Yes the message is exactly like that with commas, I double checked.

To answer Sumit's question: maybe adding 'linux.home' and 'ad.home' to  
Local-Realms in idmap.conf might help?

I did that on all machines and got rid of that specific message, but I still get user 
nobody unfortunately.

Here are logs from when I did a su - adt...@ad.home@linux.home with both 
AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.

Client:
Jun  4 15:30:13 client su: (to adt...@ad.home) linux on pts/0
Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adt...@ad.home@linux.home timeout 600
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

NFS Server:
Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "adt...@ad.home@linux.home"
Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "ad_us...@linux.home"

The group ad_users is an IPA group with external maps from AD Domain users.
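As an added illustration (not code from this thread or from libnfsidmap), the Python below models the strip_domain / nss_getpwnam decision that the snippet quoted further down refers to: it reads Domain and Local-Realms from a constructed idmapd.conf and shows how a clean value maps the constructed owner string 'aduser@ad.home@linux.home' to 'aduser@ad.home', while a value carrying a stray trailing comma does not map at all. The config parser and the order in which Domain and Local-Realms are tried are assumptions of this model.

```python
import re

# Added model (not libnfsidmap's own code) of the strip_domain/nss_getpwnam
# logic quoted further down the thread: an NFSv4 owner string is split at its
# LAST '@' and maps into a realm only if the suffix equals that realm
# case-insensitively. Config keys follow /etc/idmapd.conf; the order in which
# Domain and Local-Realms are tried is an assumption of this model.

# Constructed sample configs; the second carries a stray trailing comma.
GOOD_CONF = "[General]\nVerbosity = 4\nDomain = linux.home\nLocal-Realms = AD.HOME, LINUX.HOME\n"
BAD_CONF = "[General]\nDomain = linux.home,\n"

def parse_idmapd_general(text):
    """Return (Domain, [Local-Realms, ...]) from the [General] section.
    Values are kept verbatim so a stray character is not silently hidden."""
    domain, realms, section = None, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if section != 'general' or '=' not in line:
            continue
        key, _, val = line.partition('=')
        key, val = key.strip().lower(), val.strip()
        if key == 'domain':
            domain = val
        elif key == 'local-realms':
            realms = [r.strip() for r in val.split(',') if r.strip()]
    return domain, realms

def strip_domain(name, realm):
    """Mirror strrchr(name, '@') plus strcasecmp(suffix, realm); None = no map."""
    user, sep, suffix = name.rpartition('@')
    if not sep or suffix.lower() != realm.lower():
        return None
    return user

def local_name(name, domain, local_realms):
    """Return the local account name, trying Domain and then each Local-Realm."""
    for realm in [domain] + local_realms:
        if realm:
            local = strip_domain(name, realm)
            if local is not None:
                return local
    return None  # the "does not map into domain" case; caller ends up with nobody

if __name__ == '__main__':
    owner = 'aduser@ad.home@linux.home'  # constructed NFSv4 owner string
    for label, conf in (('good', GOOD_CONF), ('bad', BAD_CONF)):
        domain, realms = parse_idmapd_general(conf)
        print(label, repr(domain), realms, '->', local_name(owner, domain, realms))
```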

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Wednesday, June 04, 2014 3:14 PM
To: Johan Petersson
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On Wed, 04 Jun 2014, Johan Petersson wrote:
>Mail got posted before I was finished, sorry.
>
>I found one clue to the issue after increasing autofs logging to debug and, as 
>I thought, it has to do with id-mapping.
>
>From /var/log/messages:
>
>Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map into domain 'linux.home,'
Are you sure the message is exactly like this, with a comma after linux.home?

The reason I'm asking is because the code that prints the message looks like 
this:

        localname = strip_domain(name, domain);
        IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
                  "resulting localname '%s'\n", name, domain, localname));
        if (localname == NULL) {
                IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
                        "into domain '%s'\n", name,
                        domain ? domain : "<not-provided>"));
                goto err_free_buf;
        }

Note that it doesn't have a comma anywhere in the printed string.

Can you please increase the log level to 4 so that we can see the first string 
(nss_getpwnam: name '....' domain '...': resulting localname ...)? It would be

[general]
  Verbosity = 4

in /etc/idmapd.conf
>From: freeipa-users-boun...@redhat.com 
>[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
>Sent: Wednesday, June 04, 2014 12:02 PM
>To: d...@redhat.com; freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
>Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.
>
>
>server.ad.home = AD Server
>share.linux.home = NFS Server
>ipa.linux.home = IPA Server
>client.linux.home = Client
>
>NFS with automounted krb5p Home Directories work for IPA users.
>
>sssd-1.11.2-65.el7.x86_64
>
>id adt...@ad.home
>uid=497801107(adt...@ad.home) gid=497801107(adt...@ad.home) groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)
>
>getent passwd adt...@ad.home
>adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:
>
>klist after kinit adt...@ad.home
>
>[root@client ~]# klist -e
>Ticket cache: KEYRING:persistent:0:0
>Default principal: adt...@ad.home
>
>Valid starting     Expires            Service principal
>06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/ad.h...@ad.home
>         renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>klist after ssh adt...@ad.home@ipa.linux.home
>
>klist
>Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
>Default principal: adt...@ad.home
>
>Valid starting     Expires            Service principal
>06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.h...@linux.home
>         renew until 06/05/14 11:28:30
>06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/linux.h...@ad.home
>         renew until 06/05/14 11:28:30
>06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/ad.h...@ad.home
>         renew until 06/05/14 11:28:30
>
>Home Directory gets mounted by autofs through sssd but user:group is both 
>nobody.
>
>The Client's sssd.conf:
>
>[domain/linux.home]
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = linux.home
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = client.linux.home
>chpass_provider = ipa
>ipa_dyndns_update = True
>ipa_server = _srv_, ipa.linux.home
>ldap_tls_cacert = /etc/ipa/ca.crt
>autofs_provider = ipa
>ipa_automount_location = default
>subdomains_provider = ipa
>[sssd]
>services = nss, pam, autofs, ssh
>config_file_version = 2
>
>domains = linux.home
>[nss]
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>
>From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
>Sent: Tuesday, June 03, 2014 6:48 PM
>To: freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
>On 06/03/2014 09:07 AM, Johan Petersson wrote:
>Hi,
>
>Environment:
>
>RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
>RHEL 7 NFS Server
>RHEL 7 Client
>
>I have found one problem when using an NFS 4 shared Home Directory for AD users 
>logging in to IPA.
>I have created an NFS share /home/adexample.org and use an autofs map in IPA.
>All wbinfo tests work, as does id.
>I can log in fine through SSH and Shell with adt...@adexample.org
>The problem is that I can add the AD user as owner of his Home Directory, and 
>if I log in to the NFS Server locally or through ssh the permissions are correct, 
>but when logging in to any other computer I get "nobody" as owner.
>Are those computers RHEL7 NFS clients with SSSD?
>Can you describe them in more details please?
>
>Groups are no problem since AD groups can be mapped to Posix groups.
>
>Idmap.conf domain is set to the IPA Domain.
>
>Is there some way to get NFS working with the AD user as owner of his Home 
>Directory?
>
>Thanks for any help.
>
>
>This e-mail is private and confidential between the sender and the addressee.
>In the event of misdirection, the recipient is prohibited from using, 
>copying or disseminating it or any information in it. Please notify the above 
>if any misdirection.
>
>
>
>_______________________________________________
>Freeipa-users mailing list
>Freeipa-users@redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager IdM portfolio
>Red Hat, Inc.



--
/ Alexander Bokovoy

