TomK wrote:
> On 3/12/2018 11:25 AM, Rob Crittenden wrote:
>> TomK wrote:
>>> On 3/7/2018 1:11 PM, Rob Crittenden wrote:
>>> Hey Rob,
>>>
>>> When starting idmapd or stopping it, logs on the LDAP server don't
>>> change.  But UID and GIDs change to nfsnobody when I set Nobody-User
>>> and Nobody-Group to nfsnobody in /etc/idmapd.conf.
>>
>> I don't know that merely restarting the service is going to spark
>> queries against LDAP. You'd probably need to do something to provoke
>> that (like doing an ls).
> Nothing.  Once at restart of the host do I see something from ls but on
> second execution of ls or any type of directory interaction, nothing
> happens.  Then it repeats randomly.

Can you expand on this? What are you seeing on the client side? What
queries do you see in LDAP related to the request (any?) Remember that
the 389-ds access log is buffered so it can take up to 30 seconds for
the logs to update.

rob

>>
>>> [General]
>>> Verbosity = 9
>>> Domain = nix.my.dom
>>> [Mapping]
>>> Nobody-User = nfsnobody
>>> Nobody-Group = nfsnobody
>>> [Translation]
>>> [Static]
>>> [UMICH_SCHEMA]
>>> LDAP_server = idmipa01.nix.my.dom
>>> LDAP_base = cn=accounts,DC=NIX,DC=MY,DC=DOM
>>> LDAP_people_base = DC=NIX,DC=MY,DC=DOM
>>> LDAP_group_base = DC=NIX,DC=MY,DC=DOM
>>
>> The people basedn should probably be cn=users,cn=accounts,... and the
>> group base cn=groups,cn=accounts,... Unless it cleverly smashes that
>> together with LDAP_base, I'm not sure what it does. The 389-ds access
>> logs will tell you if it is trying at all (note the logs are
>> write-buffered so you won't see immediate updates).
>>
>> If you have compat enabled then idmapd may be getting multiple entries,
>> one from cn=compat and one from the main tree and that could be
>> confusing it.
> No difference.  Even the IP defined users are having this issue.
> 
> However, and this may be a very dumb question, but you raised 389-ds
> logs.  I'm using IPA Server, not 389-ds unless you're implying I may
> need packages?  The IPA servers come with 389-ds-base installed but do I
> need this or something else on the IPA clients as well?
> 
> In the existing IPA logs, no other log entries correlate with the
> nfsidmapd messages on the client.
> 
> Method = umich_ldap,nsswitch,static
> GSS-Methods = umich_ldap,nsswitch,static
> 
> However it still lists:
> 
> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
> user_dn : <not-supplied>
> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
> passwd  : <not-supplied>
> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
> use_ssl : no
> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
> ca_cert : <not-supplied>
> 
> and I'm not sure what variables idmapd.conf uses for password and user.
> Still, I've left the LAB KDC open so no users and passes are needed for
> simple lookups.
> 
> After setting the above, the messages in the logs changed slightly:
> 
> Mar 15 01:29:24 ipaclient01 systemd-logind: New session 5 of user tomk.
> Mar 15 01:29:24 ipaclient01 systemd: Started Session 5 of user tomk.
> Mar 15 01:29:24 ipaclient01 systemd: Starting Session 5 of user tomk.
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid
> value: tomk@localdomain timeout 600
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
> umich_ldap->name_to_uid
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version
> mismatch between API information and protocol version. Setting protocol
> version to 3
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
> umich_ldap->name_to_uid returned -2
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
> nsswitch->name_to_uid
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
> 'tomk@localdomain' domain 'nix.my.dom': resulting localname '(null)'
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
> 'tomk@localdomain' does not map into domain 'nix.my.dom'
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
> nsswitch->name_to_uid returned -22
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final
> return value is -22
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
> umich_ldap->name_to_uid
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version
> mismatch between API information and protocol version. Setting protocol
> version to 3
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
> umich_ldap->name_to_uid returned -2
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
> nsswitch->name_to_uid
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
> 'nob...@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
> nsswitch->name_to_uid returned 0
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final
> return value is 0
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid
> value: tomk@localdomain timeout 600
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
> umich_ldap->name_to_gid
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version
> mismatch between API information and protocol version. Setting protocol
> version to 3
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
> umich_ldap->name_to_gid returned -2
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
> nsswitch->name_to_gid
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
> nsswitch->name_to_gid returned -22
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final
> return value is -22
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
> umich_ldap->name_to_gid
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version
> mismatch between API information and protocol version. Setting protocol
> version to 3
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
> umich_ldap->name_to_gid returned -2
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
> nsswitch->name_to_gid
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
> nsswitch->name_to_gid returned 0
> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final
> return value is 0
> 
> (Port 389 between client and server are open.) Seems like the line:
> 
> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid
> value: tomk@localdomain timeout 600
> 
> might be to blame.  It's the first line that shows localdomain, but it
> should not.  My hosts file:
> 
> [root@ipaclient01 ~]# cat /etc/hosts
> 127.0.0.1       localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1             localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 192.168.0.236   ipaclient01.nix.my.dom ipaclient01
> [root@ipaclient01 ~]#
> 
> Guessing key gets its info from /etc/hosts directly and I should look
> at that?
> 
> Cheers,
> Tom
> 
>>
>> rob
>>
>>>
>>> Cheers,
>>> Tom
>>>
>>>> TomK via FreeIPA-users wrote:
>>>>> Hey Guys,
>>>>>
>>>>> Getting below message which in turn fails to list proper UID / GID on
>>>>> NFSv4 mounts from within an unprivileged account. All files show up
>>>>> with
>>>>> owner and group as nobody / nobody when viewed from the client.
>>>>>
>>>>> Is there a way to structure /etc/idmapd.conf to allow for proper UID /
>>>>> GID resolution?  Or perhaps another solution?
>>>>>
>>>>>
>>>>> [root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e "/^$/d"
>>>>> [General]
>>>>> Verbosity = 7
>>>>> Domain = nix.my.dom
>>>>> [Mapping]
>>>>> [Translation]
>>>>> [Static]
>>>>> [UMICH_SCHEMA]
>>>>> LDAP_server = ldap-server.local.domain.edu
>>>>> LDAP_base = dc=local,dc=domain,dc=edu
>>>>> [root@client01 etc]#
>>>>>
>>>>> Mount looks like this:
>>>>>
>>>>> nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4
>>>>> (rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)
>>>>>
>>>>> /var/log/messages
>>>>>
>>>>> Mar  6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid
>>>>> value: t...@my.dom@localdomain timeout 600
>>>>> Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling
>>>>> nsswitch->name_to_uid
>>>>> Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
>>>>> 't...@my.dom@localdomain' domain 'nix.my.dom': resulting localname
>>>>> '(null)'
>>>>> Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
>>>>> 't...@my.dom@localdomain' does not map into domain 'nix.my.dom'
>>>>> Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid:
>>>>> nsswitch->name_to_uid returned -22
>>>>> Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final
>>>>> return
>>>>> value is -22
>>>>> Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling
>>>>> nsswitch->name_to_uid
>>>>> Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
>>>>> 'nob...@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
>>>>> Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid:
>>>>> nsswitch->name_to_uid returned 0
>>>>> Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final
>>>>> return
>>>>> value is 0
>>>>> Mar  6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid
>>>>> value: t...@my.dom@localdomain timeout 600
>>>>> Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling
>>>>> nsswitch->name_to_gid
>>>>> Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid:
>>>>> nsswitch->name_to_gid returned -22
>>>>> Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final
>>>>> return
>>>>> value is -22
>>>>> Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling
>>>>> nsswitch->name_to_gid
>>>>> Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid:
>>>>> nsswitch->name_to_gid returned 0
>>>>> Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final
>>>>> return
>>>>> value is 0
>>>>> Mar  6 00:17:31 client01 systemd-logind: Removed session 23.
>>>>>
>>>>> Result of:
>>>>>
>>>>> systemctl restart rpcidmapd
>>>>>
>>>>> /var/log/messages
>>>>> -------------------
>>>>> Mar  5 23:46:12 client01 systemd: Stopping Automounts filesystems on
>>>>> demand...
>>>>> Mar  5 23:46:13 client01 systemd: Stopped Automounts filesystems on
>>>>> demand.
>>>>> Mar  5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping
>>>>> service...
>>>>> Mar  5 23:48:51 client01 systemd: Starting Preprocess NFS
>>>>> configuration...
>>>>> Mar  5 23:48:51 client01 systemd: Started Preprocess NFS
>>>>> configuration.
>>>>> Mar  5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping
>>>>> service...
>>>>> Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using domain:
>>>>> nix.my.dom
>>>>> Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms list:
>>>>> 'NIX.MY.DOM'
>>>>> Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: using
>>>>> domain: nix.my.dom
>>>>> Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: Realms
>>>>> list: 'NIX.MY.DOM'
>>>>> Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: loaded
>>>>> plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>>>> Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded plugin
>>>>> /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>>>> Mar  5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is 600
>>>>> seconds.
>>>>> Mar  5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping
>>>>> service.
>>>>> Mar  5 23:48:51 client01 rpc.idmapd[14118]: Opened
>>>>> /proc/net/rpc/nfs4.nametoid/channel
>>>>> Mar  5 23:48:51 client01 rpc.idmapd[14118]: Opened
>>>>> /proc/net/rpc/nfs4.idtoname/channel
>>>>>
>>>>
>>>> You might be able to correlate that to the 389-ds access log to see
>>>> what
>>>> queries are being executed.
>>>>
>>>> You probably need to set LDAP_people_base and LDAP_group_base as well.
>>>>
>>>> I think ipa-client-automount only sets the Domain value and doesn't
>>>> configure the ldap section at all.
>>>>
>>>> rob
>>>> _______________________________________________
>>>> sssd-users mailing list -- sssd-us...@lists.fedorahosted.org
>>>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>>>
>>>
>>>
>>
> 
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
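To make the failure pattern in these nfsidmap logs easier to spot across many clients, here is a small added example (written for this page, not code from the thread or from nfs-utils) that groups the nfsidmap lines into one lookup per key request and explains each failed lookup in terms of the domain check discussed above. The sample log lines are constructed to mirror the ones quoted in the thread; the only assumption is that the client's idmapd.conf Domain is nix.my.dom, as in the thread.

```python
import re
from dataclasses import dataclass, field
# Constructed sample modelled on the nfsidmap lines quoted in the thread (one syslog line each).
SAMPLE_LOG = """\
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'tomk@localdomain' does not map into domain 'nix.my.dom'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid value: tomk@nix.my.dom timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final return value is 0
"""
KEY_RE = re.compile(r"nfsidmap\[(\d+)\]: key: \S+ type: (uid|gid) value: (\S+)")
RET_RE = re.compile(r"nfsidmap\[(\d+)\]: nfs4_name_to_[ug]id: (\w+)->name_to_[ug]id returned (-?\d+)")
FINAL_RE = re.compile(r"nfsidmap\[(\d+)\]: nfs4_name_to_[ug]id: final return value is (-?\d+)")

@dataclass
class Lookup:
    kind: str                                    # "uid" or "gid"
    name: str                                    # owner string the NFS server sent
    results: dict = field(default_factory=dict)  # mapping method -> return code
    final: "int | None" = None

def parse_nfsidmap(log):
    """One Lookup per 'key:' request, grouped by the nfsidmap helper's PID. Lines after
    'final return value' belong to the fallback lookup for nobody@<domain> (same PID, no
    new 'key:' line, as in the thread's log), so they are deliberately ignored."""
    active, done = {}, []
    for line in log.splitlines():
        if m := KEY_RE.search(line):
            active[m.group(1)] = Lookup(m.group(2), m.group(3))
        elif (m := RET_RE.search(line)) and m.group(1) in active:
            active[m.group(1)].results[m.group(2)] = int(m.group(3))
        elif (m := FINAL_RE.search(line)) and m.group(1) in active:
            done.append(active.pop(m.group(1)))
            done[-1].final = int(m.group(2))
    return done

def diagnose(lk, local_domain):
    # Mirrors the check nss_getpwnam logs: the name's domain must equal the configured Domain.
    if lk.final == 0:
        return "ok"
    sent = lk.name.rsplit("@", 1)[1] if "@" in lk.name else ""
    if sent != local_domain:
        return f"domain mismatch: server sent '{sent}', client Domain is '{local_domain}'"
    if lk.results.get("umich_ldap") == -2:
        return "umich_ldap found no entry: check LDAP_people_base / LDAP_group_base"
    return f"lookup failed with {lk.final}"
```

Run it against /var/log/messages with the Domain from the client's idmapd.conf; a "domain mismatch" verdict means the owner string the server sends (here tomk@localdomain) is what needs fixing, not the LDAP bases.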
