Hi All.

We have IPA setup in an AD trust to support our Linux fleet.  I’m running into 
a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an 
NFS-mounted filesystem from an NFS server using NFSv4/krb5.  Files and 
directories show up as ‘nobody’ or an incorrect numerical ID when listed with 
‘ls’.  RHEL7 clients seem to be working fine with a very similar configuration (as 
far as I can tell).

The particulars are:

  - AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user 
identity is ‘user@localdomain’)
  - IPA domain is ‘ipa.localdomain’
  - The NFS server (RHEL7) and clients (Ubu16.04, RHEL7) are both enrolled to 
IPA (with ‘Domain=ipa.localdomain’ in /etc/idmapd.conf).

I have mounted the NFS volume on the clients with a simple:

  mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt

Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see:

$ ls -ld rns
drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns

.. with these corresponding nfsidmap messages:

Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22

.. whereas on the RHEL7 client, I see:

$ ls -ld rns
drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns

Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: key: 0xf113fd2 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: key: 0x2125a5d2 type: gid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: final return value is 0

Why does the Ubuntu client's nfsidmap think that my identity doesn’t map into 
‘ipa.localdomain’ and therefore (presumably) returns the error code ‘-22’?

(My identity resolves ok from the shell, using ‘id rns@localdomain’ and I can 
login and use local filesystems without issue).

The idmapd.conf looks like this:

[General]

Verbosity = 4
Pipefs-Directory = /run/rpc_pipefs

Domain = ipa.localdomain
Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = nsswitch

Any pointers appreciated!

Regards,

Robert.
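
Added example, not part of the original post: a small Python script that groups the nfsidmap messages shown above by host and PID and pairs each lookup with its resulting localname and final return value, so a failed mapping such as the -22 on the Ubuntu client stands out. The function names and the sample (a constructed subset of the post's log lines, one syslog line each) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the nfsidmap lines quoted in the post.
SAMPLE = """\
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: key: 0xf113fd2 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: key: 0x2125a5d2 type: gid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: final return value is 0
"""

LINE = re.compile(r"(?P<host>\S+) nfsidmap\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KEY = re.compile(r"key: \S+ type: (?P<type>\w+) value: (?P<value>\S+)")
LOCAL = re.compile(r"resulting localname '(?P<local>[^']*)'")
FINAL = re.compile(r"final return value is (?P<rc>-?\d+)")

def summarize(text):
    """Return {(host, pid): record}, one record per nfsidmap lookup.

    Assumption: each lookup runs in its own nfsidmap process, as in the
    post's logs, so (host, pid) identifies one lookup within a short window.
    """
    lookups = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an nfsidmap message
        rec = lookups[(m["host"], int(m["pid"]))]
        for pattern in (KEY, LOCAL, FINAL):
            hit = pattern.search(m["msg"])
            if hit:
                rec.update(hit.groupdict())
    for rec in lookups.values():
        if "rc" in rec:
            rec["rc"] = int(rec["rc"])
    return dict(lookups)

def failed(lookups):
    """Keep only lookups whose final return value is non-zero."""
    return {k: r for k, r in lookups.items() if r.get("rc", 0) != 0}

if __name__ == "__main__":
    for (host, pid), rec in failed(summarize(SAMPLE)).items():
        print(host, pid, rec)
```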
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org