Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Parsons, Aron
Hi Jakub,
Good to know about the patch.  It's unfortunate I can get a faster and more 
detailed answer via the mailing list than GSS.  Since I can't access the 
bugzilla, any idea if it's targeted at RHEL7 as well?

/aron

From: Jakub Hrozek [jhro...@redhat.com]
Sent: Wednesday, July 16, 2014 2:19 AM
To: Parsons, Aron
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 16 Jul 2014, at 03:29, Parsons, Aron parso...@bit-sys.com wrote:

 I ran into this issue last fall and have been running with a patched 
 libnfsidmap since November while our support case with Red Hat waits on a 
 resolution (pretty much have given up hope at this point).  It's a trivial 
 patch and removes the assumption that only one @ can be present in a username.

 With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6 
 and EL7 in multiple environments all using NFSv4 mounts with ID mapping 
 enabled.  We have experienced zero issues with this patch applied.  Without 
 it, the AD trust setup is a no-go in any sort of real environment since NFSv4 
 is broken.

 If you'd like to reference our support case, it's #00983906.  Patch is 
 included below.

 /aron


Hi Aron,

the support case you referenced is linked to bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=1066153, which is fully acked for 
RHEL-6.6; the state of the bugzilla is ON_QA, so currently it looks like the patch 
will be released in 6.6.




Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-15 Thread Parsons, Aron
I ran into this issue last fall and have been running with a patched 
libnfsidmap since November while our support case with Red Hat waits on a 
resolution (pretty much have given up hope at this point).  It's a trivial 
patch and removes the assumption that only one @ can be present in a username.

With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6 and 
EL7 in multiple environments all using NFSv4 mounts with ID mapping enabled.  
We have experienced zero issues with this patch applied.  Without it, the AD 
trust setup is a no-go in any sort of real environment since NFSv4 is broken.

If you'd like to reference our support case, it's #00983906.  Patch is included 
below.

/aron


From 305930bded0d377ebda858e8772ebf6527ba3f03 Mon Sep 17 00:00:00 2001
From: Aron Parsons parso...@bit-sys.com
Date: Fri, 15 Nov 2013 14:43:10 -0500
Subject: [PATCH] account for usernames with @ in them

---
 libnfsidmap/nss.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libnfsidmap/nss.c b/libnfsidmap/nss.c
index 04aff19..f9ad4be 100644
--- a/libnfsidmap/nss.c
+++ b/libnfsidmap/nss.c
@@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char 
*domain)
char *l = NULL;
int len;
 
-   c = strchr(name, '@');
+   c = strrchr(name, '@');
if (c == NULL  domain != NULL)
 goto out;
if (c == NULL  domain == NULL) {
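Review bot: a one-line comment above `c = strrchr(name, '@');` saying why the last '@' is the right split point would help here, since strip_domain() is shared by every name that passes through the nss plugin and the change is not obviously safe to a reader who has not seen AD-trust names: the NFSv4 idmap domain is appended after the whole user name, and names from a trusted AD domain already contain an '@' of their own, so only the last '@' separates the idmap domain. The same reasoning belongs in the commit message, whose subject "account for usernames with @ in them" does not say where such names come from (sssd with an IPA-AD trust) or that a name with a single '@' splits exactly as before.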
-- 
1.7.1

-
Hi,

First I wish to thank everybody who helped me out trying to solve this issue 
and I also wish to inform you that NFSv4 does not work with AD users through an AD 
and IPA trust at the moment for RHEL 6 and 7.

The reason is that rpc.idmapd does not parse fully-qualified usernames, 
so adtest@AD.EXAMPLE.O...@ipa.example.org does not work. 
The client-side code is stripping the domain off based on the location of the 
first @ character in the value returned by the server. This results in 
UID/GID mappings failing and in ownership on the clients of nobody.

Regards,
Johan

From: Dmitri Pal [dpal redhat com]
Sent: Thursday, June 05, 2014 21:03
To: Johan Petersson; Alexander Bokovoy
Cc: Sumit Bose; freeipa-users redhat com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/04/2014 09:57 AM, Johan Petersson wrote:
 Yes, the message is exactly like that, with commas; I double checked.

 To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to  
 Local-Realms in idmap.conf might help?

 I did on all machines and got rid of that specific message but I still get 
 user nobody unfortunately.

 Here are logs from when I did a su - adtest AD h...@linux.home with both 
 AD.HOME and LINUX.HOME added to Local-Realms in idmap.conf.

 Client:
 Jun  4 15:30:13 client su: (to adtest@ad.home) linux on pts/0
 Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest ad h...@linux.home timeout 600
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of
the resolution?



 NFS Server:
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 -> name adtest ad h...@linux.home
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id 112005 -> name ad_users@linux.home

 The group ad_users is an IPA group with external maps from AD Domain Users.

 -Original Message-
 From: Alexander Bokovoy [mailto:abokovoy redhat com]
 Sent: Wednesday, June 04, 2014 3:14 PM
 To: Johan Petersson
 Cc: dpal redhat com; freeipa-users redhat com
 Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

 On Wed, 04 Jun 2014, Johan Petersson wrote:
 Mail got posted before I was finished, sorry.

 I found one clue to the issue after increasing autofs logging to debug and, 
 as I thought, it has to do with id-mapping.
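
As an added example (not code from this thread or from libnfsidmap), the following C program re-creates the split that strip_domain() performs on an NFSv4 owner string, once with strchr() as in the unpatched libnfsidmap and once with strrchr() as in Aron's patch, and runs both over a constructed native IPA name and a constructed AD-trust name. The names johan and adtest@AD.HOME and the NFS domain linux.home are assumptions taken from the logs above; split_name() and splits_to() are this example's own helpers, not libnfsidmap functions, and the case-insensitive domain comparison after the split is an assumption about the code that follows the hunk, which the thread does not show.

```c
/* Added example; not code from the thread or from libnfsidmap.
 * It re-creates the name-splitting step of libnfsidmap's strip_domain()
 * in both variants (strchr: first '@', strrchr: last '@') so the failure
 * described in the thread can be reproduced offline.  The sample names,
 * the NFS domain and the helper names are assumptions for this example. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Split an NFSv4 owner string ("local@domain") into its local part.
 * use_last != 0 selects the patched behaviour (split at the last '@').
 * Returns a malloc'd local part, or NULL when there is no '@' or the
 * suffix does not match the configured domain.  In rpc.idmapd/nfsidmap a
 * failure at this point is what ends up as owner "nobody" on the client.
 * The case-insensitive suffix comparison is assumed, not taken from the thread. */
static char *split_name(const char *name, const char *domain, int use_last)
{
    const char *at = use_last ? strrchr(name, '@') : strchr(name, '@');
    char *local;
    size_t len;

    if (at == NULL)
        return NULL;
    if (domain != NULL && strcasecmp(at + 1, domain) != 0)
        return NULL;            /* e.g. "AD.HOME@linux.home" != "linux.home" */

    len = (size_t)(at - name);
    local = malloc(len + 1);
    if (local == NULL)
        return NULL;
    memcpy(local, name, len);
    local[len] = '\0';
    return local;
}

/* Check helper: 1 if split_name() yields exactly `expected`
 * (NULL meaning "mapping fails"), 0 otherwise.  Frees the result. */
static int splits_to(const char *name, const char *domain, int use_last,
                     const char *expected)
{
    char *local = split_name(name, domain, use_last);
    int ok;

    if (local == NULL)
        return expected == NULL;
    ok = (expected != NULL && strcmp(local, expected) == 0);
    free(local);
    return ok;
}

/* Constructed owner strings as an NFSv4 server would put them on the wire:
 * a native IPA user, and an AD-trust user whose sssd name already has '@'. */
static const char *const samples[] = {
    "johan@linux.home",
    "adtest@AD.HOME@linux.home",
};

int main(void)
{
    const char *domain = "linux.home";  /* assumed Domain setting of idmapd.conf */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *first = split_name(samples[i], domain, 0);
        char *last = split_name(samples[i], domain, 1);

        printf("%-27s strchr: %-16s strrchr: %s\n", samples[i],
               first ? first : "(fail -> nobody)",
               last ? last : "(fail -> nobody)");
        free(first);
        free(last);
    }
    return 0;
}
```

With the first-'@' split the AD-trust name is cut into "adtest" and the suffix "AD.HOME@linux.home", which never equals the configured domain, so the lookup fails and the client shows nobody; with the last-'@' split the local part is "adtest@AD.HOME", which is the name sssd knows, and the single-'@' IPA name splits identically in both variants.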