcLGQg4 (ORCPT <rfc822;linux-nfs@vger.kernel.org>);
        Wed, 7 Dec 2016 11:36:56 -0500
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 137CC61E5F
        for <linux-nfs@vger.kernel.org>; Wed,  7 Dec 2016 16:36:56 +0000 (UTC)
From: Scott Mayhew <smayhew@redhat.com>
To: steved@redhat.com
Cc: linux-nfs@vger.kernel.org
Subject: [libnfsidmap RFC PATCH] libnfsidmap: add support for multiple domains
Date: Wed,  7 Dec 2016 11:36:25 -0500
Message-Id: <1481128586-53009-1-git-send-email-smayhew@redhat.com>
Sender: linux-nfs-owner@vger.kernel.org
List-ID: <linux-nfs.vger.kernel.org>

Quick disclaimer -- this is different than the multi-domain support
described in RFC 8000.  In the description below I'm really using
'multi-domain' to mean 'multiple AD/IdM domains', rather than multiple
NFSv4 domains.  

NFSv4 id mapping on Linux does not work well in multi-domain
environments.  RFCs 3530, 5661, and 7530 all describe the fattr4_owner
and fattr4_owner_group strings in the form "user@dns_domain".

The Linux libnfsidmap nssswitch plugin currently treats that domain as
an arbitrary string.  As long as the domain part of the incoming string
matches the Domain parameter of the idmapd.conf, the plugin strips off
the domain and does a getpwnam() with what's left over.

When a Linux machine is joined to an environment involving multiple AD
or IdM domains, it is usually necessary for usernames to be qualified
with the domain, either in a user principal format (e.g.
"smayhew@ad.example.com") or a down-level logon name format (e.g.
"AD\smayhew").  

When an environment with just Linux NFS clients and servers, the
machines will all use this format the libnfsimap plugin will
automatically format the username in one of these two forms, because
libnfsidmap is just using the name that is returned from getpwuid()...
so in the above example, if the NFSv4 domain in idmapd.conf is
configured as "example.com", the full fattr4_owner might appear as
"smayhew@ad.example.com@example.com" if the machines are using SSSD, and
"AD\smayhew@example.com" if they're using Winbind.

Non-Linux NFS servers do not do that.

DATA ONTAP maps a uid to a short username and then appends the NFSv4 id
mapping domain to that.  The nsswitch plugin is unable to map those,
because once it strips off the domain it will be unable to resolve the
short username.  It's possible to configure the Linux clients that are
using SSSD to be able to use the short usernames by turning off the
subdomains_provider and explicitly adding stanzas for each trusted
domain in the sssd.conf.  This works as long as each username & uid is
unique across all the trusted domains.  For example if you have
subdomains "na", "emea", and "apac", then it will not work (or rather it
will be unpredictable) if each of those domains has an "smayhew" user...
but otherwise it will work.  But there's no corresponding solution for
Linux clients that are using Winbind... and and solution does not work
for other NFS servers.

The NFS v4.1 server in Microsoft Windows does not appear to allow the
NFSv4 domain to be configured at all.  It just sends the names in UPN
format, so it's essentially treating the AD domain as the NFSv4 domain.
The Windows NFS v4.1 server is therefore capable of working with
multiple domains.  Since the current libnfsidmap nsswitch plugin only
allows a single domain to be configured, it's only able to map users
from that single domain.

EMC Isilon servers are also capable of using multiple domains by
unchecking the "Enable NFSv4 Replace Domain" box on the NFS Zone
Settings in the web UI or via 'isi nfs settings zone modify
--nfsv4-replace-domain no' on the command line.  This causes the Isilon
to send AD/IdM domain instead of the NFSv4 domain value in the
fattr4_owner and fattr4_owner_group strings.  Again, since the current
libnfsidmap plugin only allows a single domain to be configured, it's
only able to users from a single domain.

This patch adds a new plugin called 'multidom' (I'm not attached to the
name and open to suggestions.  Maybe something like 'nostripdomain'
would be better).

What it does is adds another parameter 'Domain-List' to the idmap.conf.
That parameter takes (unsurprisingly) a list of domains, in much the
same way the Local-Realms parameter works.  The value specified in the
Domain parameter does not have to be in the Domain-List.  When the
Domains list is populated, the plugin does a few things:
1. For name-to-id mapping, it compares the domain in the attribute to
the list of domains.  If it's not in the list, it gets mapped to the uid
for nobody.
2. If the domain in the attribute is in the list of domains, then that
attibute is passed as-is to getpwnam() (or getgrnam() if its a group).
IOW the domain is NOT stripped off.
3. For id-to-name mapping, after the getpwuid() (or getgrgid()) call,
the domain in the result is compared to the Domains list... if it's not
in the list, the the id is mapped to the nobody string... even if the
name was otherwise resolved successfully.

With the plugin enabled I'm able to map users from multiple AD/IdM
domains.


ot@rhel6client ~]# cat /etc/idmapd.conf
[General]
Domain = smayhew.local

[Multi-Domain] 
Domain-List = smayhew.local,ad.smayhew.local,lab.smayhew.local

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = multidom,nsswitch

[root@rhel6client ~]# ls -l /mnt/t
total 10
-rw-rw-r--. 1 amy@lab.smayhew.local       domain users@lab.smayhew.local 29 Sep 26 15:22 written-by-amy
-rw-r--r--. 1 barney@smayhew.local        domain users@smayhew.local     29 Sep 26 15:22 written-by-barney
-rw-rw-r--. 1 bart@ad.smayhew.local       domain users@ad.smayhew.local  29 Sep 26 15:22 written-by-bart
-rw-rw-r--. 1 bender@lab.smayhew.local    domain users@lab.smayhew.local 29 Sep 26 15:22 written-by-bender
-rw-r--r--. 1 betty@smayhew.local         domain users@smayhew.local     29 Sep 26 15:22 written-by-betty
-rw-r--r--. 1 fred@smayhew.local          domain users@smayhew.local     29 Sep 26 15:22 written-by-fred
-rw-rw-r--. 1 fry@lab.smayhew.local       domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-fry
-rw-rw-r--. 1 hermes@lab.smayhew.local    domain users@lab.smayhew.local 29 Sep 26 15:22 written-by-hermes
-rw-rw-r--. 1 homer@ad.smayhew.local      domain users@ad.smayhew.local  29 Sep 26 15:22 written-by-homer
-rw-rw-r--. 1 kif@lab.smayhew.local       domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-kif
-rw-rw-r--. 1 leela@lab.smayhew.local     domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-leela
-rw-rw-r--. 1 lisa@ad.smayhew.local       domain users@ad.smayhew.local  29 Sep 26 15:22 written-by-lisa
-rw-rw-r--. 1 maggie@ad.smayhew.local     domain users@ad.smayhew.local  29 Sep 26 15:22 written-by-maggie
-rw-rw-r--. 1 marge@ad.smayhew.local      domain users@ad.smayhew.local  29 Sep 26 15:22 written-by-marge
-rw-rw-r--. 1 professor@lab.smayhew.local domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-professor
-rw-rw-r--. 1 smayhew@ad.smayhew.local    domain users@ad.smayhew.local  29 Sep 26 15:22 written-by-smayhew
-rw-r--r--. 1 wilma@smayhew.local         domain users@smayhew.local     29 Sep 26 15:22 written-by-wilma
-rw-rw-r--. 1 zapp@lab.smayhew.local      domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-zapp
-rw-rw-r--. 1 zoidberg@lab.smayhew.local  domain users@lab.smayhew.local 29 Sep 26 15:23 written-by-zoidberg

This also works on systems using Winbind instead of SSSD.  The
idmap.conf is the same, with the exception of an additional parameter
'Reformat-Group-For-Winbind-Query = true' in the '[Multi-Domain]'
stanza.

[root@rhel6wbnfs ~]# ls -l /mnt/t
total 10
-rw-rw-r--. 1 LAB\amy        LAB\domain users     29 Sep 26 15:22 written-by-amy
-rw-r--r--. 1 SMAYHEW\barney SMAYHEW\domain users 29 Sep 26 15:22 written-by-barney
-rw-rw-r--. 1 AD\bart        AD\domain users      29 Sep 26 15:22 written-by-bart
-rw-rw-r--. 1 LAB\bender     LAB\domain users     29 Sep 26 15:22 written-by-bender
-rw-r--r--. 1 SMAYHEW\betty  SMAYHEW\domain users 29 Sep 26 15:22 written-by-betty
-rw-r--r--. 1 SMAYHEW\fred   SMAYHEW\domain users 29 Sep 26 15:22 written-by-fred
-rw-rw-r--. 1 LAB\fry        LAB\domain users     29 Sep 26 15:23 written-by-fry
-rw-rw-r--. 1 LAB\hermes     LAB\domain users     29 Sep 26 15:22 written-by-hermes
-rw-rw-r--. 1 AD\homer       AD\domain users      29 Sep 26 15:22 written-by-homer
-rw-rw-r--. 1 LAB\kif        LAB\domain users     29 Sep 26 15:23 written-by-kif
-rw-rw-r--. 1 LAB\leela      LAB\domain users     29 Sep 26 15:23 written-by-leela
-rw-rw-r--. 1 AD\lisa        AD\domain users      29 Sep 26 15:22 written-by-lisa
-rw-rw-r--. 1 AD\maggie      AD\domain users      29 Sep 26 15:22 written-by-maggie
-rw-rw-r--. 1 AD\marge       AD\domain users      29 Sep 26 15:22 written-by-marge
-rw-rw-r--. 1 LAB\professor  LAB\domain users     29 Sep 26 15:23 written-by-professor
-rw-rw-r--. 1 AD\smayhew     AD\domain users      29 Sep 26 15:22 written-by-smayhew
-rw-r--r--. 1 SMAYHEW\wilma  SMAYHEW\domain users 29 Sep 26 15:22 written-by-wilma
-rw-rw-r--. 1 LAB\zapp       LAB\domain users     29 Sep 26 15:23 written-by-zapp
-rw-rw-r--. 1 LAB\zoidberg   LAB\domain users     29 Sep 26 15:23 written-by-zoidberg

-Scott

Scott Mayhew (1):
  libnfsidmap: add support for multiple domains

 Makefile.am   |   5 +-
 idmapd.conf   |  26 +++-
 idmapd.conf.5 |  40 ++++++-
 multidom.c    | 379 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 445 insertions(+), 5 deletions(-)
 create mode 100644 multidom.c

-- 
2.7.4