[15/Mar/2018:23:13:06.547419820 -0400] conn=69199 op=1 UNBIND
[15/Mar/2018:23:13:06.547446724 -0400] conn=69199 op=1 fd=264 closed
- U1
[15/Mar/2018:23:13:06.550193388 -0400] conn=69200 fd=265 slot=265
connection from 192.168.0.236 to 192.168.0.44
[15/Mar/2018:23:13:06.550580770 -0400] conn=69200 op=0 SRCH
base="DC=NIX,DC=MY,DC=DOM" scope=2
filter="(&(objectClass=NFSv4RemoteGroup)(nfsv4name=nob...@nix.my.dom))"
attrs="uidNumber gidNumber"
[15/Mar/2018:23:13:06.550933518 -0400] conn=69200 op=0 RESULT err=0
tag=101 nentries=0 etime=0
[15/Mar/2018:23:13:06.551220517 -0400] conn=69200 op=1 UNBIND
[15/Mar/2018:23:13:06.551284941 -0400] conn=69200 op=1 fd=265 closed
- U1
[15/Mar/2018:23:13:06.580266816 -0400] conn=69191 op=8 SRCH
base="cn=Default Trust View,cn=views,cn=accounts,dc=nix,dc=my,dc=dom"
scope=2 filter="(&(objectClass=ipaUserOverride)(uid=tom))" attrs=ALL
[15/Mar/2018:23:13:06.580664050 -0400] conn=69191 op=8 RESULT err=0
tag=101 nentries=0 etime=0
[15/Mar/2018:23:13:06.581138601 -0400] conn=69191 op=9 EXT
oid="2.16.840.1.113730.3.8.10.4.1" name="IPA trusted domain ID mapper"
[15/Mar/2018:23:13:06.585652291 -0400] conn=69180 op=5 SRCH
base="cn=Default Trust View,cn=views,cn=accounts,dc=nix,dc=my,dc=dom"
scope=2 filter="(&(objectClass=ipaUserOverride)(uid=tom))" attrs=ALL
[15/Mar/2018:23:13:06.585897291 -0400] conn=69180 op=5 RESULT err=0
tag=101 nentries=0 etime=0
[15/Mar/2018:23:13:06.610226668 -0400] conn=9 op=99467 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/idmipa01.nix.my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=host/idmipa01.nix.my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.611043926 -0400] conn=9 op=99467 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.611343977 -0400] conn=9 op=99468 SRCH
base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[15/Mar/2018:23:13:06.611511419 -0400] conn=9 op=99468 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.611781846 -0400] conn=9 op=99469 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/nix.my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/nix.my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.612369061 -0400] conn=9 op=99469 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.612710359 -0400] conn=9 op=99470 SRCH
base="cn=Default Host Password
Policy,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
krbPwdFailureCountInterval krbPwdLockoutDuration"
[15/Mar/2018:23:13:06.612874801 -0400] conn=9 op=99470 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.614845128 -0400] conn=8 op=338424 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/idmipa01.nix.my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=host/idmipa01.nix.my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.615299624 -0400] conn=8 op=338424 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.615585618 -0400] conn=8 op=338425 SRCH
base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[15/Mar/2018:23:13:06.615741765 -0400] conn=8 op=338425 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.616016867 -0400] conn=8 op=338426 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/nix.my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/nix.my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.616474488 -0400] conn=8 op=338426 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.616734155 -0400] conn=8 op=338427 SRCH
base="cn=Default Host Password
Policy,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
krbPwdFailureCountInterval krbPwdLockoutDuration"
[15/Mar/2018:23:13:06.616891114 -0400] conn=8 op=338427 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.617275452 -0400] conn=8 op=338428 SRCH
base="fqdn=idmipa01.nix.my.dom,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom"
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
ipaNTHomeDirectoryDrive"
[15/Mar/2018:23:13:06.619766808 -0400] conn=8 op=338428 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.619940264 -0400] conn=8 op=338429 SRCH
base="cn=idmipa01.nix.my.dom,cn=masters,cn=ipa,cn=etc,dc=nix,dc=my,dc=dom"
scope=0 filter="(objectClass=*)" attrs=ALL
[15/Mar/2018:23:13:06.620166400 -0400] conn=8 op=338429 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.620841171 -0400] conn=8 op=338430 MOD
dn="fqdn=idmipa01.nix.my.dom,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom"
[15/Mar/2018:23:13:06.627304715 -0400] conn=8 op=338430 RESULT err=0
tag=103 nentries=0 etime=0 csn=5aab36ca000000040000
[15/Mar/2018:23:13:06.635192361 -0400] conn=9 op=99471 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/nix.my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/nix.my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.635734053 -0400] conn=9 op=99471 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.636355108 -0400] conn=9 op=99472 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.636934738 -0400] conn=9 op=99472 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.637192683 -0400] conn=9 op=99473 SRCH
base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[15/Mar/2018:23:13:06.637329793 -0400] conn=9 op=99473 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.637651311 -0400] conn=9 op=99474 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/idmipa01.nix.my....@nix.my.dom))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.638056445 -0400] conn=9 op=99474 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.638324542 -0400] conn=9 op=99475 SRCH
base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[15/Mar/2018:23:13:06.638461582 -0400] conn=9 op=99475 RESULT err=0
tag=101 nentries=1 etime=0
Cheers,
Tom
[General]
Verbosity = 9
Domain = nix.my.dom
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = idmipa01.nix.my.dom
LDAP_base = cn=accounts,DC=NIX,DC=MY,DC=DOM
LDAP_people_base = DC=NIX,DC=MY,DC=DOM
LDAP_group_base = DC=NIX,DC=MY,DC=DOM
The people basedn should probably be cn=users,cn=accounts,... and the
group base cn=groups,cn=accounts,... Unless it cleverly smashes that
together with LDAP_base, I'm not sure what it does. The 389-ds access
logs will tell you if it is trying at all (note the logs are
write-buffered so you won't see immediate updates).
If you have compat enabled then idmapd may be getting multiple entries,
one from cn=compat and one from the main tree and that could be
confusing it.
No difference. Even the IP defined users are having this issue.
However, and this may be a very dumb question, but you raised 389-ds
logs. I'm using IPA Server, not 389-ds unless you're implying I may
need packages? The IPA servers come with 389-ds-base installed but do I
need this or something else on the IPA clients as well?
In the existing IPA logs, no other log entries correlate with the
nfsidmapd messages on the client.
Method = umich_ldap,nsswitch,static
GSS-Methods = umich_ldap,nsswitch,static
However it still lists:
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
user_dn : <not-supplied>
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
passwd : <not-supplied>
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
use_ssl : no
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
ca_cert : <not-supplied>
and I'm not sure what variables idmapd.conf uses for password and user.
Still, I've left the LAB KDC open so no users and passes are needed for
simple lookups.
After setting the above, the messages in the logs changed slightly:
Mar 15 01:29:24 ipaclient01 systemd-logind: New session 5 of user
tomk.
Mar 15 01:29:24 ipaclient01 systemd: Started Session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 systemd: Starting Session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid
value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
umich_ldap->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind:
version
mismatch between API information and protocol version. Setting
protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
umich_ldap->name_to_uid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
'tomk@localdomain' domain 'nix.my.dom': resulting localname '(null)'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
'tomk@localdomain' does not map into domain 'nix.my.dom'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
nsswitch->name_to_uid returned -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final
return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
umich_ldap->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind:
version
mismatch between API information and protocol version. Setting
protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
umich_ldap->name_to_uid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
'nob...@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
nsswitch->name_to_uid returned 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final
return value is 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid
value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
umich_ldap->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind:
version
mismatch between API information and protocol version. Setting
protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
umich_ldap->name_to_gid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
nsswitch->name_to_gid returned -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final
return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
umich_ldap->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind:
version
mismatch between API information and protocol version. Setting
protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
umich_ldap->name_to_gid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
nsswitch->name_to_gid returned 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final
return value is 0
(Port 389 between client and server is open.) Seems like the line:
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid
value: tomk@localdomain timeout 600
might be to blame. It's the first line that shows localdomain, but it
should not. My hosts file:
[root@ipaclient01 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.236 ipaclient01.nix.my.dom ipaclient01
[root@ipaclient01 ~]#
Guessing key gets its info from /etc/hosts directly and I should look
at that?
Cheers,
Tom
rob
Cheers,
Tom
TomK via FreeIPA-users wrote:
Hey Guys,
Getting below message which in turn fails to list proper UID / GID on
NFSv4 mounts from within an unprivileged account. All files show up with
owner and group as nobody / nobody when viewed from the client.
Is there a way to structure /etc/idmapd.conf to allow for proper UID /
GID resolution? Or perhaps another solution?
[root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e "/^$/d"
[General]
Verbosity = 7
Domain = nix.my.dom
[Mapping]
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu
[root@client01 etc]#
Mount looks like this:
nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4
(rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)
/var/log/messages
Mar 6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b
type: uid
value: t...@my.dom@localdomain timeout 600
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid:
calling
nsswitch->name_to_uid
Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
't...@my.dom@localdomain' domain 'nix.my.dom': resulting localname
'(null)'
Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
't...@my.dom@localdomain' does not map into domain 'nix.my.dom'
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid:
nsswitch->name_to_uid returned -22
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final
return
value is -22
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid:
calling
nsswitch->name_to_uid
Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
'nob...@nix.my.dom' domain 'nix.my.dom': resulting localname
'nobody'
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid:
nsswitch->name_to_uid returned 0
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final
return
value is 0
Mar 6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048
type: gid
value: t...@my.dom@localdomain timeout 600
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid:
calling
nsswitch->name_to_gid
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid:
nsswitch->name_to_gid returned -22
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final
return
value is -22
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid:
calling
nsswitch->name_to_gid
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid:
nsswitch->name_to_gid returned 0
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final
return
value is 0
Mar 6 00:17:31 client01 systemd-logind: Removed session 23.
Result of:
systemctl restart rpcidmapd
/var/log/messages
-------------------
Mar 5 23:46:12 client01 systemd: Stopping Automounts
filesystems on
demand...
Mar 5 23:46:13 client01 systemd: Stopped Automounts
filesystems on
demand.
Mar 5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping
service...
Mar 5 23:48:51 client01 systemd: Starting Preprocess NFS
configuration...
Mar 5 23:48:51 client01 systemd: Started Preprocess NFS
configuration.
Mar 5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping
service...
Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using
domain:
nix.my.dom
Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms
list:
'NIX.MY.DOM'
Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap:
using
domain: nix.my.dom
Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap:
Realms
list: 'NIX.MY.DOM'
Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap:
loaded
plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded
plugin
/lib64/libnfsidmap/nsswitch.so for method nsswitch
Mar 5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is
600
seconds.
Mar 5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping
service.
Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened
/proc/net/rpc/nfs4.nametoid/channel
Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened
/proc/net/rpc/nfs4.idtoname/channel
You might be able to correlate that to the 389-ds access log to see what
queries are being executed.
You probably need to set LDAP_people_base and LDAP_group_base as well.
I think ipa-client-automount only sets the Domain value and doesn't
configure the ldap section at all.
rob
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to
sssd-users-le...@lists.fedorahosted.org
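Added example, not part of the original thread or of any project's code: a small Python check that pairs each `nfsidmap` key request in syslog with its result and compares the name's domain suffix against the `Domain` value in idmapd.conf, which is the mismatch visible in the logs above (`tomk@localdomain` versus `nix.my.dom`). The configuration and log lines are constructed samples in the thread's format; the user `alice` and PID 1901 are hypothetical, and the code assumes the first "final return value" after a key line belongs to the requested name, with any later one being the nobody fallback.

```python
import configparser
import re

# Constructed inputs modelled on the idmapd.conf and /var/log/messages
# excerpts in the thread; "alice" and PID 1901 are hypothetical.
IDMAPD_CONF = """\
[General]
Verbosity = 9
Domain = nix.my.dom
[Translation]
Method = nsswitch
"""

SAMPLE_LOG = """\
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'tomk@localdomain' does not map into domain 'nix.my.dom'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final return value is 0
Mar 15 01:30:02 ipaclient01 nfsidmap[1901]: key: 0x2a41c0de type: uid value: alice@nix.my.dom timeout 600
Mar 15 01:30:02 ipaclient01 nfsidmap[1901]: nfs4_name_to_uid: final return value is 0
"""

KEY_RE = re.compile(
    r"nfsidmap\[(?P<pid>\d+)\]: key: \S+ type: (?P<type>uid|gid) "
    r"value: (?P<name>\S+) timeout")
RET_RE = re.compile(
    r"nfsidmap\[(?P<pid>\d+)\]: nfs4_name_to_[ug]id: "
    r"final return value is (?P<rc>-?\d+)")


def configured_domain(conf_text):
    """Return the Domain value from the [General] section of idmapd.conf."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    return cfg.get("General", "Domain").strip()


def audit(log_text, domain):
    """Pair each key request with its first result and flag domain mismatches."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            name = m["name"]
            suffix = name.rsplit("@", 1)[1] if "@" in name else ""
            rec = {"type": m["type"], "name": name, "suffix": suffix,
                   "domain_ok": suffix.lower() == domain.lower(), "rc": None}
            pending[m["pid"]] = rec
            findings.append(rec)
            continue
        m = RET_RE.search(line)
        if m and m["pid"] in pending and pending[m["pid"]]["rc"] is None:
            # Assumption: the first result is for the requested name; a later
            # one in the same PID is the lookup of the nobody fallback.
            pending[m["pid"]]["rc"] = int(m["rc"])
    return findings


if __name__ == "__main__":
    dom = configured_domain(IDMAPD_CONF)
    for f in audit(SAMPLE_LOG, dom):
        status = "mapped" if f["domain_ok"] and f["rc"] == 0 else "not mapped"
        print(f"{f['type']} {f['name']}: suffix={f['suffix']!r} "
              f"expected={dom!r} rc={f['rc']} -> {status}")
```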