Re: [Freeipa-users] NFS Automount Domain Homedirs
On Wed, 30 Sep 2015, Sadettin Albasan wrote:
> Here is a list of installed sssd packages:
>
> sssd-client-1.12.4-47.el6.x86_64
> sssd-common-1.12.4-47.el6.x86_64
> sssd-ad-1.12.4-47.el6.x86_64
> sssd-1.12.4-47.el6.x86_64
> python-sssdconfig-1.12.4-47.el6.noarch
> sssd-krb5-common-1.12.4-47.el6.x86_64
> sssd-ipa-1.12.4-47.el6.x86_64
> sssd-ldap-1.12.4-47.el6.x86_64
> sssd-proxy-1.12.4-47.el6.x86_64
> sssd-tools-1.12.4-47.el6.x86_64
> sssd-common-pac-1.12.4-47.el6.x86_64
> sssd-krb5-1.12.4-47.el6.x86_64
>
> Thanks.
My apologies, we checked with Sumit and apparently, SSSD in RHEL 6.7 was
built without support for NFS idmap module. Can you check if using
CentOS 7 client and server for NFS would work?

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] NFS Automount Domain Homedirs
Here is a list of installed sssd packages:

sssd-client-1.12.4-47.el6.x86_64
sssd-common-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-tools-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64

On 30 September 2015 at 13:18, Sadettin Albasan wrote:
> I get this error when putting sss into method even after upgrading my
> systems to centos 6.7
>
> Shutting down NFS daemon: [ OK ]
> Shutting down NFS mountd: [ OK ]
> Shutting down NFS services: [ OK ]
> Shutting down RPC svcgssd: [ OK ]
> Shutting down RPC idmapd: [ OK ]
> Starting RPC svcgssd: [ OK ]
> Starting NFS services: [ OK ]
> Starting NFS mountd: [ OK ]
> Starting NFS daemon: [ OK ]
> Starting RPC idmapd: rpc.idmapd: libnfsidmap: requested translation
> method, 'sss', is not available
>
> rpc.idmapd: Unable to create name to user id mappings.
> [FAILED]
>
>
> On 30 September 2015 at 09:46, Alexander Bokovoy wrote:
>
>> On Wed, 30 Sep 2015, Sadettin Albasan wrote:
>>
>>> *idmap.conf for NFS Server:*
>>>
>>>
>>> [General]
>>> #Verbosity = 0
>>> # The following should be set to the local NFSv4 domain name
>>> # The default is the host's DNS domain name.
>>> #Domain = local.domain.edu
>>>
>>> # The following is a comma-separated list of Kerberos realm
>>> # names that should be considered to be equivalent to the
>>> # local realm, such that @REALM.A can be assumed to
>>> # be the same user as @REALM.B
>>> # If not specified, the default local realm is the domain name,
>>> # which defaults to the host's DNS domain name,
>>> # translated to upper-case.
>>> # Note that if this value is specified, the local realm name
>>> # must be included in the list!
>>> #Local-Realms =
>>>
>>> [Mapping]
>>>
>>> Nobody-User = nobody
>>> Nobody-Group = nobody
>>>
>>> [Translation]
>>>
>>> # Translation Method is an comma-separated, ordered list of
>>> # translation methods that can be used. Distributed methods
>>> # include "nsswitch", "umich_ldap", and "static". Each method
>>> # is a dynamically loadable plugin library.
>>> # New methods may be defined and inserted in the list.
>>> # The default is "nsswitch".
>>> Method = nsswitch
>>>
>> Use Method = sss
>>
>> The module for this method is part of sssd-common RPM package.
>>
>>> *idmap.conf for client:*
>>>
>>>
>>> [General]
>>> #Verbosity = 0
>>> # The following should be set to the local NFSv4 domain name
>>> # The default is the host's DNS domain name.
>>> #Domain = local.domain.edu
>>>
>>> # The following is a comma-separated list of Kerberos realm
>>> # names that should be considered to be equivalent to the
>>> # local realm, such that @REALM.A can be assumed to
>>> # be the same user as @REALM.B
>>> # If not specified, the default local realm is the domain name,
>>> # which defaults to the host's DNS domain name,
>>> # translated to upper-case.
>>> # Note that if this value is specified, the local realm name
>>> # must be included in the list!
>>> #Local-Realms =
>>>
>>> [Mapping]
>>>
>>> Nobody-User = nobody
>>> Nobody-Group = nobody
>>>
>>> [Translation]
>>>
>>> # Translation Method is an comma-separated, ordered list of
>>> # translation methods that can be used. Distributed methods
>>> # include "nsswitch", "umich_ldap", and "static". Each method
>>> # is a dynamically loadable plugin library.
>>> # New methods may be defined and inserted in the list.
>>> # The default is "nsswitch".
>>> Method = nsswitch
>>>
>> Same here.
>>
>> --
>> / Alexander Bokovoy
>>
>
Re: [Freeipa-users] NFS Automount Domain Homedirs
On Wed, 30 Sep 2015, Sadettin Albasan wrote:
> *idmap.conf for NFS Server:*
>
> [General]
> #Verbosity = 0
> # The following should be set to the local NFSv4 domain name
> # The default is the host's DNS domain name.
> #Domain = local.domain.edu
>
> # The following is a comma-separated list of Kerberos realm
> # names that should be considered to be equivalent to the
> # local realm, such that @REALM.A can be assumed to
> # be the same user as @REALM.B
> # If not specified, the default local realm is the domain name,
> # which defaults to the host's DNS domain name,
> # translated to upper-case.
> # Note that if this value is specified, the local realm name
> # must be included in the list!
> #Local-Realms =
>
> [Mapping]
>
> Nobody-User = nobody
> Nobody-Group = nobody
>
> [Translation]
>
> # Translation Method is an comma-separated, ordered list of
> # translation methods that can be used. Distributed methods
> # include "nsswitch", "umich_ldap", and "static". Each method
> # is a dynamically loadable plugin library.
> # New methods may be defined and inserted in the list.
> # The default is "nsswitch".
> Method = nsswitch
Use Method = sss

The module for this method is part of sssd-common RPM package.

> *idmap.conf for client:*
>
> [General]
> #Verbosity = 0
> # The following should be set to the local NFSv4 domain name
> # The default is the host's DNS domain name.
> #Domain = local.domain.edu
>
> # The following is a comma-separated list of Kerberos realm
> # names that should be considered to be equivalent to the
> # local realm, such that @REALM.A can be assumed to
> # be the same user as @REALM.B
> # If not specified, the default local realm is the domain name,
> # which defaults to the host's DNS domain name,
> # translated to upper-case.
> # Note that if this value is specified, the local realm name
> # must be included in the list!
> #Local-Realms =
>
> [Mapping]
>
> Nobody-User = nobody
> Nobody-Group = nobody
>
> [Translation]
>
> # Translation Method is an comma-separated, ordered list of
> # translation methods that can be used. Distributed methods
> # include "nsswitch", "umich_ldap", and "static". Each method
> # is a dynamically loadable plugin library.
> # New methods may be defined and inserted in the list.
> # The default is "nsswitch".
> Method = nsswitch
Same here.

--
/ Alexander Bokovoy
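A quick way to catch the failure Sadettin hit before restarting NFS, as an added example that is not code from the thread or from the SSSD or nfs-utils projects: it reads the Method line of an idmapd.conf and checks that each listed method has a libnfsidmap plugin on disk. The plugin directory is an assumption (the usual x86_64 location); override PLUGIN_DIR if yours differs.

```shell
#!/bin/sh
# Added example (not code from the thread): check that every method on the
# "Method =" line of idmapd.conf's [Translation] section has a libnfsidmap
# plugin on disk; a missing one is what rpc.idmapd reports as "requested
# translation method, 'sss', is not available".
# Assumption: plugins live as <plugindir>/<method>.so (usual x86_64 path).
PLUGIN_DIR="${PLUGIN_DIR:-/usr/lib64/libnfsidmap}"

# Print the configured translation methods, one per line, in list order.
# Only the Method line inside [Translation] counts; comment lines are skipped.
idmap_methods() {
    awk -F= '
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[Translation\]/); next }
        insect && /^[[:space:]]*Method[[:space:]]*=/ {
            n = split($2, m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", m[i])
                if (m[i] != "") print m[i]
            }
        }' "$1"
}

# Return 0 when every configured method has a plugin, 1 otherwise.
# Missing plugins are reported on stdout, one per line.
check_idmap_methods() {
    conf="$1"; dir="${2:-$PLUGIN_DIR}"; rc=0
    for m in $(idmap_methods "$conf"); do
        if [ ! -f "$dir/$m.so" ]; then
            echo "missing plugin for method '$m': $dir/$m.so"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: the thread's config with "Method = sss", checked against
# a fake plugin directory that, like SSSD on RHEL 6.7, ships no sss.so.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/plugins"
    touch "$tmp/plugins/nsswitch.so" "$tmp/plugins/static.so"
    cat > "$tmp/idmapd.conf" <<'EOF'
[Translation]
# The default is "nsswitch".
Method = sss
EOF
    check_idmap_methods "$tmp/idmapd.conf" "$tmp/plugins"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "rpc.idmapd would refuse to start with this Method list"
```

On a real host, `check_idmap_methods /etc/idmapd.conf` with PLUGIN_DIR unset tests the live configuration.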
Re: [Freeipa-users] NFS Automount Domain Homedirs
*idmap.conf for NFS Server:*

[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu

# The following is a comma-separated list of Kerberos realm
# names that should be considered to be equivalent to the
# local realm, such that @REALM.A can be assumed to
# be the same user as @REALM.B
# If not specified, the default local realm is the domain name,
# which defaults to the host's DNS domain name,
# translated to upper-case.
# Note that if this value is specified, the local realm name
# must be included in the list!
#Local-Realms =

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

# Translation Method is an comma-separated, ordered list of
# translation methods that can be used. Distributed methods
# include "nsswitch", "umich_ldap", and "static". Each method
# is a dynamically loadable plugin library.
# New methods may be defined and inserted in the list.
# The default is "nsswitch".
Method = nsswitch

# Optional. This is a comma-separated, ordered list of
# translation methods to be used for translating GSS
# authenticated names to ids.
# If this option is omitted, the same methods as those
# specified in "Method" are used.
#GSS-Methods =

#---#
# The following are used only for the "static" Translation Method.
#---#
#[Static]

# A "static" list of GSS-Authenticated names to
# local user name mappings

#someuser@REALM = localuser

#---#
# The following are used only for the "umich_ldap" Translation Method.
#---#

#[UMICH_SCHEMA]

# server information (REQUIRED)
#LDAP_server = ldap-server.local.domain.edu

# the default search base (REQUIRED)
#LDAP_base = dc=local,dc=domain,dc=edu

#---#
# The remaining options have defaults (as shown)
# and are therefore not required.
#---#

# whether or not to perform canonicalization on the
# name given as LDAP_server
#LDAP_canonicalize_name = true

# absolute search base for (people) accounts
#LDAP_people_base =

# absolute search base for groups
#LDAP_group_base =

# Set to true to enable SSL - anything else is not enabled
#LDAP_use_ssl = false

# You must specify a CA certificate location if you enable SSL
#LDAP_ca_cert = /etc/ldapca.cert

# Objectclass mapping information

# Mapping for the person (account) object class
#NFSv4_person_objectclass = NFSv4RemotePerson

# Mapping for the nfsv4name attribute the person object
#NFSv4_name_attr = NFSv4Name

# Mapping for the UID number
#NFSv4_uid_attr = UIDNumber

# Mapping for the GSSAPI Principal name
#GSS_principal_attr = GSSAuthName

# Mapping for the account name attribute (usually uid)
# The value for this attribute must match the value of
# the group member attribute - NFSv4_member_attr
#NFSv4_acctname_attr = uid

# Mapping for the group object class
#NFSv4_group_objectclass = NFSv4RemoteGroup

# Mapping for the GID attribute
#NFSv4_gid_attr = GIDNumber

# Mapping for the Group NFSv4 name
#NFSv4_group_attr = NFSv4Name

# Mapping for the Group member attribute (usually memberUID)
# The value of this attribute must match the value of NFSv4_acctname_attr
#NFSv4_member_attr = memberUID

*idmap.conf for client:*

[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu

# The following is a comma-separated list of Kerberos realm
# names that should be considered to be equivalent to the
# local realm, such that @REALM.A can be assumed to
# be the same user as @REALM.B
# If not specified, the default local realm is the domain name,
# which defaults to the host's DNS domain name,
# translated to upper-case.
# Note that if this value is specified, the local realm name
# must be included in the list!
#Local-Realms =

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

# Translation Method is an comma-separated, ordered list of
# translation methods that can be used. Distributed methods
# include "nsswitch", "umich_ldap", and "static". Each method
# is a dynamically loadable plugin library.
# New methods may be defined and inserted in the list.
# The default is "nsswitch".
Method = nsswitch

# Optional. This is a comma-separated, ordered list of
# translation methods to be used for translating GSS
# authenticated names to ids.
# If this option is omitted, the same methods as those
# specified in "Method" are used.
#GSS-Methods =

#---#
# The following are used only for the "static" Translation Method.
#
Re: [Freeipa-users] NFS Automount Domain Homedirs
On Wed, 30 Sep 2015, Sadettin Albasan wrote:
> Hi Alexander,
>
> Currently;
> FreeIPA 7.1 (Centos)
> Client 6.6 (Centos)
> NFS 6.6 (Centos) + Samba 3.6
>
> I have also samba file sharing running on NFS server which shares home
> directories to windows users as well. So NFS server is joined to windows
> domain as well as FreeIPA domain.
CentOS 6.6 should have nfsidmap fixes needed to support AD users via
IPA-AD trust. However, I don't see your configuration for nfs idmap.conf
on both client and NFS server.

--
/ Alexander Bokovoy
Re: [Freeipa-users] NFS Automount Domain Homedirs
Hi Alexander,

Currently;
FreeIPA 7.1 (Centos)
Client 6.6 (Centos)
NFS 6.6 (Centos) + Samba 3.6

I have also samba file sharing running on NFS server which shares home
directories to windows users as well. So NFS server is joined to windows
domain as well as FreeIPA domain.

*FreeIPA Server Automount Conf:*

/etc/auto.master:
/-    /etc/auto.direct
/home    /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.home:
*    -rw,no_subtree_check,crossmnt,sec=krb5i    itifs01.itiad.my.ca: /samba/homes/&

maps not connected to /etc/auto.master:

*NFS Server Krb5.conf:*

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = FREEIPA.MY.CA
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
FREEIPA.MY.CA = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.FREEIPA.MY.CA = FREEIPA.MY.CA
FREEIPA.MY.CA = FREEIPA.MY.CA
.itiad.my.ca = FREEIPA.MY.CA
itiad.my.ca = FREEIPA.MY.CA

*NFS Server sssd.conf:*

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = FREEIPA.my.CA
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = itifs01.itiad.my.ca
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, server.freeipa.my.ca
dns_discovery_domain = FREEIPA.my.CA
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = FREEIPA.MY.CA
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

*Client Krb5.conf:*

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = FREEIPA.MY.CA
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
FREEIPA.MY.CA = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.freeipa.my.ca = FREEIPA.MY.CA
freeipa.my.ca = FREEIPA.MY.CA

*Client SSSD.conf:*

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = freeipa.my.ca
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client2.freeipa.my.ca
chpass_provider = ipa
ipa_server = _srv_, server.freeipa.my.ca
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
[sssd]
default_domain_suffix = itiad.my.ca
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = freeipa.my.ca
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Thanks,

On 29 September 2015 at 10:47, Alexander Bokovoy wrote:
> On Tue, 29 Sep 2015, Sadettin Albasan wrote:
>
>> I have a freeipa server and a trust relation with AD domain with almost
>> everything working the way I planned except automounting NFS home
>> directories for domain users. I have been reading about this on the net
>> for almost a week, ended up trying a lot of different configurations,
>> but I had no success to it. The closest I came to was removing krb5
>> authentication from the export and mount options. It is only then able
>> to mount the directories. Since I have not seen any official guidelines
>> about it, is this in works or any plan to implement? Thanks.
>>
> As usual, more details are required about server and client
> configuration/software in order to even guess your problems.
>
> What provides NFS storage? What is used on the client machines? How
> identity mapping is configured. Give examples of your configuration.
>
> There are some issues in NFS identity mapping code that were fixed
> relatively recently and which prevented use of POSIX users with '@' in
> the name, for example.
>
> --
> / Alexander Bokovoy
>
Re: [Freeipa-users] NFS Automount Domain Homedirs
On Tue, 29 Sep 2015, Sadettin Albasan wrote:
> I have a freeipa server and a trust relation with AD domain with almost
> everything working the way I planned except automounting NFS home
> directories for domain users. I have been reading about this on the net
> for almost a week, ended up trying a lot of different configurations,
> but I had no success to it. The closest I came to was removing krb5
> authentication from the export and mount options. It is only then able
> to mount the directories. Since I have not seen any official guidelines
> about it, is this in works or any plan to implement? Thanks.
As usual, more details are required about server and client
configuration/software in order to even guess your problems.

What provides NFS storage? What is used on the client machines? How
identity mapping is configured. Give examples of your configuration.

There are some issues in NFS identity mapping code that were fixed
relatively recently and which prevented use of POSIX users with '@' in
the name, for example.

--
/ Alexander Bokovoy
[Freeipa-users] NFS Automount Domain Homedirs
I have a freeipa server and a trust relation with AD domain with almost
everything working the way I planned except automounting NFS home
directories for domain users. I have been reading about this on the net
for almost a week, ended up trying a lot of different configurations,
but I had no success to it. The closest I came to was removing krb5
authentication from the export and mount options. It is only then able
to mount the directories. Since I have not seen any official guidelines
about it, is this in works or any plan to implement? Thanks.