Hi,

First I wish to thank everybody that helped me out trying to solve this issue, and I also wish to inform you that NFS 4 does not work with AD users through an AD and IPA trust at the moment for RHEL 6 and 7.
The reason is that rpc.idmapd does not parse fully-qualified usernames, so "[email protected]@IPA.EXAMPLE.ORG" does not work. The client-side code is stripping the domain off based on the location of the first "@" character in the value returned by the server. This results in UID/GID mappings failing and in ownership on the clients of "nobody".

Regards,
Johan

From: Dmitri Pal [[email protected]]
Sent: Thursday, June 05, 2014 21:03
To: Johan Petersson; Alexander Bokovoy
Cc: Sumit Bose; [email protected]
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/04/2014 09:57 AM, Johan Petersson wrote:
> Yes the message is exactly like that with commas, I double checked.
>
> To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help?
>
> I did on all machines and got rid of that specific message but I still get user nobody unfortunately.
>
> Here are logs from when I did a su - [email protected]@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
>
> Client:
> Jun 4 15:30:13 client su: (to [email protected]) linux on pts/0
> Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: [email protected]@linux.home timeout 600
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of the resolution?
>
> NFS Server:
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "[email protected]@linux.home"
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "[email protected]"
>
> The group ad_users is an IPA group with external maps from AD Domain users.
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:[email protected]]
> Sent: Wednesday, June 04, 2014 3:14 PM
> To: Johan Petersson
> Cc: [email protected]; [email protected]
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> On Wed, 04 Jun 2014, Johan Petersson wrote:
>> Mail got posted before I was finished, sorry.
>>
>> I found one clue to the issue after increasing autofs logging to debug and, as I thought, it has to do with id-mapping.
>>
>> From /var/log/messages:
>>
>> Nfsidmap[1696]: nss_getpwnam: name '[email protected]@linux.home,' does not map into domain 'linux.home,'
> Are you sure the message is exactly like this, with a comma after linux.home?
>
> The reason I'm asking is because the code that prints the message looks like this:
>
> localname = strip_domain(name, domain);
> IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
>           "resulting localname '%s'\n", name, domain, localname));
> if (localname == NULL) {
>         IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
>                   "into domain '%s'\n", name,
>                   domain ? domain : "<not-provided>"));
>         goto err_free_buf;
> }
>
> Note that it doesn't have a comma anywhere in the string printed.
>
> Can you please increase the log level to 4 so that we can see the first string (nss_getpwnam: name '....' domain '...': resulting localname ...)? It would be
>
> [general]
> Verbosity = 4
>
> in /etc/idmapd.conf
>
>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Johan Petersson
>> Sent: Wednesday, June 04, 2014 12:02 PM
>> To: [email protected]; [email protected]
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>
>> Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.
>>
>> server.ad.home = AD Server
>> share.linux.home = NFS Server
>> ipa.linux.home = IPA Server
>> client.linux.home = Client
>>
>> NFS with automounted krb5p Home Directories works for IPA users.
>>
>> sssd-1.11.2-65.el7.x86_64
>>
>> id [email protected]
>> uid=497801107([email protected]) gid=497801107([email protected]) groups=497801107([email protected]),497800513(domain [email protected])
>>
>> getent passwd [email protected]
>> [email protected]:*:497801107:497801107::/home/ad.home/adtest:
>>
>> klist after kinit [email protected]
>>
>> [root@client ~]# klist -e
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: [email protected]
>>
>> Valid starting       Expires              Service principal
>> 06/04/14 11:28:35    06/04/14 21:28:35    krbtgt/[email protected]
>>         renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>
>> klist after ssh [email protected]@ipa.linux.home
>>
>> klist
>> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
>> Default principal: [email protected]
>>
>> Valid starting       Expires              Service principal
>> 06/04/14 11:35:16    06/04/14 21:35:16    nfs/[email protected]
>>         renew until 06/05/14 11:28:30
>> 06/04/14 11:35:16    06/04/14 21:35:16    krbtgt/[email protected]
>>         renew until 06/05/14 11:28:30
>> 06/04/14 11:28:35    06/04/14 21:35:16    krbtgt/[email protected]
>>         renew until 06/05/14 11:28:30
>>
>> Home Directory gets mounted by autofs through sssd but user:group is both nobody.
>>
>> The Client's sssd.conf:
>>
>> [domain/linux.home]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linux.home
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = client.linux.home
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = _srv_, ipa.linux.home
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> autofs_provider = ipa
>> ipa_automount_location = default
>> subdomains_provider = ipa
>> [sssd]
>> services = nss, pam, autofs, ssh
>> config_file_version = 2
>>
>> domains = linux.home
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Dmitri Pal
>> Sent: Tuesday, June 03, 2014 6:48 PM
>> To: [email protected]
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>
>> On 06/03/2014 09:07 AM, Johan Petersson wrote:
>> Hi,
>>
>> Environment:
>>
>> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
>> RHEL 7 NFS Server
>> RHEL 7 Client
>>
>> I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA.
>> I have created a NFS share /home/adexample.org and use autofs map in IPA.
>> All wbinfo tests work, as well as id.
>> I can login fine through SSH and Shell with [email protected]
>> The problem is that I can add the AD user as owner of his Home Directory, and if I log in to the NFS Server locally or through ssh permissions are correct, but when logging in to any other computer I get "nobody" as owner.
>> Are those computers RHEL7 NFS clients with SSSD?
>> Can you describe them in more detail please?
>>
>> Groups are no problem since AD groups can be mapped to Posix groups.
>>
>> Idmap.conf domain is set to the IPA Domain.
>>
>> Is there some way to get NFS working with the AD user as owner of his Home Directory?
>>
>> Thanks for any help.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>
> --
> / Alexander Bokovoy

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
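As an added illustration of the parsing behaviour Johan's summary describes (why a fully-qualified trusted-domain owner string comes back as "nobody"), here is a small, self-contained C program. It is not nfs-utils code and not code from anyone on the thread: it re-implements a simplified strip_domain()-style check, once cutting the realm at the first "@" (the behaviour reported in the thread) and once at the last "@" (one candidate correction, shown for comparison only, not the upstream fix). The realms and user names are constructed placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/*
 * Simplified idmapd-style domain stripping, written for this illustration
 * (not nfs-utils code). Given an NFSv4 owner string "name@realm" and the
 * configured local domain, return the malloc'd local part when the realm
 * matches the domain, otherwise NULL ("does not map", which a client turns
 * into uid/gid nobody). 'at' is the '@' the caller chose as the boundary.
 */
static char *local_part(const char *name, const char *domain, const char *at)
{
    size_t len;
    char *l;

    if (at == NULL) {
        /* No realm in the string: only acceptable when no domain is configured. */
        if (domain != NULL)
            return NULL;
        len = strlen(name);
    } else {
        /* The realm after the chosen '@' must equal the configured domain. */
        if (domain != NULL && strcasecmp(at + 1, domain) != 0)
            return NULL;
        len = (size_t)(at - name);
    }
    l = malloc(len + 1);
    if (l == NULL)
        return NULL;
    memcpy(l, name, len);
    l[len] = '\0';
    return l;
}

/* Behaviour reported in the thread: the realm is taken to start at the FIRST '@'. */
char *strip_domain_first_at(const char *name, const char *domain)
{
    return local_part(name, domain, strchr(name, '@'));
}

/* Candidate correction for comparison: treat the LAST '@' as the boundary, so
 * "user@AD.REALM@IPA.REALM" keeps "user@AD.REALM" as its local name. */
char *strip_domain_last_at(const char *name, const char *domain)
{
    return local_part(name, domain, strrchr(name, '@'));
}

/*
 * Returns 1 when the chosen strategy maps 'name' to 'expected'
 * (expected == NULL means "expected not to map"), 0 otherwise.
 */
int mapping_matches(const char *name, const char *domain, int use_last_at,
                    const char *expected)
{
    char *got = use_last_at ? strip_domain_last_at(name, domain)
                            : strip_domain_first_at(name, domain);
    int ok = (got == NULL) ? (expected == NULL)
                           : (expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample owner strings; realms and users are placeholders. */
    const char *domain = "IPA.EXAMPLE.ORG";
    const char *names[] = {
        "alice@IPA.EXAMPLE.ORG",               /* native IPA user */
        "bob@AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG",  /* AD user seen through the trust */
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *first = strip_domain_first_at(names[i], domain);
        char *last = strip_domain_last_at(names[i], domain);
        printf("%-38s first-'@': %-24s last-'@': %s\n", names[i],
               first ? first : "(does not map -> nobody)",
               last ? last : "(does not map -> nobody)");
        free(first);
        free(last);
    }
    return 0;
}
```

Running it shows the native user mapping either way, while the trusted-domain user only maps when the realm is cut at the last "@"; with the first-"@" rule the realm comparison sees "AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG", which never equals the configured domain, which is exactly the "does not map into domain" path in the log excerpt Alexander quoted.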
