Ubuntu
libnfsidmap package

Merge ~ahasenack/ubuntu/+source/libnfsidmap:disco-uid-map-krb5-1819197 into ubuntu/+source/libnfsidmap:ubuntu/devel

  1. Git
  2. lp:~ahasenack/ubuntu/+source/libnfsidmap
  3. disco-uid-map-krb5-1819197
  4. Merge into ubuntu/devel
Proposed by Andreas Hasenack
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 32b7e120e9265f68e992a9df83130f50b41bbcbf
Merged at revision: 32b7e120e9265f68e992a9df83130f50b41bbcbf
Proposed branch: ~ahasenack/ubuntu/+source/libnfsidmap:disco-uid-map-krb5-1819197
Merge into: ubuntu/+source/libnfsidmap:ubuntu/devel
Diff against target: 73 lines (+40/-1)
4 files modified
debian/changelog (+7/-0)
debian/control (+2/-1)
debian/patches/03-uid-map-krb5.patch (+30/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Core Reviewers Pending
Review via email: mp+364954@code.launchpad.net

Description of the change

[copied from the bionic MP]

This fixes a very old bug, reported multiple times in both debian[1] and ubuntu[2].

Testing it might be a bit complicated, I just so happened to have a kerberos + nfsv4 setup at home already, I'll think of an easy way to set something up when the SRU time comes.

There have been two versions of the fix floating around across all these bugs. Compounded with that, there doesn't seem to be an official upstream anymore.

Patch 1[3], which is what I used here, fixes nss.c:strip_domain() to look for the last "@" sign in the username, and strip that off, instead of the first. This is what fixes the case when a username already has an "@" sign, which is the default in sssd. A package from my PPA[4] with this patch was tested by the bug reporter, and confirmed working.

The second patch[5] has that hunk, plus another one to fix nss.c:nss_gss_princ_to_ids() in a similar manner:

- princ_realm = strstr(princ, "@");
+ princ_realm = strrchr(princ, '@');

It's not clear to me when that function is used. I would have to understand that to check what kind of (incorrect) values could be given to the "princ" variable. If it's really just given a principal (which is of the form user@REALM), then both strstr() and strrchr() would yield the same result. One could argue that it wouldn't hurt to always return the last "@" occurrance (and not the first), though.

The most up-do-date release I found for libnfsidmap2 is 0.27[6], and that seems to be a self-appointed version done by Redhat. Citi, which is the site mentioned in d/control, still has only 0.25[7]

0.27 does NOT contain the second fix, just the first.

I emailed Steve D. (from that fedorapeople site 0.27 release) asking who is upstream now, he said he doesn't think there is one.

I would need a lot more investigation to understand when the second patch is needed. So given:
- 0.27 does not contain the second fix
- I found no other reference to the second fix "in the wild", just in these bug reports, and no follow-up confirmation about what is fixed (I specifically asked in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581199#25)
- the first patch fixes the reported problem scenario
- beta freeze is looming

I'm inclined to upload just with the first patch hunk, and later update it if needed.

1. http://bugs.debian.org/744768, http://bugs.debian.org/581199, http://bugs.debian.org/924425
2. https://bugs.launchpad.net/bugs/1819197, https://bugs.launchpad.net/bugs/1728310, https://bugs.launchpad.net/bugs/584942
3. https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=581199;filename=libnfsidmap_0.20-1_fix_at_sign_user_with_domain.diff;msg=5
4. https://launchpad.net/~ahasenack/+archive/ubuntu/libnfsidmap-krb5-1819197
5. https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=581199;filename=libnfsidmap_0.25-5ubuntu1.debdiff;msg=15
6. https://fedorapeople.org/~steved/libnfsidmap/
7. http://www.citi.umich.edu/projects/nfsv4/linux/

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks for preparing a Disco MP - this LGTM now.
Content is the same as already reviewed - Version number is ok for this upload.

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, tagged and uploaded:

$ git push pkg upload/0.25-5.1ubuntu1
Enumerating objects: 21, done.
Counting objects: 100% (21/21), done.
Delta compression using up to 4 threads
Compressing objects: 100% (15/15), done.
Writing objects: 100% (15/15), 2.27 KiB | 580.00 KiB/s, done.
Total 15 (delta 8), reused 0 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/libnfsidmap
 * [new tag] upload/0.25-5.1ubuntu1 -> upload/0.25-5.1ubuntu1

$ dput ubuntu ../libnfsidmap_0.25-5.1ubuntu1_source.changes
Checking signature on .changes
gpg: ../libnfsidmap_0.25-5.1ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../libnfsidmap_0.25-5.1ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading libnfsidmap_0.25-5.1ubuntu1.dsc: done.
  Uploading libnfsidmap_0.25-5.1ubuntu1.debian.tar.xz: done.
  Uploading libnfsidmap_0.25-5.1ubuntu1_source.buildinfo: done.
  Uploading libnfsidmap_0.25-5.1ubuntu1_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 07f91f1..0ed59a1 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+libnfsidmap (0.25-5.1ubuntu1) disco; urgency=medium
7+
8+ * d/p/03-uid-map-krb5.patch: fix uid mapping when sec=krb5 is used
9+ (LP: #1819197)
10+
11+ -- Andreas Hasenack <andreas@canonical.com> Fri, 22 Mar 2019 09:22:23 -0300
12+
13 libnfsidmap (0.25-5.1) unstable; urgency=medium
14
15 * Non-maintainer upload.
16diff --git a/debian/control b/debian/control
17index 0b140ef..283d221 100644
18--- a/debian/control
19+++ b/debian/control
20@@ -1,7 +1,8 @@
21 Source: libnfsidmap
22 Priority: optional
23 Section: libs
24-Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
25+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
26+XSBC-Original-Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
27 Build-Depends: dpkg-dev (>= 1.16.1~), debhelper (>= 9), libldap2-dev, autotools-dev, automake1.11, autoconf (>= 2.68), libtool
28 Standards-Version: 3.9.4
29 Homepage: http://www.citi.umich.edu/projects/nfsv4/linux/
30diff --git a/debian/patches/03-uid-map-krb5.patch b/debian/patches/03-uid-map-krb5.patch
31new file mode 100644
32index 0000000..2b07685
33--- /dev/null
34+++ b/debian/patches/03-uid-map-krb5.patch
35@@ -0,0 +1,30 @@
36+From 309a89975a50bf53c408233a1bb5b10fd579ca30 Mon Sep 17 00:00:00 2001
37+From: "Signed-off-by: Shijoe Panjikkaran" <spanjikk@redhat.com>
38+Date: Wed, 30 Apr 2014 13:19:34 -0400
39+Subject: [PATCH] nss: use strrchr() instead of strchr() to get the last
40+ occurrence of "@"
41+
42+Signed-off-by: Shijoe Panjikkaran <spanjikk@redhat.com>
43+Signed-off-by: Steve Dickson <steved@redhat.com>
44+
45+Origin: https://github.com/Distrotech/libnfsidmap/commit/309a89975
46+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924425
47+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libnfsidmap/+bug/1819197
48+Last-Update: 2019-03-15
49+---
50+ nss.c | 2 +-
51+ 1 file changed, 1 insertion(+), 1 deletion(-)
52+
53+diff --git a/nss.c b/nss.c
54+index b2b1227..f8129fe 100644
55+--- a/nss.c
56++++ b/nss.c
57+@@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char *domain)
58+ char *l = NULL;
59+ int len;
60+
61+- c = strchr(name, '@');
62++ c = strrchr(name, '@');
63+ if (c == NULL && domain != NULL)
64+ goto out;
65+ if (c == NULL && domain == NULL) {
66diff --git a/debian/patches/series b/debian/patches/series
67index 452e741..6a5cb27 100644
68--- a/debian/patches/series
69+++ b/debian/patches/series
70@@ -1,2 +1,3 @@
71 01-661215-wrong-double-ldap-check.patch
72 02-idmapd.conf.5.patch
73+03-uid-map-krb5.patch

Subscribers

People subscribed via source and target branches