Hi Jakub,

Good to know about the patch. It's unfortunate I can get a faster and more detailed answer via the mailing list than GSS. Since I can't access the bugzilla, any idea if it's targeted at RHEL7 as well?
/aron

________________________________________
From: Jakub Hrozek [jhro...@redhat.com]
Sent: Wednesday, July 16, 2014 2:19 AM
To: Parsons, Aron
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 16 Jul 2014, at 03:29, Parsons, Aron <parso...@bit-sys.com> wrote:

> I ran into this issue last fall and have been running with a patched
> libnfsidmap since November while our support case with Red Hat waits on a
> resolution (pretty much have given up hope at this point). It's a trivial
> patch and removes the assumption that only one @ can be present in a username.
>
> With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6
> and EL7 in multiple environments all using NFSv4 mounts with ID mapping
> enabled. We have experienced zero issues with this patch applied. Without
> it, the AD trust setup is a no-go in any sort of real environment since NFSv4
> is broken.
>
> If you'd like to reference our support case, it's #00983906. Patch is
> included below.
>
> /aron
>

Hi Aron,

the support case you referenced is linked to bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked for
RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks the patch
will be released in 6.6.

>
>> From 305930bded0d377ebda858e8772ebf6527ba3f03 Mon Sep 17 00:00:00 2001
> From: Aron Parsons <parso...@bit-sys.com>
> Date: Fri, 15 Nov 2013 14:43:10 -0500
> Subject: [PATCH] account for usernames with @ in them
>
> ---
> libnfsidmap/nss.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/libnfsidmap/nss.c b/libnfsidmap/nss.c
> index 04aff19..f9ad4be 100644
> --- a/libnfsidmap/nss.c
> +++ b/libnfsidmap/nss.c
> @@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char
> *domain)
> char *l = NULL;
> int len;
>
> - c = strchr(name, '@');
> + c = strrchr(name, '@');
> if (c == NULL && domain != NULL)
> goto out;
> if (c == NULL && domain == NULL) {
> --
> 1.7.1
>
> -----
> Hi,
>
> First I wish to thank everybody that helped me out trying to solve this issue
> and I also wish to inform that NFS 4 does not work with AD users through an
> AD and IPA trust at the moment for RHEL 6 and 7.
>
> The reason is that rpc.idmapd does not parse fully-qualified usernames,
> so "adtest AD EXAMPLE o...@ipa.example.org" does not work.
> The client-side code is stripping the domain off based on the location of the
> first "@" character in the value returned by the server. This results in
> UID/GID mappings failing and resulting in ownership on the clients of
> "nobody".
>
> Regards,
> Johan
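Review bot: the strchr-to-strrchr swap in strip_domain() is the right separator choice, but the commit message ("account for usernames with @ in them") gives no rationale for why the rightmost '@' is correct; add a sentence stating that the NFSv4 domain is always the suffix appended after the local name, so for a fully-qualified trusted-AD user of the form "user@ad.realm@nfsdomain" every '@' before the last one belongs to the local name, and cite the observed failure from this thread (splitting at the first '@' leaves a suffix that does not match the idmap domain, so the id is mapped to nobody). The two unchanged checks that follow, `if (c == NULL && domain != NULL) goto out;` and `if (c == NULL && domain == NULL) {`, only fire when no '@' is present at all, so they are unaffected and nothing else in this function needs to change; a regression test with a two-'@' name next to a plain "user@nfsdomain" name would make that intent explicit.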
>
> From: Dmitri Pal [dpal redhat com]
> Sent: Thursday, June 05, 2014 21:03
> To: Johan Petersson; Alexander Bokovoy
> Cc: Sumit Bose; freeipa-users redhat com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> On 06/04/2014 09:57 AM, Johan Petersson wrote:
>> Yes the message is exactly like that with commas, I double checked.
>>
>> To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to
>> Local-Realms in idmap.conf might help?
>>
>> I did on all machines and got rid of that specific message but I still get
>> user nobody unfortunately.
>>
>> Here are logs from when I did a su - adtest AD h...@linux.home with both
>> AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
>>
>> Client:
>> Jun 4 15:30:13 client su: (to adtest ad home) linux on pts/0
>> Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest ad h...@linux.home timeout 600
>> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
>> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
>> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
>> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0
>
> Do we have a corresponding SSSD trace that shows the actual process of
> the resolution?
>
>
>>
>> NFS Server:
>> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
>> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
>> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
>> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
>> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "adtest ad h...@linux.home"
>> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
>> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
>> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
>> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
>> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "ad_users linux home"
>>
>> The group ad_users is an IPA group with external maps from AD Domain users.
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:abokovoy redhat com]
>> Sent: Wednesday, June 04, 2014 3:14 PM
>> To: Johan Petersson
>> Cc: dpal redhat com; freeipa-users redhat com
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>
>> On Wed, 04 Jun 2014, Johan Petersson wrote:
>>> Mail got posted before I was finished, sorry.
>>>
>>> I found one clue to the issue after increasing autofs logging to debug and
>>> as I thought it has to do with id-mapping.
>>>
>>>> From /var/log/messages:
>>>
>>> Nfsidmap[1696]: nss_getpwnam: name 'adtest ad h...@linux.home,' does not
>>> map into domain 'linux.home,'
>> Are you sure the message is exactly like this, with a comma after linux.home?
>>
>> The reason I'm asking is because the code that prints the message looks like
>> this:
>>
>>     localname = strip_domain(name, domain);
>>     IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
>>               "resulting localname '%s'\n", name, domain, localname));
>>     if (localname == NULL) {
>>         IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
>>                   "into domain '%s'\n", name,
>>                   domain ? domain : "<not-provided>"));
>>         goto err_free_buf;
>>     }
>>
>> note that it doesn't have a comma anywhere in the string printed.
>>
>> Can you please increase the log level to 4 so that we can see the first
>> string (nss_getpwnam: name '....' domain '...': resulting localname ...)? It
>> would be
>>
>> [general]
>> Verbosity = 4
>>
>> in /etc/idmapd.conf
>>
>>
>>
>>>
>>> From: freeipa-users-bounces redhat com
>>> [mailto:freeipa-users-bounces redhat com] On Behalf Of Johan Petersson
>>> Sent: Wednesday, June 04, 2014 12:02 PM
>>> To: dpal redhat com; freeipa-users redhat com
>>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>>
>>> Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.
>>>
>>> server.ad.home = AD Server
>>> share.linux.home = NFS Server
>>> ipa.linux.home = IPA Server
>>> client.linux.home = Client
>>>
>>> NFS with automounted krb5p Home Directories works for IPA users.
>>>
>>> sssd-1.11.2-65.el7.x86_64
>>>
>>> id adtest AD HOME
>>> uid=497801107(adtest ad home) gid=497801107(adtest ad home) groups=497801107(adtest ad home),497800513(domain users ad home)
>>>
>>> getent passwd adtest AD HOME
>>> adtest ad home:*:497801107:497801107::/home/ad.home/adtest:
>>>
>>> klist after kinit adtest AD HOME
>>>
>>> [root client ~]# klist -e
>>> Ticket cache: KEYRING:persistent:0:0
>>> Default principal: adtest AD HOME
>>>
>>> Valid starting     Expires            Service principal
>>> 06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/AD HOME AD HOME
>>>         renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>>
>>> klist after ssh adtest AD h...@ipa.linux.home
>>>
>>> klist
>>> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
>>> Default principal: adtest AD HOME
>>>
>>> Valid starting     Expires            Service principal
>>> 06/04/14 11:35:16  06/04/14 21:35:16  nfs/share linux home LINUX HOME
>>>         renew until 06/05/14 11:28:30
>>> 06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/LINUX HOME AD HOME
>>>         renew until 06/05/14 11:28:30
>>> 06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/AD HOME AD HOME
>>>         renew until 06/05/14 11:28:30
>>>
>>> Home Directory gets mounted by autofs through sssd but user:group is both
>>> nobody.
>>>
>>> The Client's sssd.conf:
>>>
>>> [domain/linux.home]
>>>
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = linux.home
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ipa_hostname = client.linux.home
>>> chpass_provider = ipa
>>> ipa_dyndns_update = True
>>> ipa_server = _srv_, ipa.linux.home
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> autofs_provider = ipa
>>> ipa_automount_location = default
>>> subdomains_provider = ipa
>>> [sssd]
>>> services = nss, pam, autofs, ssh
>>> config_file_version = 2
>>>
>>> domains = linux.home
>>> [nss]
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>>
>>>
>>> From: freeipa-users-bounces redhat com
>>> [mailto:freeipa-users-bounces redhat com] On Behalf Of Dmitri Pal
>>> Sent: Tuesday, June 03, 2014 6:48 PM
>>> To: freeipa-users redhat com
>>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>>
>>> On 06/03/2014 09:07 AM, Johan Petersson wrote:
>>> Hi,
>>>
>>> Environment:
>>>
>>> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
>>> RHEL 7 NFS Server
>>> RHEL 7 Client
>>>
>>> I have found one problem when using an NFS 4 shared Home Directory for AD
>>> users logging in to IPA.
>>> I have created an NFS share /home/adexample.org and use autofs map in IPA.
>>> All wbinfo tests work as well as id.
>>> I can login fine through SSH and Shell with adtest adexample org
>>> The problem is that I can add the AD user as owner of his Home Directory
>>> and if I log in to the NFS Server locally or through ssh permissions are
>>> correct but when logging in to any other computer I get "nobody" as owner.
>>>
>>> Are those computers RHEL7 NFS clients with SSSD?
>>> Can you describe them in more detail please?
>>>
>>> Groups are no problem since AD groups can be mapped to Posix groups.
>>>
>>> Idmap.conf domain is set to the IPA Domain.
>>>
>>> Is there some way to get NFS working with the AD user as owner of his Home
>>> Directory?
>>>
>>> Thanks for any help.
>>>
>>>
>>> This e-mail is private and confidential between the sender and the
>>> addressee.
>>> In the event of misdirection, the recipient is prohibited from using,
>>> copying or disseminating it or any information in it. Please notify the
>>> above if any misdirection.
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users redhat com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>
>> --
>> / Alexander Bokovoy
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
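The domain-stripping step that the thread keeps coming back to, as an added example that is not libnfsidmap's own code and not part of the original thread: a small C re-implementation of what nss.c's strip_domain() does when an NFSv4 client receives "localname@nfsdomain" from the server, with a flag to select the original strchr() behaviour or the patched strrchr() behaviour. The inputs are constructed for the example: "johan@linux.home" as an ordinary IPA user, "adtest@ad.home@linux.home" as a trusted-AD user whose local name is itself fully qualified, and "linux.home" assumed as the idmap domain. The real function also handles the case-insensitive domain compare and the no-domain path the same way, but the surrounding nss_getpwnam() logging and buffer handling are left out.

```c
/* strip_domain_demo.c: added example, not libnfsidmap's code.
 *
 * Re-implements the domain-stripping step of nss.c's strip_domain() so that
 * the strchr() (original) and strrchr() (patched) variants can be compared on
 * an NFSv4 name that contains two '@'. All sample names are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: the domain compare is case-insensitive */

/* Strip the NFSv4 domain suffix from `name` and return a malloc'ed local name,
 * or NULL when the suffix is not `domain` (the caller then maps to nobody).
 * use_last_at == 0 mirrors the pre-patch strchr(); 1 mirrors strrchr(). */
char *strip_domain_demo(const char *name, const char *domain, int use_last_at)
{
    const char *c = use_last_at ? strrchr(name, '@') : strchr(name, '@');
    char *l = NULL;
    size_t len;

    if (c == NULL && domain != NULL)
        return NULL;                    /* no '@' but a domain is required */
    if (c == NULL) {
        len = strlen(name);             /* no domain configured: whole name is local */
    } else {
        if (domain != NULL && strcasecmp(c + 1, domain) != 0)
            return NULL;                /* suffix belongs to some other domain */
        len = (size_t)(c - name);       /* everything before the chosen '@' */
    }
    l = malloc(len + 1);
    if (l == NULL)
        return NULL;
    memcpy(l, name, len);
    l[len] = '\0';
    return l;
}

/* Returns 1 if strip_domain_demo() yields exactly `expected` (NULL meaning
 * "does not map"), 0 otherwise. Frees the result so callers need not. */
int maps_to(const char *name, const char *domain, int use_last_at,
            const char *expected)
{
    char *got = strip_domain_demo(name, domain, use_last_at);
    int ok = (got == NULL) ? (expected == NULL)
                           : (expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed inputs, as the server would send them with linux.home
     * assumed as the idmap domain. */
    const char *ipa_user = "johan@linux.home";
    const char *ad_user  = "adtest@ad.home@linux.home";
    const char *domain   = "linux.home";
    const char *variant[2] = { "strchr (original)", "strrchr (patched)" };

    for (int v = 0; v < 2; v++) {
        char *a = strip_domain_demo(ipa_user, domain, v);
        char *b = strip_domain_demo(ad_user, domain, v);
        printf("%-18s %-26s -> %s\n", variant[v], ipa_user, a ? a : "(NULL: nobody)");
        printf("%-18s %-26s -> %s\n", variant[v], ad_user,  b ? b : "(NULL: nobody)");
        free(a);
        free(b);
    }
    return 0;
}
```

With the original strchr() the AD user's suffix after the first '@' is "ad.home@linux.home", which does not equal the idmap domain, so the function returns NULL and the client falls back to nobody; with strrchr() the suffix is "linux.home" and the local name "adtest@ad.home" is handed to NSS. The plain IPA user maps identically under both variants, which is why the bug only shows up once a trust brings fully-qualified names into play.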