Hi,

First I wish to thank everybody that helped me out trying to solve this issue,
and I also wish to inform that NFS 4 does not work with AD users through an AD
and IPA trust at the moment for RHEL 6 and 7.

The reason is that rpc.idmapd does not parse fully-qualified usernames,
so "adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work.
The client-side code is stripping the domain off based on the location of the
first "@" character in the value returned by the server. This results in
UID/GID mappings failing and resulting in ownership on the clients of "nobody".

Regards,
Johan
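As an added illustration (not code from nfs-utils or from anyone in this thread), the following C program models the parsing behaviour described above: the constructed name adtest@ad.example.org@IPA.EXAMPLE.ORG is split at the first '@' versus the last '@' and the domain part is checked against the local idmap domain. The split_at_last_at flag and map_name are hypothetical names, and the domain check is a simplified stand-in for libnfsidmap's Local-Realms matching, not its real logic.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Split name into user and domain at the first or last '@'.
 * Returns 1 on success, 0 if there is no '@' or a buffer is too small. */
static int split_name(const char *name, int split_at_last_at,
                      char *user, size_t ucap, char *domain, size_t dcap)
{
    const char *at = split_at_last_at ? strrchr(name, '@') : strchr(name, '@');
    if (at == NULL)
        return 0;
    size_t ulen = (size_t)(at - name);
    if (ulen + 1 > ucap || strlen(at + 1) + 1 > dcap)
        return 0;
    memcpy(user, name, ulen);
    user[ulen] = '\0';
    strcpy(domain, at + 1);
    return 1;
}

/* Simplified model of the client-side mapping (not libnfsidmap's real code):
 * the domain part must match the configured local domain (case-insensitive,
 * like Kerberos realms), otherwise the name "does not map into domain" and
 * the owner ends up as nobody. Returns 1 and writes localname, or 0. */
int map_name(const char *name, const char *local_domain, int split_at_last_at,
             char *localname, size_t cap)
{
    char user[256], domain[256];
    if (!split_name(name, split_at_last_at, user, sizeof user, domain, sizeof domain))
        return 0;
    if (strcasecmp(domain, local_domain) != 0 || strlen(user) + 1 > cap)
        return 0;
    strcpy(localname, user);
    return 1;
}

int main(void)
{
    /* Constructed name in the form the NFS server returns for a trusted AD user. */
    const char *name = "adtest@ad.example.org@IPA.EXAMPLE.ORG";
    char out[256];
    for (int last = 0; last <= 1; last++) {
        int ok = map_name(name, "IPA.EXAMPLE.ORG", last, out, sizeof out);
        printf("split at %s '@': %s\n", last ? "last" : "first",
               ok ? out : "no mapping (owner shows as nobody)");
    }
    return 0;
}
```

Splitting at the first '@' leaves "ad.example.org@IPA.EXAMPLE.ORG" as the domain, which never matches the local realm, which is exactly the mismatch that produces the "does not map into domain" message and a nobody owner; splitting at the last '@' hands "adtest@ad.example.org" to the name service, the form SSSD resolves for a trusted AD user.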

From: Dmitri Pal [d...@redhat.com]
Sent: Thursday, June 05, 2014 21:03
To: Johan Petersson; Alexander Bokovoy
Cc: Sumit Bose; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/04/2014 09:57 AM, Johan Petersson wrote:
> Yes, the message is exactly like that with commas, I double checked.
>
> To answer Sumit's question: maybe adding 'linux.home' and 'ad.home' to
> Local-Realms in idmap.conf might help?
>
> I did on all machines and got rid of that specific message but I still get
> user nobody unfortunately.
>
> Here are logs from when I did a su - adt...@ad.home@linux.home with both 
> AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
>
> Client:
> Jun  4 15:30:13 client su: (to adt...@ad.home) linux on pts/0
> Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adt...@ad.home@linux.home timeout 600
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of
the resolution?


>
> NFS Server:
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
> Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "adt...@ad.home@linux.home"
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
> Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
> Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "ad_us...@linux.home"
>
> The group ad_users is an IPA group with external maps from AD Domain users.
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: Wednesday, June 04, 2014 3:14 PM
> To: Johan Petersson
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> On Wed, 04 Jun 2014, Johan Petersson wrote:
>> Mail got posted before I was finished, sorry.
>>
>> I found one clue to the issue after increasing autofs logging to debug and,
>> as I thought, it has to do with id-mapping.
>>
>> From /var/log/messages:
>>
>> Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map into domain 'linux.home,'
> Are you sure the message is exactly like this, with a comma after linux.home?
>
> The reason I'm asking is because the code that prints the message looks like 
> this:
>
>          localname = strip_domain(name, domain);
>          IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
>                    "resulting localname '%s'\n", name, domain, localname));
>          if (localname == NULL) {
>                  IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
>                          "into domain '%s'\n", name,
>                          domain ? domain : "<not-provided>"));
>                  goto err_free_buf;
>          }
>
> Note that it doesn't have a comma anywhere in the string printed.
>
> Can you please increase the log level to 4 so that we can see the first
> string (nss_getpwnam: name '....' domain '...': resulting localname ...)? It
> would be
>
> [general]
>    Verbosity = 4
>
> in /etc/idmapd.conf
>
>
>
>>
>> From: freeipa-users-boun...@redhat.com
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
>> Sent: Wednesday, June 04, 2014 12:02 PM
>> To: d...@redhat.com; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>
>> Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.
>>
>>
>> server.ad.home = AD Server
>> share.linux.home = NFS Server
>> ipa.linux.home = IPA Server
>> client.linux.home = Client
>>
>> NFS with automounted krb5p Home Directories work for IPA users.
>>
>> sssd-1.11.2-65.el7.x86_64
>>
>> id adt...@ad.home
>> uid=497801107(adt...@ad.home)
>> gid=497801107(adt...@ad.home)
>> groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)
>>
>> getent passwd adt...@ad.home
>> adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:
>>
>> klist after kinit adt...@ad.home
>>
>> [root@client ~]# klist -e
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: adt...@ad.home
>>
>> Valid starting     Expires            Service principal
>> 06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/ad.h...@ad.home
>>          renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>
>> klist after ssh adt...@ad.home@ipa.linux.home
>>
>> klist
>> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
>> Default principal: adt...@ad.home
>>
>> Valid starting     Expires            Service principal
>> 06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.h...@linux.home
>>          renew until 06/05/14 11:28:30
>> 06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/linux.h...@ad.home
>>          renew until 06/05/14 11:28:30
>> 06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/ad.h...@ad.home
>>          renew until 06/05/14 11:28:30
>>
>> Home Directory gets mounted by autofs through sssd but user:group is both 
>> nobody.
>>
>> The Client's sssd.conf:
>>
>> [domain/linux.home]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linux.home
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = client.linux.home
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = _srv_, ipa.linux.home
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> autofs_provider = ipa
>> ipa_automount_location = default
>> subdomains_provider = ipa
>> [sssd]
>> services = nss, pam, autofs, ssh
>> config_file_version = 2
>>
>> domains = linux.home
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
>> Sent: Tuesday, June 03, 2014 6:48 PM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>
>> On 06/03/2014 09:07 AM, Johan Petersson wrote:
>> Hi,
>>
>> Environment:
>>
>> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
>> RHEL 7 NFS Server
>> RHEL 7 Client
>>
>> I have found one problem when using a NFS 4 shared Home Directory for AD
>> users logging in to IPA.
>> I have created a NFS share /home/adexample.org and use autofs map in IPA.
>> All wbinfo tests work as well as id.
>> I can login fine through SSH and Shell with adt...@adexample.org
>> The problem is that I can add the AD user as owner of his Home Directory and
>> if I log in to the NFS Server locally or through ssh permissions are correct
>> but when logging in to any other computer I get "nobody" as owner.
>>
>> Are those computers RHEL7 NFS clients with SSSD?
>> Can you describe them in more details please?
>>
>> Groups are no problem since AD groups can be mapped to Posix groups.
>>
>> Idmap.conf domain is set to the IPA Domain.
>>
>> Is there some way to get NFS working with the AD user as owner of his Home 
>> Directory?
>>
>> Thanks for any help.
>>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>
> --
> / Alexander Bokovoy


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

