On 03-11-2023 08:58, Kees Bakker via FreeIPA-users wrote:
Hi,
Perhaps a cryptic subject. Let me explain what the problem is.

For a long time we had a working NFS4 configuration. Server is a CentOS 9 Stream system deployed as a host in IPA. Clients are mostly Ubuntu 20 systems. Automount is in place and working.

Two weeks ago we had to power off the server and bring it back up. Since then the idmap-ing isn't working anymore. What we see is that ls -l shows files owned by nobody:nogroup. If I create a file in that mounted directory then on the server I can see that it has the correct uid:gid.

In syslog we see lines like this one

nov 03 08:37:28 winkel nfsidmap[135850]: nss_name_to_gid: name 'keesb@localdomain' does not map into domain 'example.com'

localdomain is obviously not correct. But where does that come from? Does it come from the NFS server? Is it constructed on the NFS client? I have no idea where to look. All Kerberos things seem to be in place.

In the meantime on the NFS client I have added Domain in the [General] section in /etc/idmap.conf, like so

[General]
# set your own domain here, if it differs from the FQDN minus hostname
# Domain = localdomain
Domain = example.com

It was not needed before, but hey. Nevertheless, that didn't help. I even rebooted this NFS client.

A follow-up.

We also have a TrueNAS system with NFS. If I mount a from there the idmap is correct. That makes me draw the conclusion that the CentOS NFS server is at fault.

So I started looking on the NFS server. I decided to look at the verbose output of rpc.idmapd. And you know what? After restarting it simply worked.

So, maybe there is a timing issue when the machine is restarted. BTW, we also did a restart of the IPA servers at the same time. Somehow rpc.idmapd failed to get its domainname and it fell back to localdomain.

Anyway, thanks for listening :-) I hope someone else finds this useful someday.

BTW, rpc.idmapd is also looking at the _nfsv4idmapdomain text record, see [1]. That record does not exist. Maybe I'll add it. Oh, and maybe that could have been added during IPA server install.

[1] https://man7.org/linux/man-pages/man8/idmapd.8.html
--
Kees
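
Added example, not part of the original message: a small shell check that reads the Domain setting from an idmapd.conf-style file and the nfsidmap "does not map into domain" lines from a log, then reports whether the mismatch points at the peer or at the local configuration. The function names (conf_domain, mismatches, diagnose) are hypothetical and the sample files are constructed from the config and log line quoted in the message.

```sh
#!/bin/sh
# Added example (not from the original message): find out which side of an
# NFSv4 mount is using the wrong idmap domain.

# Print the active Domain value from the [General] section of an idmapd.conf.
conf_domain() {
    awk '
        /^[ \t]*\[/ { in_general = (tolower($0) ~ /\[general\]/); next }
        in_general && /^[ \t]*[Dd]omain[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Print "<domain sent by peer> <local domain>" for each distinct nfsidmap
# "does not map into domain" message in a log file.
mismatches() {
    sed -n "s/.*name '[^@']*@\([^']*\)' does not map into domain '\([^']*\)'.*/\1 \2/p" "$1" | sort -u
}

# Report, per mismatch, whether the peer or the local configuration is off.
diagnose() {    # $1 = idmapd.conf path, $2 = log file
    want=$(conf_domain "$1")
    mismatches "$2" | while read -r sent local; do
        if [ -n "$want" ] && [ "$local" != "$want" ]; then
            echo "local: running domain '$local' differs from configured '$want'"
        else
            echo "peer: names arrive as @$sent, local domain is '$local'"
        fi
    done
}

# Constructed sample input, modelled on the log line and config in the message.
demo_dir=$(mktemp -d)
cat > "$demo_dir/idmapd.conf" <<'EOF'
[General]
# Domain = localdomain
Domain = example.com
EOF
cat > "$demo_dir/syslog" <<'EOF'
nov 03 08:37:28 winkel nfsidmap[135850]: nss_name_to_gid: name 'keesb@localdomain' does not map into domain 'example.com'
nov 03 08:37:29 winkel nfsidmap[135851]: nss_name_to_gid: name 'keesb@localdomain' does not map into domain 'example.com'
nov 03 08:37:30 winkel sshd[999]: unrelated line
EOF
diagnose "$demo_dir/idmapd.conf" "$demo_dir/syslog"
```

A "peer" result on an NFS client matches the situation in the message: the client's own domain is right and the names arriving from the server carry the wrong one.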