| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| Labs: Reduce labstore* LDAP config to the minimum | operations/puppet | production | +114 -0 |
Details
Details
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | coren | T87870 Labs NFSv4/idmapd mess | |||
| Duplicate | coren | T95559 Disable LDAP and enable admin puppet module on labstore100[12] |
Event Timeline
Comment Actions
This will have to be done otherwise as many users are members of more than eight groups and NFS needs to be able to check group membership for permissions. Investigating alternatives.
Comment Actions
Change 207514 had a related patch set uploaded (by coren):
Labs: reconfigure LDAP to be sane on labstores
Comment Actions
A good summary of the issue:
NFS's protocol places a hard limit on the number of supplemental groups that can be sent along a transaction for permission checks (8, 12 or 16 depending on a number of negociated things at mount such as version of server and client, packet size, etc). As we use group membership for membership to projects, service groups, and a number of other things, pretty much all users have more than 8 groups and most have more than 12 or 16.
This breaks NFS permission checks.
The NFS server provides another mechanism to check for group permissions to entirely circumvent that protocol limitation: check for what groups a user is a member of on the server side. That does, however, require that the server has access to the group list and the users that are member of those groups.
Short story: the NFS server must "see" the groups and users from LDAP.
The attached patch includes the absolute minimum nslcd config to have both ldap users and groups visible via get*ent() without (a) interfering with puppet managing named accounts, and (b) without having an impact on server security and authorization.
(a) is done by renaming the accounts to their numeric ids. So that the account 'marc' coming from ldap is named '2138' on labstore*, for instance (likewise with the groups). Because nsswitch.conf is configured to use files before ldap, puppet is free to manage an account named 'marc' in /etc/passwd without interference.
(b) is done by:
- not getting the shadow table from ldap at all;
- forcibly setting the shell of ldap accounts to /dev/null; and
- not enabing PAM logins for LDAP accounts
Comment Actions
I don't have any comments on the issue at hand yet, but a couple of meta-issues:
- This description should be in the commit message (and should have been in the first place, as the commit was very confusing by itself)
- I don't understand why this is a separate task from T87870. Given that this wasn't created as a subtask either and I wasn't manually added to Cc, I totally missed the summary until now where I accidentally bumped into this :(
Comment Actions
Change 207514 abandoned by coren:
Labs: Reduce labstore* LDAP config to the minimum
Reason:
A better way to do this was concocted by Faidon.