On 06/04/2014 09:57 AM, Johan Petersson wrote:
Yes the message is exactly like that with commas, I double checked.

To answer Sumit's question: maybe adding 'linux.home' and 'ad.home' to
Local-Realms in idmapd.conf might help?

I did that on all machines and got rid of that specific message, but I still get user
nobody, unfortunately.

Here are logs from when I did a su - adt...@ad.home@linux.home with both
AD.HOME and LINUX.HOME added to Local-Realms in idmapd.conf.

Client:
Jun  4 15:30:13 client su: (to adt...@ad.home) linux on pts/0
Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adt...@ad.home@linux.home timeout 600
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of the resolution?



NFS Server:
Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "adt...@ad.home@linux.home"
Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "ad_us...@linux.home"

The group ad_users is an IPA group with external maps from AD Domain Users.

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Wednesday, June 04, 2014 3:14 PM
To: Johan Petersson
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On Wed, 04 Jun 2014, Johan Petersson wrote:
Mail got posted before I was finished, sorry.

I found one clue to the issue after increasing autofs logging to debug, and, as I
thought, it has to do with ID mapping.

From /var/log/messages:

Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map into domain 'linux.home,'
Are you sure the message is exactly like this, with a comma after linux.home?

The reason I'm asking is because the code that prints the message looks like 
this:

         localname = strip_domain(name, domain);
         IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
                   "resulting localname '%s'\n", name, domain, localname));
         if (localname == NULL) {
                 IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
                         "into domain '%s'\n", name,
                         domain ? domain : "<not-provided>"));
                 goto err_free_buf;
         }

Note that it doesn't have a comma anywhere in the string printed.

Can you please increase the log level to 4 so that we can see the first string
(nss_getpwnam: name '....' domain '...': resulting localname ...)? It would be

[general]
   Verbosity = 4

in /etc/idmapd.conf




From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
Sent: Wednesday, June 04, 2014 12:02 PM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

Yes, the client is default RHEL 7, and both the IPA and NFS servers are as well.


server.ad.home = AD Server
share.linux.home = NFS Server
ipa.linux.home = IPA Server
client.linux.home = Client

NFS with automounted krb5p Home Directories work for IPA users.

sssd-1.11.2-65.el7.x86_64

id adt...@ad.home
uid=497801107(adt...@ad.home)
gid=497801107(adt...@ad.home)
groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)

getent passwd adt...@ad.home
adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:

klist after kinit adt...@ad.home

[root@client ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: adt...@ad.home

Valid starting     Expires            Service principal
06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/ad.h...@ad.home
         renew until 06/05/14 11:28:30, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

klist after ssh adt...@ad.home@ipa.linux.home

klist
Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
Default principal: adt...@ad.home

Valid starting     Expires            Service principal
06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.h...@linux.home
         renew until 06/05/14 11:28:30
06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/linux.h...@ad.home
         renew until 06/05/14 11:28:30
06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/ad.h...@ad.home
         renew until 06/05/14 11:28:30

The home directory gets mounted by autofs through SSSD, but user:group are both
nobody.

The Client's sssd.conf:

[domain/linux.home]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.home
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.linux.home
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.linux.home
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
subdomains_provider = ipa
[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2

domains = linux.home
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, June 03, 2014 6:48 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/03/2014 09:07 AM, Johan Petersson wrote:
Hi,

Environment:

RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
RHEL 7 NFS Server
RHEL 7 Client

I have found one problem when using an NFS 4 shared home directory for AD users
logging in to IPA.
I have created an NFS share /home/adexample.org and use an autofs map in IPA.
All wbinfo tests work, as well as id.
I can log in fine through SSH and shell with adt...@adexample.org
The problem is that I can add the AD user as owner of his home directory, and if I log in
to the NFS server locally or through SSH the permissions are correct, but when logging in to
any other computer I get "nobody" as owner.
Are those computers RHEL7 NFS clients with SSSD?
Can you describe them in more details please?

Groups are no problem, since AD groups can be mapped to POSIX groups.

The idmapd.conf Domain is set to the IPA domain.

Is there some way to get NFS working with the AD user as owner of his Home 
Directory?

Thanks for any help.





_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
/ Alexander Bokovoy



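Added example, not code from any message in this thread and not nfs-utils or SSSD code: a small Python model of the NFSv4 idmap name handling the thread is debugging, so the two symptoms (the client's first name_to_gid attempt returning -22 before the second returns 0, and a name that "does not map into domain 'linux.home,'") can be reproduced on the desk. The mapping rules are an assumption modelled on the strip_domain() logic quoted in Alexander's reply (split on the last '@', compare the suffix case-insensitively with the configured domain, try each Local-Realms entry in turn); the passwd/group tables are constructed from the `id` and `getent` output in the thread, not a live SSSD lookup, and the fallback ID is a placeholder for whatever Nobody-User/Nobody-Group resolve to on a real host.

```python
# Added example (not from the thread, not nfs-utils/SSSD code): a model of
# NFSv4 idmap name <-> id handling with an IPA+AD trust.
#
# Assumptions, labelled: the stripping rule mirrors the strip_domain() quoted in
# the thread (last '@', case-insensitive suffix compare); Local-Realms entries
# are tried in order; FALLBACK_ID stands in for whatever Nobody-User resolves to.

FALLBACK_ID = 65534  # placeholder for the Nobody-User/Nobody-Group identity

# Constructed sample data mirroring the thread's `id`/`getent` output.
PASSWD = {"adtest@ad.home": 497801107}
GROUPS = {"adtest@ad.home": 497801107, "ad_users": 1120000005}


def parse_realm_list(value):
    """Split an idmapd.conf value such as 'LINUX.HOME, AD.HOME' into realms.
    Whitespace is trimmed and empty items (e.g. from a trailing comma) are
    dropped, so a stray comma can never become part of a domain string."""
    return [r.strip() for r in value.split(",") if r.strip()]


def strip_domain(name, domain):
    """Return the local part of an NFSv4 owner string when the suffix after the
    LAST '@' equals `domain` (case-insensitive); None when it does not map.
    'adtest@ad.home@linux.home' with domain 'linux.home' -> 'adtest@ad.home'."""
    at = name.rfind("@")
    if at < 0:
        return name if domain is None else None
    if domain is not None and name[at + 1:].lower() != domain.lower():
        return None
    return name[:at]


def name_to_id(name, local_realms, table, fallback=FALLBACK_ID):
    """Client-side model of nss name->id: try each local realm in turn, strip it,
    look the remainder up in `table`. Returns (id, localname, attempts); a
    realm that does not match counts as a failed attempt (the -22 in the log)."""
    attempts = 0
    for realm in local_realms:
        attempts += 1
        local = strip_domain(name, realm)
        if local is None or local not in table:
            continue
        return table[local], local, attempts
    return fallback, None, attempts


def id_to_name(ident, domain, table):
    """Server-side model of nss id->name: find the local name for `ident` and
    append '@' + domain, which is how 'adtest@ad.home' appears on the wire as
    'adtest@ad.home@linux.home' (the double-'@' form seen in the server log)."""
    for name, value in table.items():
        if value == ident:
            return f"{name}@{domain}"
    return None


if __name__ == "__main__":
    wire = id_to_name(497801107, "linux.home", PASSWD)
    print("server sends:", wire)
    for cfg in ("LINUX.HOME", "AD.HOME, LINUX.HOME", "LINUX.HOME,"):
        realms = parse_realm_list(cfg)
        print(cfg, "->", realms, "->", name_to_id(wire, realms, PASSWD))
    # A realm string that kept its comma never matches and yields the fallback.
    print("comma kept:", name_to_id(wire, ["linux.home,"], PASSWD))
```

Running it shows the ordering effect from the client log (with AD.HOME listed first the first attempt fails and the second succeeds) and that any domain string carrying a trailing comma maps nothing at all, which is the case worth checking once the Verbosity = 4 output shows the 'domain' value idmapd actually parsed.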
