On Thu, Jun 26, 2014 at 09:04:41PM +0000, Johan Petersson wrote:
> Hi,
>
> First I wish to thank everybody that helped me out trying to solve this issue
> and I also wish to inform that NFS 4 does not work with AD users through an
> AD and IPA trust at the moment for RHEL 6 and 7.
>
> The reason is that rpc.idmapd does not parse fully-qualified usernames
> so "[email protected]@IPA.EXAMPLE.ORG" does not work.
> The client-side code is stripping the domain off based on the location of
> the first "@" character in the value returned by the server. This results in
> UID/GID mappings failing and resulting in ownership on the clients of
> "nobody".
Thank you for the feedback. FYI there is a rpc.idmapd plugin for SSSD
(https://fedorahosted.org/sssd/wiki/DesignDocs/rpc.idmapd%20plugin) currently
under review
(https://lists.fedorahosted.org/pipermail/sssd-devel/2014-June/020384.html).
I'll try to find some time early next week to test if this will help with
your use-case.

bye,
Sumit

>
> Regards,
> Johan
>
> From: Dmitri Pal [[email protected]]
> Sent: Thursday, June 05, 2014 21:03
> To: Johan Petersson; Alexander Bokovoy
> Cc: Sumit Bose; [email protected]
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> On 06/04/2014 09:57 AM, Johan Petersson wrote:
> > Yes the message is exactly like that with commas, I double checked.
> >
> > To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to
> > Local-Realms in idmap.conf might help?
> >
> > I did on all machines and got rid of that specific message but I still get
> > user nobody unfortunately.
> >
> > Here are logs from when I did a su - [email protected]@linux.home with both
> > AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
> >
> > Client:
> > Jun 4 15:30:13 client su: (to [email protected]) linux on pts/0
> > Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: [email protected]@linux.home timeout 600
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0
>
> Do we have a corresponding SSSD trace that shows the actual process of
> the resolution?
> >
> >
> > NFS Server:
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
> > Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "[email protected]@linux.home"
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
> > Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "[email protected]"
> >
> > The group ad_users is an IPA group with external maps from AD Domain users.
> >
> > -----Original Message-----
> > From: Alexander Bokovoy [mailto:[email protected]]
> > Sent: Wednesday, June 04, 2014 3:14 PM
> > To: Johan Petersson
> > Cc: [email protected]; [email protected]
> > Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >
> > On Wed, 04 Jun 2014, Johan Petersson wrote:
> >> Mail got posted before I was finished, sorry.
> >>
> >> I found one clue to the issue after increasing autofs logging to debug and
> >> as I thought it has to do with id-mapping.
> >>
> >> From /var/log/messages:
> >>
> >> Nfsidmap[1696]: nss_getpwnam: name '[email protected]@linux.home,' does not
> >> map into domain 'linux.home,'
> > Are you sure the message is exactly like this, with a comma after
> > linux.home?
> >
> > The reason I'm asking is because the code that prints the message looks
> > like this:
> >
> >     localname = strip_domain(name, domain);
> >     IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
> >               "resulting localname '%s'\n", name, domain, localname));
> >     if (localname == NULL) {
> >         IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
> >                   "into domain '%s'\n", name,
> >                   domain ? domain : "<not-provided>"));
> >         goto err_free_buf;
> >     }
> >
> > note that it doesn't have comma anywhere in the string printed.
> >
> > Can you please increase the log level to 4 so that we can see the first
> > string (nss_getpwnam: name '....' domain '...': resulting localname ...)?
> > it would be
> >
> > [general]
> > Verbosity = 4
> >
> > in /etc/idmapd.conf
> >
> >
> >
> >> From: [email protected] [mailto:[email protected]] On Behalf Of Johan Petersson
> >> Sent: Wednesday, June 04, 2014 12:02 PM
> >> To: [email protected]; [email protected]
> >> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >>
> >> Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.
> >>
> >> server.ad.home = AD Server
> >> share.linux.home = NFS Server
> >> ipa.linux.home = IPA Server
> >> client.linux.home = Client
> >>
> >> NFS with automounted krb5p Home Directories works for IPA users.
> >>
> >> sssd-1.11.2-65.el7.x86_64
> >>
> >> id [email protected]
> >> uid=497801107([email protected]) gid=497801107([email protected]) groups=497801107([email protected]),497800513(domain [email protected])
> >>
> >> getent passwd [email protected]
> >> [email protected]:*:497801107:497801107::/home/ad.home/adtest:
> >>
> >> klist after kinit [email protected]
> >>
> >> [root@client ~]# klist -e
> >> Ticket cache: KEYRING:persistent:0:0
> >> Default principal: [email protected]
> >>
> >> Valid starting       Expires              Service principal
> >> 06/04/14 11:28:35    06/04/14 21:28:35    krbtgt/[email protected]
> >>         renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> >>
> >> klist after ssh [email protected]@ipa.linux.home
> >>
> >> klist
> >> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
> >> Default principal: [email protected]
> >>
> >> Valid starting       Expires              Service principal
> >> 06/04/14 11:35:16    06/04/14 21:35:16    nfs/[email protected]
> >>         renew until 06/05/14 11:28:30
> >> 06/04/14 11:35:16    06/04/14 21:35:16    krbtgt/[email protected]
> >>         renew until 06/05/14 11:28:30
> >> 06/04/14 11:28:35    06/04/14 21:35:16    krbtgt/[email protected]
> >>         renew until 06/05/14 11:28:30
> >>
> >> Home Directory gets mounted by autofs through sssd but user:group is both
> >> nobody.
> >>
> >> The Client's sssd.conf:
> >>
> >> [domain/linux.home]
> >>
> >> cache_credentials = True
> >> krb5_store_password_if_offline = True
> >> ipa_domain = linux.home
> >> id_provider = ipa
> >> auth_provider = ipa
> >> access_provider = ipa
> >> ipa_hostname = client.linux.home
> >> chpass_provider = ipa
> >> ipa_dyndns_update = True
> >> ipa_server = _srv_, ipa.linux.home
> >> ldap_tls_cacert = /etc/ipa/ca.crt
> >> autofs_provider = ipa
> >> ipa_automount_location = default
> >> subdomains_provider = ipa
> >> [sssd]
> >> services = nss, pam, autofs, ssh
> >> config_file_version = 2
> >>
> >> domains = linux.home
> >> [nss]
> >>
> >> [pam]
> >>
> >> [sudo]
> >>
> >> [autofs]
> >>
> >> [ssh]
> >>
> >> [pac]
> >>
> >>
> >> From: [email protected] [mailto:[email protected]] On Behalf Of Dmitri Pal
> >> Sent: Tuesday, June 03, 2014 6:48 PM
> >> To: [email protected]
> >> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >>
> >> On 06/03/2014 09:07 AM, Johan Petersson wrote:
> >> Hi,
> >>
> >> Environment:
> >>
> >> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
> >> RHEL 7 NFS Server
> >> RHEL 7 Client
> >>
> >> I have found one problem when using a NFS 4 shared Home Directory for AD
> >> users logging in to IPA.
> >> I have created a NFS share /home/adexample.org and use autofs map in IPA.
> >> All wbinfo tests work, as well as id.
> >> I can login fine through SSH and Shell with [email protected]
> >> The problem is that I can add the AD user as owner of his Home Directory
> >> and if I log in to the NFS Server locally or through ssh permissions are
> >> correct but when logging in to any other computer I get "nobody" as owner.
> >> Are those computers RHEL7 NFS clients with SSSD?
> >> Can you describe them in more details please?
> >>
> >> Groups are no problem since AD groups can be mapped to Posix groups.
> >>
> >> Idmap.conf domain is set to the IPA Domain.
> >>
> >> Is there some way to get NFS working with the AD user as owner of his Home
> >> Directory?
> >>
> >> Thanks for any help.
> >>
> >>
> >> This e-mail is private and confidential between the sender and the
> >> addressee.
> >> In the event of misdirection, the recipient is prohibited from using,
> >> copying or disseminating it or any information in it. Please notify the
> >> above if any misdirection.
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> [email protected]
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >> --
> >> Thank you,
> >> Dmitri Pal
> >>
> >> Sr. Engineering Manager IdM portfolio
> >> Red Hat, Inc.
> >
> > --
> > / Alexander Bokovoy
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
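The failure Johan describes, where the NFSv4 client strips the domain at the first "@" and so rejects a trusted-domain owner name of the form user@AD.REALM@IPA.REALM, is easy to reproduce in isolation. The C below is an added illustration written for this page; it is not code from nfs-utils, SSSD or the rpc.idmapd plugin mentioned above, and the two `strip_domain_*` functions, the `domain_equal` and `copy_prefix` helpers and the sample names (modelled on the thread's `adtest`, `ad.home` and `linux.home`) are all constructed for the example. It puts the first-"@" behaviour next to a suffix-matching variant that keeps `user@AD.REALM` as the local name handed to NSS, which is the form `id` and `getent` already resolve through SSSD in the output Johan posted. Any name for which the function returns NULL is what ends up displayed as `nobody` on the client.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive equality for NFSv4 domain strings (domains are not
 * case-sensitive); written locally so the example stays within ISO C. */
static int domain_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Copy the first n bytes of s into a fresh NUL-terminated buffer. */
static char *copy_prefix(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* Behaviour described in the thread (illustration, not nfs-utils' real
 * strip_domain()): split at the FIRST '@' and accept the name only when
 * everything after that '@' equals the local domain. Returns a malloc'd
 * local name, or NULL when the name "does not map into domain". */
char *strip_domain_first_at(const char *name, const char *domain)
{
    const char *at = strchr(name, '@');
    if (at == NULL || at == name)
        return NULL;
    if (!domain_equal(at + 1, domain))
        return NULL;
    return copy_prefix(name, (size_t)(at - name));
}

/* Suffix-aware variant: require the name to END with "@<domain>" and keep
 * everything before that trailing '@'. A trusted-domain user written as
 * user@AD.REALM@IPA.REALM therefore yields "user@AD.REALM", the spelling
 * that NSS/SSSD can resolve. Same return convention as above. */
char *strip_domain_suffix(const char *name, const char *domain)
{
    size_t nlen = strlen(name);
    size_t dlen = strlen(domain);
    if (nlen < dlen + 2)              /* need at least "x@" + domain */
        return NULL;
    const char *at = name + (nlen - dlen - 1);
    if (*at != '@' || !domain_equal(at + 1, domain))
        return NULL;
    return copy_prefix(name, (size_t)(at - name));
}

int main(void)
{
    /* Constructed sample owner strings as a server in linux.home would
     * return them; the client's idmapd domain is linux.home. */
    const char *names[] = {
        "ipauser@linux.home",        /* plain IPA user */
        "adtest@ad.home@linux.home", /* AD user via the trust */
        "adtest@ad.home",            /* foreign domain, no local suffix */
    };
    const char *domain = "linux.home";

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        char *first = strip_domain_first_at(names[i], domain);
        char *suffix = strip_domain_suffix(names[i], domain);
        printf("%-28s first-'@': %-16s suffix: %s\n", names[i],
               first ? first : "(nobody)", suffix ? suffix : "(nobody)");
        free(first);
        free(suffix);
    }
    return 0;
}
```

Running it shows the two variants agreeing on the plain IPA user and on the foreign-domain name, and disagreeing only on the two-"@" form, which is exactly the case that surfaces as the `nss_getpwnam: name '...' does not map into domain` message at Verbosity 4 and as `nobody` ownership on the mount.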
