On (08/12/16 10:24), Bjarne Blichfeldt wrote:
>> -----Original Message-----
>> From: David Kupka [mailto:dku...@redhat.com]
>> Sent: 8. december 2016 09:40
>> To: Bjarne Blichfeldt <b...@jndata.dk>; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly
>> created users, however user id is correct
>>
>> On 08/12/16 08:57, Bjarne Blichfeldt wrote:
>> > Anybody have any suggestion as how to continue debugging this? The nfs
>> > server resolves usernames by lookup in free-ipa ldap.
>> >
>> > After a lot of digging, I see that 4.4 introduced "krbcanonicalname", no
>> > idea if that is relevant. Is there some ldap update procedure I am missing?
>> > Just in case I ran an ipa-server-upgrade, which did not resolve the issue.
>> >
>> > :snip
>> >
>>
>> Hello,
>> I'm almost sure that 'krbcanonicalname' has nothing to do with this.
>> Adding the krbcanonicalname attribute was done to allow principal aliases
>> (multiple kerberos principals for one user/host/service), see [1] for details.
>>
>> Unfortunately, I don't know what's wrong. SSSD is taking care of resolving
>> users and groups on enrolled systems. "id mgm" should output something like
>> "id=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works properly.
>>
>> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
>>
>> --
>> David Kupka
>
> Thank you for that info. That led me somewhat further by increasing the debug
> on sssd, which led me to:
>
> Dec 8 10:42:48 client nfsidmap[6663]: key: 0xae72f5 type: uid value: m...@realm.com timeout 600
> Dec 8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: calling nsswitch->name_to_uid
> Dec 8 10:42:48 client nfsidmap[6663]: nss_getpwnam: name 'm...@realm.com' domain 'REALM.COM': resulting localname 'mqm2'
> Dec 8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
> Dec 8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: final return value is 0
>
> Dec 8 10:42:48 client nfsidmap[6665]: key: 0xf56593 type: gid value: Null timeout 600
>                                                                      ^^^^^^^^^
> Dec 8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Dec 8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> Dec 8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: final return value is -22
>
> Seems nfsidmap is not called with a gid value.
>
> It seems nfsidmap is not called with a proper gid.
> hm, the saga continues...
>

You might want to use the sss nfsidmap plugin.
* set method in /etc/idmap.conf to sss
* restart nfsidmapd
BTW, in Fedora and sssd-1.14+ it is part of the recommended package sssd-nfs-idmap
(weak dependency); older versions and other distributions might have it packaged in
sssd-common: /usr/lib64/libnfsidmap/sss.so

LS
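The method switch the reply above recommends, as an added example that is not part of the thread: a small POSIX sh/awk script that reads the Method line from the [Translation] section of an idmapd.conf, reports whether sss is enabled, and rewrites the line. It works on constructed sample files in a temporary directory; the real file is /etc/idmapd.conf, and the file names, the demo_dir variable and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: inspect and rewrite the name<->id
# translation method in an idmapd.conf (the real file is /etc/idmapd.conf).
# The sample files below are constructed so the script runs offline.

# Print the comma-separated Method list from the [Translation] section.
idmapd_method() {
    awk -F'=' '
        /^[ \t]*\[/ { in_tr = ($0 ~ /^[ \t]*\[Translation\]/); next }
        in_tr && $1 ~ /^[ \t]*Method[ \t]*$/ {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2)
            print $2; exit
        }' "$1"
}

# Succeed (exit 0) only when "sss" is one of the configured methods.
idmapd_uses_sss() {
    echo ",$(idmapd_method "$1")," | tr -d ' \t' | grep -q ',sss,'
}

# Set Method in [Translation] to "$2", replacing an existing line or adding
# one (and the section header) when missing; the file is rewritten in place.
idmapd_set_method() {
    awk -v m="$2" '
        /^[ \t]*\[/ {
            if (in_tr && !done) { print "Method = " m; done = 1 }
            in_tr = ($0 ~ /^[ \t]*\[Translation\]/)
        }
        in_tr && /^[ \t]*Method[ \t]*=/ { print "Method = " m; done = 1; next }
        { print }
        END {
            if (!done) { if (!in_tr) print "[Translation]"; print "Method = " m }
        }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Constructed sample matching the failing setup: nsswitch-only translation.
demo_dir=$(mktemp -d)
cat > "$demo_dir/idmapd.conf.before" <<'EOF'
[General]
Domain = realm.com
[Translation]
Method = nsswitch
EOF
cp "$demo_dir/idmapd.conf.before" "$demo_dir/idmapd.conf.after"
idmapd_set_method "$demo_dir/idmapd.conf.after" sss

echo "before: Method = $(idmapd_method "$demo_dir/idmapd.conf.before")"
echo "after:  Method = $(idmapd_method "$demo_dir/idmapd.conf.after")"
# After editing the real file, restart the idmap service as the reply says.
```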