I found one clue to the issue and as I thought it has to do with m

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
Sent: Wednesday, June 04, 2014 12:02 PM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.

server.ad.home = AD Server
share.linux.home = NFS Server
ipa.linux.home = IPA Server
client.linux.home = Client

NFS with automounted krb5p Home Directories works for IPA users.

sssd-1.11.2-65.el7.x86_64

id adt...@ad.home
uid=497801107(adt...@ad.home) gid=497801107(adt...@ad.home) groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)

getent passwd adt...@ad.home
adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:

klist after kinit adt...@ad.home

[root@client ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: adt...@ad.home

Valid starting       Expires              Service principal
06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/ad.h...@ad.home
        renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

klist after ssh adt...@ad.home@ipa.linux.home

klist
Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
Default principal: adt...@ad.home

Valid starting       Expires              Service principal
06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.h...@linux.home
        renew until 06/05/14 11:28:30
06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/linux.h...@ad.home
        renew until 06/05/14 11:28:30
06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/ad.h...@ad.home
        renew until 06/05/14 11:28:30

Home Directory gets mounted by autofs through sssd but user:group is both nobody.
The Client's sssd.conf:

[domain/linux.home]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.home
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.linux.home
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.linux.home
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
subdomains_provider = ipa

[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2
domains = linux.home

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, June 03, 2014 6:48 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/03/2014 09:07 AM, Johan Petersson wrote:
> Hi,
>
> Environment:
> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
> RHEL 7 NFS Server
> RHEL 7 Client
>
> I have found one problem when using an NFS 4 shared Home Directory for AD users logging in to IPA.
> I have created an NFS share /home/adexample.org and use an autofs map in IPA.
> All wbinfo tests work, as does id.
> I can log in fine through SSH and Shell with adt...@adexample.org
> The problem is that I can add the AD user as owner of his Home Directory and if I log in to the NFS Server locally or through ssh permissions are correct, but when logging in to any other computer I get "nobody" as owner.

Are those computers RHEL7 NFS clients with SSSD? Can you describe them in more detail please?

> Groups are no problem since AD groups can be mapped to Posix groups.
> Idmap.conf domain is set to the IPA Domain.
>
> Is there some way to get NFS working with the AD user as owner of his Home Directory?
>
> Thanks for any help.
>
> This e-mail is private and confidential between the sender and the addressee. In the event of misdirection, the recipient is prohibited from using, copying or disseminating it or any information in it. Please notify the above if any misdirection.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
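The thread walks a fixed chain of checks on the client by hand: does the AD user resolve through SSSD (id, getent), is a service ticket for nfs/<server> in the credential cache after login, and does the automounted home show the real owner or the unmapped "nobody". The script below is an added example that repeats that chain in one place and reports which step breaks; it is not code from the thread, from FreeIPA or from SSSD. The user principal, the NFS server name, the SAMPLE_KLIST text and the nfsnobody check (the name RHEL 7 gives uid 65534) are assumptions made for illustration, not values taken from Johan's output.

```shell
#!/bin/bash
# Added diagnostic (not from the thread, FreeIPA or SSSD): repeats the checks
# Johan ran by hand on an NFS client and reports which step fails.
# Usage: ./nfs_home_check.sh 'user@ad.home' share.linux.home
# The user, server and the sample klist output below are constructed examples.

# Print the klist line(s) (read from stdin) holding a service ticket for
# nfs/<server>. Returns 1 when no such ticket is cached, which means the
# krb5p mount could not have been authenticated for this session.
ticket_for_nfs() {
    local server="$1"
    grep -F "nfs/${server}@"
}

# Extract the home directory (field 6) from a passwd(5) line, as printed by
# "getent passwd user".
passwd_home() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Return 0 when a "user:group" owner string shows an unmapped id. "nobody" is
# what the thread reports; nfsnobody is the RHEL 7 name for uid/gid 65534
# (assumption: the client uses the stock RHEL 7 passwd entries).
owner_unmapped() {
    case "$1" in
        nobody:*|*:nobody|nfsnobody:*|*:nfsnobody) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample in the shape of the thread's post-login klist output.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:497801107:krb_ccache_sample
Default principal: adtest@AD.HOME

Valid starting       Expires              Service principal
06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.home@LINUX.HOME
        renew until 06/05/14 11:28:30
06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/LINUX.HOME@AD.HOME
        renew until 06/05/14 11:28:30
06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/AD.HOME@AD.HOME
        renew until 06/05/14 11:28:30'

# Live checks against the running system; $1 = user, $2 = NFS server FQDN.
check_client() {
    local user="$1" server="$2" entry home owner status=0
    if ! id "$user" >/dev/null 2>&1; then
        echo "FAIL: id cannot resolve $user (SSSD / trust lookup)"
        return 1
    fi
    entry=$(getent passwd "$user") || { echo "FAIL: getent passwd $user"; return 1; }
    home=$(passwd_home "$entry")
    echo "OK: $user resolves, home=$home"

    if klist 2>/dev/null | ticket_for_nfs "$server" >/dev/null; then
        echo "OK: service ticket for nfs/$server is cached"
    else
        echo "WARN: no nfs/$server ticket in the current ccache"
        status=1
    fi

    # Listing the path makes autofs mount it before stat reads the owner.
    ls "$home" >/dev/null 2>&1
    owner=$(stat -c '%U:%G' "$home" 2>/dev/null) || { echo "FAIL: cannot stat $home"; return 1; }
    if owner_unmapped "$owner"; then
        echo "FAIL: $home is owned by $owner: NFSv4 id mapping did not map the owner on this client"
        status=1
    else
        echo "OK: $home owned by $owner"
    fi
    return $status
}

# Run the live checks only when both arguments are given, so the helper
# functions can also be sourced and tested on their own.
if [ "$#" -eq 2 ]; then
    check_client "$1" "$2"
fi
```

Run it as the AD user after logging in (so klist sees that user's KEYRING ccache, as in the thread) and once as an IPA user: the IPA user passing all three steps while the AD user fails only the last one isolates the problem to owner mapping on the client rather than to the trust lookup or to Kerberos.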