On Wed, Jun 04, 2014 at 12:24:11PM +0000, Johan Petersson wrote:
> Mail got posted before I was finished, sorry.
>
> I found one clue to the issue after increasing autofs logging to debug and, as
> I thought, it has to do with id-mapping.
>
> From /var/log/messages:
>
> Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map
> into domain 'linux.home,'

Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might
help? I'll check the nfsidmap code to see how/if it can handle trusted domains.

bye,
Sumit

> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
> Sent: Wednesday, June 04, 2014 12:02 PM
> To: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.
>
> server.ad.home = AD Server
> share.linux.home = NFS Server
> ipa.linux.home = IPA Server
> client.linux.home = Client
>
> NFS with automounted krb5p Home Directories works for IPA users.
>
> sssd-1.11.2-65.el7.x86_64
>
> id adt...@ad.home
> uid=497801107(adt...@ad.home) gid=497801107(adt...@ad.home)
> groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)
>
> getent passwd adt...@ad.home
> adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:
>
> klist after kinit adt...@ad.home
>
> [root@client ~]# klist -e
> Ticket cache: KEYRING:persistent:0:0
> Default principal: adt...@ad.home
>
> Valid starting       Expires              Service principal
> 06/04/14 11:28:35    06/04/14 21:28:35    krbtgt/ad.h...@ad.home
>         renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> klist after ssh adt...@ad.home@ipa.linux.home
>
> klist
> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
> Default principal: adt...@ad.home
>
> Valid starting       Expires              Service principal
> 06/04/14 11:35:16    06/04/14 21:35:16    nfs/share.linux.h...@linux.home
>         renew until 06/05/14 11:28:30
> 06/04/14 11:35:16    06/04/14 21:35:16    krbtgt/linux.h...@ad.home
>         renew until 06/05/14 11:28:30
> 06/04/14 11:28:35    06/04/14 21:35:16    krbtgt/ad.h...@ad.home
>         renew until 06/05/14 11:28:30
>
> Home Directory gets mounted by autofs through sssd but user:group is both
> nobody.
>
> The Client's sssd.conf:
>
> [domain/linux.home]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linux.home
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = client.linux.home
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa.linux.home
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> subdomains_provider = ipa
> [sssd]
> services = nss, pam, autofs, ssh
> config_file_version = 2
>
> domains = linux.home
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
> Sent: Tuesday, June 03, 2014 6:48 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> On 06/03/2014 09:07 AM, Johan Petersson wrote:
> Hi,
>
> Environment:
>
> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
> RHEL 7 NFS Server
> RHEL 7 Client
>
> I have found one problem when using a NFS 4 shared Home Directory for AD
> users logging in to IPA.
> I have created a NFS share /home/adexample.org and use autofs map in IPA.
> All wbinfo tests work as well as id.
> I can login fine through SSH and Shell with adt...@adexample.org
> The problem is that I can add the AD user as owner of his Home Directory and
> if I log in to the NFS Server locally or through ssh permissions are correct
> but when logging in to any other computer I get "nobody" as owner.
>
> Are those computers RHEL7 NFS clients with SSSD?
> Can you describe them in more detail please?
>
> Groups are no problem since AD groups can be mapped to Posix groups.
>
> Idmap.conf domain is set to the IPA Domain.
>
> Is there some way to get NFS working with the AD user as owner of his Home
> Directory?
>
> Thanks for any help.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
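The "nobody" owner discussed in this thread is produced by the NFSv4 id-mapping step: the server sends owners as strings of the form user@nfsv4-domain, and the client has to recognise the trailing domain before it can look the user up through NSS. The Python model below is an added example (not code from the thread, from sssd or from nfs-utils) showing why a trust user whose name itself contains '@' must be split on the last '@', and how a client whose configured domain does not match the server's falls back to nobody. The passwd table, the realm list and the nobody uid are constructed; whether Local-Realms participates in this step is exactly the open question above, so the model simply accepts an extra list of realm suffixes.

```python
"""Simplified model of NFSv4 owner-string id-mapping (added example, not
libnfsidmap's code).  The server sends owners as "user@nfsv4domain"; the
client must recognise and strip the trailing domain, then resolve the rest
through NSS (getpwnam).  Anything unresolved shows up as "nobody"."""
from typing import Dict, Iterable, Optional

NOBODY_UID = 65534  # constructed fallback uid; the real value is distro-specific

# Constructed NSS view of the client from the thread: sssd resolves the AD
# user by qualified name ("adt..." is the archive's truncation) plus one IPA user.
PASSWD: Dict[str, int] = {"adt...@ad.home": 497801107, "ipauser": 1000}


def strip_nfs4_domain(owner: str, domain: str,
                      extra_realms: Iterable[str] = ()) -> Optional[str]:
    """Return the user part if the owner's trailing '@realm' is accepted.

    Split on the LAST '@': a trust user such as 'adt...@ad.home@linux.home'
    carries two '@', and only the final suffix is the NFSv4 domain.
    """
    user, sep, realm = owner.rpartition("@")
    if not sep:
        return owner  # no domain suffix at all: look the name up as-is
    accepted = {r.lower() for r in (domain, *extra_realms)}
    return user if realm.lower() in accepted else None


def owner_to_uid(owner: str, domain: str, passwd: Dict[str, int] = PASSWD,
                 extra_realms: Iterable[str] = ()) -> int:
    """Map an NFSv4 owner string to a uid, or to the 'nobody' fallback."""
    local_name = strip_nfs4_domain(owner, domain, extra_realms)
    if local_name is None:
        return NOBODY_UID  # domain mismatch: "does not map into domain ..."
    return passwd.get(local_name, NOBODY_UID)  # unknown user: also nobody


def naive_owner_to_uid(owner: str, domain: str,
                       passwd: Dict[str, int] = PASSWD) -> int:
    """Same mapping split on the FIRST '@': fails for trust users."""
    user, _, realm = owner.partition("@")
    if realm.lower() != domain.lower():
        return NOBODY_UID
    return passwd.get(user, NOBODY_UID)


if __name__ == "__main__":
    owner = "adt...@ad.home@linux.home"
    print(owner_to_uid(owner, "linux.home"))        # 497801107
    print(owner_to_uid(owner, "example.com"))       # 65534: domain mismatch
    print(naive_owner_to_uid(owner, "linux.home"))  # 65534: wrong split
```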