Yes the message is exactly like that with commas, I double checked. To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help?

I did on all machines and got rid of that specific message but I still get user nobody unfortunately. Here are logs from when I did a su - [email protected]@linux.home with both AD.HOME and LINUX.HOME added to Local-Realms in idmap.conf.

Client:

Jun 4 15:30:13 client su: (to [email protected]) linux on pts/0
Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: [email protected]@linux.home timeout 600
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

NFS Server:

Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "[email protected]@linux.home"
Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "[email protected]"

The group ad_users is an IPA group with external maps from AD Domain users.
-----Original Message-----
From: Alexander Bokovoy [mailto:[email protected]]
Sent: Wednesday, June 04, 2014 3:14 PM
To: Johan Petersson
Cc: [email protected]; [email protected]
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On Wed, 04 Jun 2014, Johan Petersson wrote:
>Mail got posted before I was finished sorry.
>
>I found one clue to the issue after increasing autofs logging to debug and as
>i thought it has to do with id-mapping.
>
>From /var/log/messages:
>
>Nfsidmap[1696]: nss_getpwnam: name '[email protected]@linux.home,' does not map
>into domain 'linux.home,'
Are you sure the message is exactly like this, with a comma after
linux.home? The reason I'm asking is because the code that prints the
message looks like this:

    localname = strip_domain(name, domain);
    IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
                  "resulting localname '%s'\n", name, domain, localname));
    if (localname == NULL) {
        IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
                      "into domain '%s'\n", name,
                      domain ? domain : "<not-provided>"));
        goto err_free_buf;
    }

note that it doesn't have a comma anywhere in the string printed.

Can you please increase the log level to 4 so that we can see the first
string (nss_getpwnam: name '....' domain '...': resulting localname ...)?
It would be

    [general]
    Verbosity = 4

in /etc/idmapd.conf

>
>
>From: [email protected] [mailto:[email protected]] On Behalf Of Johan Petersson
>Sent: Wednesday, June 04, 2014 12:02 PM
>To: [email protected]; [email protected]
>Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
>Yes Client is default RHEL 7 and both IPA and NFS Server is as well.
>
>
>server.ad.home = AD Server
>share.linux.home = NFS Server
>ipa.linux.home = IPA Server
>client.linux.home = Client
>
>NFS with automounted krb5p Home Directories work for IPA users.
>
>sssd-1.11.2-65.el7.x86_64
>
>id [email protected]
>uid=497801107([email protected])
>gid=497801107([email protected])
>groups=497801107([email protected]),497800513(domain [email protected])
>
>getent passwd [email protected]
>[email protected]:*:497801107:497801107::/home/ad.home/adtest:
>
>klist after kinit [email protected]
>
>[root@client ~]# klist -e
>Ticket cache: KEYRING:persistent:0:0
>Default principal: [email protected]
>
>Valid starting       Expires              Service principal
>06/04/14 11:28:35    06/04/14 21:28:35    krbtgt/[email protected]
>        renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>klist after ssh [email protected]@ipa.linux.home
>
>klist
>Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
>Default principal: [email protected]
>
>Valid starting       Expires              Service principal
>06/04/14 11:35:16    06/04/14 21:35:16    nfs/[email protected]
>        renew until 06/05/14 11:28:30
>06/04/14 11:35:16    06/04/14 21:35:16    krbtgt/[email protected]
>        renew until 06/05/14 11:28:30
>06/04/14 11:28:35    06/04/14 21:35:16    krbtgt/[email protected]
>        renew until 06/05/14 11:28:30
>
>Home Directory gets mounted by autofs through sssd but user:group is both
>nobody.
>
>The Client's sssd.conf:
>
>[domain/linux.home]
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = linux.home
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = client.linux.home
>chpass_provider = ipa
>ipa_dyndns_update = True
>ipa_server = _srv_, ipa.linux.home
>ldap_tls_cacert = /etc/ipa/ca.crt
>autofs_provider = ipa
>ipa_automount_location = default
>subdomains_provider = ipa
>[sssd]
>services = nss, pam, autofs, ssh
>config_file_version = 2
>
>domains = linux.home
>[nss]
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>
>From: [email protected] [mailto:[email protected]] On Behalf Of Dmitri Pal
>Sent: Tuesday, June 03, 2014 6:48 PM
>To: [email protected]
>Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
>On 06/03/2014 09:07 AM, Johan Petersson wrote:
>Hi,
>
>Environment:
>
>RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
>RHEL 7 NFS Server
>RHEL 7 Client
>
>I have found one problem when using a NFS 4 shared Home Directory for AD users
>logging in to IPA.
>I have created a NFS share /home/adexample.org and use autofs map in IPA.
>All wbinfo tests work as well as id.
>I can login fine through SSH and Shell with [email protected]
>The problem is that I can add the AD user as owner of his Home Directory and
>if I log in to the NFS Server locally or through ssh permissions are correct
>but when logging in to any other computer I get "nobody" as owner.
>Are those computers RHEL7 NFS clients with SSSD?
>Can you describe them in more detail please?
>
>Groups are no problem since AD groups can be mapped to Posix groups.
>
>Idmap.conf domain is set to the IPA Domain.
>
>Is there some way to get NFS working with the AD user as owner of his Home
>Directory?
>
>Thanks for any help.
>
>
>This e-mail is private and confidential between the sender and the addressee.
>In the event of misdirection, the recipient is prohibited from using,
>copying or disseminating it or any information in it. Please notify the above
>if any misdirection.
>
>
>_______________________________________________
>Freeipa-users mailing list
>[email protected]
>https://www.redhat.com/mailman/listinfo/freeipa-users
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager IdM portfolio
>Red Hat, Inc.

--
/ Alexander Bokovoy
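Added example (the editor's, not code from nfs-utils, FreeIPA or anyone in this thread): a Python model of the owner-string stripping that Alexander's quoted C snippet performs, the reverse mapping the server log shows (uid -> "user@realm@Domain"), and a helper that pulls failed nsswitch calls out of idmapd/nfsidmap debug output in the format posted above. Everything in it is constructed test data: the passwd table, the user name aduser@ad.home and the log lines. The "split at the last '@', compare the suffix case-insensitively with Domain" rule is my reading of nfs-utils' strip_domain(), so check it against your installed nfs-utils source; Local-Realms is deliberately not modelled. It shows why user@ad.home@linux.home round-trips with Domain = linux.home while the same string with a stray trailing comma lands on nobody.

```python
#!/usr/bin/env python3
"""Model of NFSv4 idmapping name handling (added example, not nfs-utils code).

Assumptions (mine, not the list thread's):
  * strip_domain() splits at the LAST '@' and compares the suffix with the
    configured Domain case-insensitively; no match -> failure, which is the
    "nss_getpwnam: name '...' does not map into domain '...'" message.
  * uid_to_name() appends "@<Domain>" to whatever NSS returns as pw_name.
  * Only the Domain setting is modelled; Local-Realms is not.
"""
import errno
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for what NSS (sssd behind an IPA/AD trust) returns.
FAKE_PASSWD: Dict[str, int] = {
    "aduser@ad.home": 497801107,   # AD user seen through the trust
    "ipauser": 1120000001,         # plain IPA user
}
NOBODY_UID = 65534                 # what the kernel falls back to


def strip_domain(name: str, domain: Optional[str]) -> Optional[str]:
    """Return the local part of an NFSv4 owner string, or None when the
    domain suffix does not match `domain` (mirrors the quoted C logic)."""
    at = name.rfind("@")
    if at < 0:
        # No '@' at all: acceptable only when no Domain is configured.
        return None if domain else name
    if domain is not None and name[at + 1:].casefold() != domain.casefold():
        return None
    return name[:at]


def name_to_uid(name: str, domain: str, passwd=FAKE_PASSWD) -> int:
    """Client side: owner string -> uid, falling back to nobody on failure."""
    local = strip_domain(name, domain)
    if local is None:
        return NOBODY_UID          # the "does not map into domain" case
    return passwd.get(local, NOBODY_UID)


def uid_to_name(uid: int, domain: str, passwd=FAKE_PASSWD) -> Optional[str]:
    """Server side: uid -> on-the-wire owner string "pw_name@Domain"."""
    for pw_name, pw_uid in passwd.items():
        if pw_uid == uid:
            return f"{pw_name}@{domain}"
    return None


LOG_RE = re.compile(r"(nfs4_\w+): nsswitch->(\w+) returned (-?\d+)")


def triage_idmap_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Pick the failed nsswitch calls out of idmapd/nfsidmap debug lines
    and name the errno (e.g. -22 -> EINVAL)."""
    failures = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group(3)) != 0:
            code = -int(m.group(3))
            failures.append((m.group(1), m.group(2),
                             errno.errorcode.get(code, str(code))))
    return failures


# Constructed log lines in the posted format (not the thread's real ones).
SAMPLE_LOG = [
    "Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid",
    "Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22",
    "Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0",
]

if __name__ == "__main__":
    wire = uid_to_name(497801107, "linux.home")
    print(wire, "->", name_to_uid(wire, "linux.home"))
    print(name_to_uid("aduser@ad.home@linux.home,", "linux.home"))  # stray comma -> 65534
    print(triage_idmap_log(SAMPLE_LOG))
```

Two things worth checking on a real system that this model makes visible: the Domain comparison is on the whole suffix after the last '@', so any trailing junk (the comma in the logged message) or a different domain on the server and client breaks the round trip, and a nonzero "nsswitch->... returned" value in the debug log is the errno that decides nobody before the kernel ever sees a uid.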
