> -----Original Message-----
> From: David Kupka [mailto:dku...@redhat.com]
> Sent: 8. december 2016 09:40
> To: Bjarne Blichfeldt <b...@jndata.dk>; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly
> create users, however user id is correct
> 
> On 08/12/16 08:57, Bjarne Blichfeldt wrote:
> > Anybody have any suggestion as to how to continue debugging this? The nfs
> > server resolves usernames by lookup in free-ipa ldap.
> >
> > After a lot of digging, I see that 4.4 introduced "krbcanonicalname", no
> > idea if that is relevant. Is there some update ldap procedure I am
> > missing? Just in case I ran an ipa-server-upgrade, which did not resolve
> > the issue.
> >
> >
:snip
> >
> >
> 
> Hello,
> I'm almost sure that 'krbcanonicalname' has nothing to do with this.
> Adding krbcanonicalname attribute was done to allow principal aliases
> (multiple kerberos principals for one user/host/service), see [1] for
> details.
> 
> Unfortunately, I don't know what's wrong. SSSD is taking care of resolving
> users and groups on enrolled systems. "id mgm" should output something like
> "id=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works properly.
> 
> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
> 
> --
> David Kupka

Thank you for that info. That led me somewhat further by increasing the debug
level on sssd, which led me to:

Dec  8 10:42:48 client nfsidmap[6663]: key: 0xae72f5 type: uid value: m...@realm.com timeout 600
Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Dec  8 10:42:48 client nfsidmap[6663]: nss_getpwnam: name 'm...@realm.com' domain 'REALM.COM': resulting localname 'mqm2'
Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: final return value is 0

Dec  8 10:42:48 client nfsidmap[6665]: key: 0xf56593 type: gid value: Null timeout 600
                                                                      ^^^^
Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: final return value is -22

Seems nfsidmap is not called with a gid value.

It seems nfsidmap is not called with a proper gid.
hm, the saga continues...

-- 
Regards
Bjarne Blichfeldt.




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
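
An added example, not part of the original messages: a small Python parser that groups nfsidmap debug lines like those quoted above into one record per upcall and reports the ones that were handed no usable name or ended with a non-zero return code. The sample log is constructed, and grouping by PID is an assumption stated in the code.

```python
import errno
import re

# Constructed sample, in the format of the nfsidmap debug lines quoted above
# (the principal alice@EXAMPLE.COM is made up).
SAMPLE = """\
Dec  8 10:42:48 client nfsidmap[6663]: key: 0xae72f5 type: uid value: alice@EXAMPLE.COM timeout 600
Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: final return value is 0
Dec  8 10:42:48 client nfsidmap[6665]: key: 0xf56593 type: gid value: Null timeout 600
Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: final return value is -22
"""

PREFIX = re.compile(r"nfsidmap\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KEY = re.compile(r"key: (?P<key>0x[0-9a-f]+) type: (?P<type>\w+) "
                 r"value: (?P<value>.*?) timeout (?P<timeout>\d+)$")
FINAL = re.compile(r"nfs4_\w+: final return value is (?P<rc>-?\d+)$")


def parse_requests(text):
    """Group nfsidmap lines into one record per upcall.

    Assumption: each upcall runs as its own nfsidmap process, so the PID
    identifies it within a short log excerpt (PIDs can repeat in long logs).
    """
    requests = {}
    for line in text.splitlines():
        prefix = PREFIX.search(line)
        if not prefix:
            continue  # not an nfsidmap line
        rec = requests.setdefault(prefix["pid"], {
            "pid": int(prefix["pid"]), "type": None, "value": None, "rc": None})
        key = KEY.match(prefix["msg"])
        final = FINAL.match(prefix["msg"])
        if key:
            rec["type"], rec["value"] = key["type"], key["value"]
        elif final:
            rec["rc"] = int(final["rc"])
    return list(requests.values())


def failed_lookups(text):
    """Return upcalls that got no usable name or ended with a non-zero code."""
    failed = []
    for rec in parse_requests(text):
        if rec["value"] == "Null" or rec["rc"] not in (0, None):
            name = errno.errorcode.get(-rec["rc"]) if rec["rc"] else None
            failed.append({**rec, "errno": name})
    return failed
```

Run over the sample, `failed_lookups(SAMPLE)` returns only the gid upcall, whose -22 maps to EINVAL.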