Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Jakub Hrozek
On Thu, Jun 26, 2014 at 06:42:37PM -0400, Simo Sorce wrote:
> On Thu, 2014-06-26 at 22:02 +, Nordgren, Bryce L -FS wrote:
> > > The reason is that rpc.idmapd does not parse fully-qualified usernames
> > > so "adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work.
> > 
> > If someone can educate me as to why there are two @ signs in the above, I 
> > can fix the wiki page 
> > (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_1:_Kerberos_cross-realm_trusts)
> > 
> > I know about individual cross-realm principals,
> > 
> > adtest/ad.example@ipa.example.org
> > 
> > And I know about cross-realm trust principals:
> > 
> > krbtgt/ad.example@ipa.example.org
> > 
> > But I was under the impression that if a user traversed a trust, their 
> > client principal name would still be adt...@ad.example.org. I am not aware 
> > of any circumstances which would produce a client principal with two "@" 
> > signs in it. Pls fix my ignorance.
> 
> The second @ is not provided by kerberos, it is rpc.idmapd making false
> assumptions, it does a getpwuid and gets back adt...@ad.example.org as
> the username, to which it decides to slap on the local REALM name with
> an @ sign in between.
> 
> I think this is something that may be handled with idmapd.conf
> configuration.
> 
> Simo.

Would the idmap sss module we have on the list pending review help here?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
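The double "@" Simo describes above, worked through in code. This is an added example, not code from nfs-utils, FreeIPA or SSSD: it models the server's uid-to-name step (getpwuid, then "@" plus the NFSv4 domain, with no check that the name is already qualified) and the client's name-to-uid step using the "split at the first @" rule Johan reported, and, for comparison only, a split at the last "@". The passwd entries, the nobody uid 65534 and the realm names are assumptions; the uid 497801107 is the one from Johan's server log. The model does not try to reproduce every log line in the thread.

```python
"""Model of the NFSv4 idmapping round trip the thread describes.

Added example (not nfs-utils, FreeIPA or SSSD code).  The server side does
getpwuid() and appends "@" + NFSv4 domain; the client side splits the wire
name at the FIRST "@" (the behaviour reported in the thread) and rejects the
name when the domain part is neither the NFSv4 domain nor a Local-Realms
entry.  A split at the LAST "@" is included for comparison only.
"""
import errno

NFSNOBODY = 65534  # assumption: the uid idmapd falls back to (Nobody-User in idmapd.conf)

# Constructed passwd data.  SSSD hands back the trusted-domain user with its
# fully qualified name, so the name itself already contains an "@".
PASSWD = {
    1001: "ipauser",
    497801107: "adtest@ad.example.org",   # uid taken from Johan's server log
}
PASSWD_BY_NAME = {name: uid for uid, name in PASSWD.items()}


def server_uid_to_name(uid, nfsv4_domain):
    """rpc.idmapd on the NFS server: pw_name + "@" + NFSv4 domain, with no
    check whether pw_name is already qualified.  This is where the second
    "@" comes from."""
    return f"{PASSWD[uid]}@{nfsv4_domain}"


def strip_domain(name, nfsv4_domain, local_realms=(), split="first"):
    """Client-side domain stripping.  Returns the local name, or None when
    the domain part is not one the client accepts."""
    if split == "first":
        local, _, domain = name.partition("@")
    elif split == "last":
        local, _, domain = name.rpartition("@")
    else:
        raise ValueError(split)
    accepted = {nfsv4_domain.lower()} | {r.lower() for r in local_realms}
    return local if domain.lower() in accepted else None


def client_name_to_uid(name, nfsv4_domain, local_realms=(), split="first"):
    """nfs4_name_to_uid() as seen in the client log: (0, uid) on success,
    (-EINVAL, nobody) when the name cannot be resolved (-22 in the log)."""
    local = strip_domain(name, nfsv4_domain, local_realms, split)
    if local is None or local not in PASSWD_BY_NAME:
        return -errno.EINVAL, NFSNOBODY
    return 0, PASSWD_BY_NAME[local]


def round_trip(uid, nfsv4_domain, local_realms=(), split="first"):
    """Server uid -> wire name -> client uid.  Returns (wire_name, rc, uid)."""
    wire = server_uid_to_name(uid, nfsv4_domain)
    rc, mapped = client_name_to_uid(wire, nfsv4_domain, local_realms, split)
    return wire, rc, mapped


if __name__ == "__main__":
    for realms in ((), ("ad.example.org",)):
        for split in ("first", "last"):
            wire, rc, uid = round_trip(497801107, "ipa.example.org", realms, split)
            print(f"Local-Realms={realms or '-'} split={split:5} {wire} -> rc={rc} uid={uid}")
```

With the first-"@" split the AD user maps to nobody whether or not "ad.example.org" is listed as a local realm, because the domain part the client compares is "ad.example.org@ipa.example.org". The last-"@" variant only works because the local part it produces, "adtest@ad.example.org", is itself a name the passwd lookup can resolve; the script makes that assumption explicit through PASSWD_BY_NAME.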


Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Sumit Bose
On Thu, Jun 26, 2014 at 09:04:41PM +, Johan Petersson wrote:
> Hi,
> 
> First I wish to thank everybody that helped me out trying to solve this issue 
> and I also wish to inform that NFS 4 does not work with AD users through an 
> AD and IPA trust at the moment for RHEL 6 and 7.  
> 
> The reason is that rpc.idmapd does not parse fully-qualified usernames 
> so "adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work.
> The client-side code is stripping the domain off based on the location of 
> the first "@" character in the value returned by the server.  This results in 
> UID/GID mappings failing and in ownership on the clients of 
> "nobody".

Thank you for the feedback. FYI there is a rpc.idmapd plugin for SSSD
(https://fedorahosted.org/sssd/wiki/DesignDocs/rpc.idmapd%20plugin)
currently under review
(https://lists.fedorahosted.org/pipermail/sssd-devel/2014-June/020384.html)

I'll try to find some time early next week to test if this will help
with your use-case.

bye,
Sumit

> 
> Regards,
> Johan
> 
> From: Dmitri Pal [d...@redhat.com]
> Sent: Thursday, June 05, 2014 21:03
> To: Johan Petersson; Alexander Bokovoy
> Cc: Sumit Bose; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> 
> On 06/04/2014 09:57 AM, Johan Petersson wrote:
> > Yes the message is exactly like that with commas, I double checked.
> >
> > To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to  
> > Local-Realms in idmapd.conf might help?
> >
> > I did on all machines and got rid of that specific message but I still get 
> > user nobody unfortunately.
> >
> > Here are logs from when I did a su - adt...@ad.home@linux.home with both 
> > AD.HOME and LINUX.HOME added to Local-Realms in idmapd.conf.
> >
> > Client:
> > Jun  4 15:30:13 client su: (to adt...@ad.home) linux on pts/0
> > Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: 
> > adt...@ad.home@linux.home timeout 600
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling 
> > nsswitch->name_to_gid
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: 
> > nsswitch->name_to_gid returned -22
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value 
> > is -22
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling 
> > nsswitch->name_to_gid
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: 
> > nsswitch->name_to_gid returned 0
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value 
> > is 0
> 
> Do we have a corresponding SSSD trace that shows the actual process of
> the resolution?
> 
> 
> >
> > NFS Server:
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p 
> > authtype=user
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling 
> > nsswitch->uid_to_name
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: 
> > nsswitch->uid_to_name returned 0
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return 
> > value is 0
> > Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> 
> > name "adt...@ad.home@linux.home"
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p 
> > authtype=group
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling 
> > nsswitch->gid_to_name
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: 
> > nsswitch->gid_to_name returned 0
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return 
> > value is 0
> > Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "112005" -> 
> > name "ad_us...@linux.home"
> >
> > The group ad_users is a IPA group with external maps from AD Domain users.
> >
> > -Original Message-
> > From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> > Sent: Wednesday, June 04, 2014 3:14 PM
> > To: Johan Petersson
> > Cc: d...@redhat.com; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >
> > On Wed, 04 Jun 2014, Johan Petersson wrote:
> >> Mail got posted before I was finished sorry.
> >>
> >> I found one clue to the issue after increasing autofs logging to debug and 
> >> as i thought it has to do with id-mapping.
> >>
> >> From /var/log/messages:
> >>
> >> Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not 
> >> map into domain 'linux.home,'
> > Are you sure the message is exactly like this, with a comma after 
> > linux.home?
> >
> > The reason I'm asking is because the code that prints the message looks 
> > like this:
> >
> >  localname = strip_domain(name, domain);
> >  IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
> >"resulting localname '%s'\n", name, domain, localname));
> >  if (localname == NULL) {
> >  IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
> >  "into domain '%s'\n", name,
> >  domain ? domain : "")

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Simo Sorce
On Fri, 2014-06-27 at 00:10 +, Nordgren, Bryce L -FS wrote:
> Also:
> http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04
> 
> Never became an RFC, but cites Simo's I-D on a Kerberos PAC.
> 
> I like the CITI approach better (also approach 2 of section 6 in the
> above I-D). I have no use for the groups defined in my active
> directory. Also, for the external collaboration case, my AD may not be
> accessible to an NFS server outside the firewall.
> 
> However, if (?) support for an NFSRemoteUser schema is lacking in
> FreeIPA, and if AD is accessible to both client and server, it seems
> that approach 3 of section 6 above would be the answer? Somehow
> configure idmapd.conf (on NFS clients and servers) to directly query
> AD? Does that seem correct?

I honestly think (and gave this feedback to the authors in the past)
that trying to standardize on LDAP in an NFS document is wrong, it
should be implementation specific.

I think NFS should define roughly how a mapping service should behave,
but should not try to dictate how Directory services can/should be used,
the variation and modes of use is just too big in the real world, and
keeps changing. Moreover it is already incorrect to believe all
identities can be resolved by contacting a single LDAP server (AD
trusted forests as an example), and that the LDAP server can actually
fully resolve group memberships (again AD, and even FreeIPA when
trusting AD forests) without using custom operations possible only fully
correct when run by the KDC (or other RPC service, again see AD).

In the FreeIPA case for example we do not (normally) convey AD groups to
the service and instead map (some of) them into FreeIPA external groups,
a client that tries to query directly the AD service (assuming you have
direct access which is often not true) would not get cross-realm group
memberships as defined in the IPA server and would therefore cause
issues.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Simo Sorce
On Thu, 2014-06-26 at 23:21 +, Nordgren, Bryce L -FS wrote:
> > The second @ is not provided by kerberos, it is rpc.idmapd making false
> > assumptions, it does a getpwuid and gets back adt...@ad.example.org as
> > the username, to which it decides to slap on the local REALM name with an @
> > sign in between.
> >
> > I think this is something that may be handled with idmapd.conf configuration.
> 
> Muchas gracias. This makes sense.
> 
> Found an old presentation on the topic [1]. Slide 15 is particularly
> relevant. Slide 4, however, taught me something I didn't know: NFS
> wants to deal with NFSv4 domain names (slide 3), which can be
> different than GSS principal names (Kerberos principals). There is
> only one NFS domain, but there can be multiple security realms and
> multiple DNS domains (slide 2).
> 
> The crux of this is on slide 14: "Need to add posixAccount with
> GSSAuthName for UID/GID mapping of remote user".  Is this another use
> case for views?

Yes, it *may* be.

> What I'm not quite clear on is the interaction between idmapd and ldap
> (slides 15,16,18). Does idmapd want to see this "NFSv4RemoteUser"
> schema on the LDAP server? Is this schema something that FreeIPA would
> have to support for NFS to work with cross-realm trusts? Or has the
> landscape changed since this 2005 presentation?

The landscape has changed and evolved, and I never really saw adoption
of this CITI proposal myself. It may have happened somewhere I guess,
but I do not think it is prevalent.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] [SOLVED] Re: FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.

2014-06-27 Thread Davis Goodman
Hi Fredy,

We have integrated our Mac Workstations (Mountain Lion and Mavericks) with 
FreeIPA with good success except for password change.

Does your method allow users to change their password through the OSX 
interface, for example when a new user is created and logs in for the first 
time? For now we need to have our users go through the web interface of a 
different workstation to change their newly created account password.

At this point that is the only thing that still doesn’t work for us.

Davis

Davis Goodman
Directeur Informatique  |  IT Manager

5605 Avenue de Gaspé, Suite 408  |  Montréal, QC H2T 2A4 




From: Simo Sorce s...@redhat.com
Reply: Simo Sorce s...@redhat.com
Date: April 16, 2014 at 18:06:27  
To: Fredy Sanchez fredy.sanc...@modmed.com
Cc: Guillermo Fuentes guillermo.fuen...@modernizingmedicine.com, 
freeipa-users@redhat.com freeipa-users@redhat.com
Subject:  [Freeipa-users] [SOLVED] Re: FreeIPA backend. Mavericks server shows 
UIDs instead of usernames in File Sharing.  

Good!  
And thanks for letting us know, it may help other users too.  

Simo.  

On Wed, 2014-04-16 at 17:58 -0400, Fredy Sanchez wrote:  
> Hi Simo,  
>  
> Thanks for your reply. Good old Google pointed me to  
> https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh,
>   
> which gave me the idea of  
> updating the RealName mapping to displayName. This solved the problem, I'll  
> have to recreate the permissions for every share, but the user names now  
> show up, and stick. No more UIDs.  
>  
>  
> On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce  wrote:  
>  
> > On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:  
> > > Hi all,  
> > >  
> > > We asked this same question at discussions.apple.com, but figured we'd  
> > have  
> > > better luck here. I apologize in advance if this is the wrong forum.  
> > >  
> > > We are switching from Synology (DSM 5) to Mavericks server (v3.1.1.  
> > running  
> > > in Mavericks 10.9.2) for File Sharing. We use a FreeIPA  
> > (ipa-server.x86_64  
> > > 3.0.0-37.el6) backend for SSO, and the Mac server seems correctly  
> > > bound to it. Unfortunately, although we can add usernames to the shares  
> > for  
> > > the initial config, the usernames transform to UIDs after (only for SSO  
> > > accounts; local accounts are not affected). That is, when we go to edit  
> > the  
> > > permissions for a share, all we see are UIDs. We can always figure out  
> > the  
> > > username from the UID, but this is an extra step we don't want to have.  
> > > We've tried reinstalling the Mac server app from scratch, re-binding to  
> > the  
> > > FreeIPA backend, changing mappings in Directory Utility (for example,  
> > > mapping GeneratedUID to uid, which is the username), recreating the  
> > shares  
> > > and permissions, etc. Here are more details about the binding:  
> > >  
> > > * The binding happens thru a custom package we created based primarily on 
> > >  
> > >  
> > http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8 
> >  
> > > * Sys Prefs, Users & Groups, Login Options show the server bound to the  
> > > FreeIPA backend with the green dot  
> > > * The following mappings are in place in Directory Utility, Services,  
> > > LDAPv3, FreeIPA backend  
> > >  
> > > Users: inetOrgPerson  
> > > AuthenticationAuthority: uid  
> > > GeneratedUID: random number in uppercase  
> > > HomeDirectory: #/Users/$uid$  
> > > NFSHomeDirectory: #/Users/$uid$  
> > > OriginalHomeDirectory: #/Users/$uid$  
> > > PrimaryGroupID: gidNumber  
> > > RealName: cn  
> > > RecordName: uid  
> > > UniqueID: uidNumber  
> > > UserShell: loginShell  
> > > Groups: posixgroup  
> > > PrimaryGroupID: gidNumber  
> > > RecordName: cn  
> > >  
> > > The search bases are correct  
> > >  
> > > * Directory Utility, Directory Editor shows the right info for the users. 
> > >  
> > > * $ id $USERNAME shows the right information for the user  
> > >  
> > > FreeIPA is working beautifully for our Mac / Linux environment. We  
> > provide  
> > > directory services to about 300 hosts, and 200 employees using it; and  
> > > haven't had any problems LDAP wise until now. So we think we are missing  
> > a  
> > > mapping here. Any ideas?  
> >  
> > Fredy,  
> > I quickly tried to check for some documentation on how to configure this  
> > stuff, but found only useless superficial guides on how to find the  
> > pointy/clicky buttons to push to enable the service.  
> >  
> > I am not a Mac expert by a long shot so I cannot help you much here.  
> >  
> > Is there any guide available on how to use this service with other LDAP  
> > servers, like openLDAP or Active Directory ? We can probably draw some  
> > conclusions from there.  
> >  
> > Simo.  
> >  
> > --  
> > Simo Sorce * Red Hat, Inc * New York  
> >  
> >  
>  
>  


--  
Simo Sorce * Red Hat, Inc * New York  


[Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline

2014-06-27 Thread Mark Gardner
Was trying to add an external ad group to IPA, it kept failing with unable
to connect to server.

Figured I'd reboot to clear things up.  Oops.

Now wbinfo --online-status shows our AD as offline.
wbinfo -u shows blank

wbinfo -n 'DOMAIN\user' gives the following message:

failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
could not lookup 'Domain\user'

I saw a similar post in the freeipa-users archive about adding
client min protocol = CORE
client max protocol = SMB2_02
to the samba config; restarted winbind and still getting errors

FreeIPA 3.0
Windows 2008 R2.

Re: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline

2014-06-27 Thread Johan Petersson
Hi,

Probably there are better ways to solve this issue but the way that works for 
me is to validate the trust from the AD side after a reboot of the IPA Server - 
it always shows as offline for me too. On 2012 Server you can do this through 
Active Directory Domains and Trusts - properties on your domain and go to trust 
tab - properties again. Next you press validate on the General tab. AD will ask 
for authentication but that can be skipped.
AD Trust will be back online right away and you can check it through wbinfo 
--online-status.

Probably the procedure is similar on Server 2008.

Johan

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Mark Gardner [malek...@gmail.com]
Sent: Friday, June 27, 2014 20:23
To: freeipa-users
Subject: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline

Was trying to add an external ad group to IPA, it kept failing with unable to 
connect to server.

Figured I'd reboot to clear things up.  Oops.

Now wbinfo --online-status shows our AD as offline.
wbinfo -u shows blank

wbinfo -n 'DOMAIN\user' gives the following message:

failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
could not lookup 'Domain\user'

I saw a similar post in the freeipa-users archive about adding
client min protocol = CORE
client max protocol = SMB2_02
to the samba config; restarted winbind and still getting errors

FreeIPA 3.0
Windows 2008 R2.


Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Nordgren, Bryce L -FS

> Would the idmap sss module we have on the list pending review help here?

My read of the design page suggests that the plugin is 66% of a solution. There 
are three types of identities which need to be related:

* local machine accounts/identities (meaningful to the filesystem)
* security principals (Kerberos or pki)
* NFSv4 identities (the u...@example.com string NFS sends over the wire)

I see the first two represented on the design, but not the last. I suspect that 
this means that the plugin regards security principals and NFSv4 identities as 
the same thing, which may mean it won't work for multiple domains?  Let me turn 
the question on its head: according to the OP, the NFS server and client are in 
Kerberos realm FREEIPA.EXAMPLE.ORG, and the user principals are from realm 
AD.EXAMPLE.ORG. Would your plugin work? What happens to your plugin if either 
the client or the server (but only one) moves to AD.EXAMPLE.ORG? Can the plugin 
consistently map security principals to NFS principals regardless of where it 
is running?

I have a more basic confusion though: I can't tell from the design page whether 
rpc.idmapd is using sssd to get ids or vice versa...

Bryce






Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Nordgren, Bryce L -FS


> -Original Message-
> > What I'm not quite clear on is the interaction between idmapd and ldap
> > (slides 15,16,18). Does idmapd want to see this "NFSv4RemoteUser"
> > schema on the LDAP server? Is this schema something that FreeIPA would
> > have to support for NFS to work with cross-realm trusts? Or has the
> > landscape changed since this 2005 presentation?
>
> The landscape has changed and evolved, and I never really saw adoption of
> this CITI proposal myself. It may have happened somewhere I guess, but I do
> not think it is prevalent.

Poking a little more, I'm seeing something pretty similar to this proposal in 
the UMICH_SCHEMA section here: http://linux.die.net/man/5/idmapd.conf

This appears to be the same man page which ships with Fedora 20. It looks like 
it's configurable, with the defaults being more or less the attributes 
mentioned in the 2005 powerpoint...

If views were to support these attributes, external security principals could 
have a nice centralized mapping to NFS for the freeipa managed linux 
environment...

Bryce



