Anybody have any suggestion as to how to continue debugging this? The NFS server resolves usernames by lookup in FreeIPA LDAP.

After a lot of digging, I see that 4.4 introduced "krbcanonicalname"; no idea if that is relevant. Is there some LDAP update procedure I am missing? Just in case, I ran ipa-server-upgrade, which did not resolve the issue.

Regards
Bjarne Blichfeldt

From: Bjarne Blichfeldt
Sent: 6 December 2016 14:29
To: freeipa-users@redhat.com
Subject: nfsv4+kerberos: group ID not mapped on newly created users, however user id is correct

VERSION: 4.4.0, API_VERSION: 2.213 on rhel7.

The ipa server was recently upgraded to version 4.4 from version 4.2, and it seems that we are having problems with users created after the upgrade. Of course, it could be something I forgot.

Our environment consists of an HDS NFS server, a couple of IPA servers (RHEL 7) and a lot of clients (RHEL 6). The NFS server is not part of the IdM domain, i.e. not joined, but of course has a keytab created on the IPA server. The NFS server provides common shares, mounted as krb5p on the clients. All this works fine, and the mapping is correct for all existing users. That is, if I log into a client, get a Kerberos ticket for myself and create a file on one of the shares, uid and gid are set to my uid and gid.

But if I create a new user on the IPA server and do the same, the gid on the newly created file is "nobody(99)", whereas the uid is correct. I have tested with two different users - same result. klist shows the default principal to be correct.
For user mqm (uid=1414 gid=1414), rpc.gssd shows that after finding the user credentials, for some reason there is a switch to machine credentials:

Dec 6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=1414 enctypes=18,17,16,23,3,1,2 '
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is '<null>'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: getting credentials for client with uid 1414 for server jnsa-dnt2.domaine.com
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1622800027_u0vmh1' being considered, with preferred realm 'DOMAINE.COM'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1622800027_u0vmh1' owned by 1622800027, not 1414
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1414_bVlw8x' being considered, with preferred realm 'DOMAINE.COM'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1414_bVlw8x'(m...@domaine.com) passed all checks and has mtime of 1481022999
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_machine_DOMAINE.COM' being considered, with preferred realm 'DOMAINE.COM'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_machine_DOMAINE.COM' owned by 0, not 1414
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'DOMAINE.COM'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_0' owned by 0, not 1414
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_1414_bVlw8x as credentials cache for client with uid 1414 for server jnsa-dnt2.domaine.com
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_1414_bVlw8x
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: creating context using fsuid 1414 (save_uid 0)
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: creating tcp client for server jnsa-dnt2.domaine.com
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: port already set to 2049
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: creating context with server n...@jnsa-dnt2.domaine.com
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: serialize_krb5_ctx: lucid version!
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: protocol 1
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86363
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is '*'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: Full hostname for 'jnsa-dnt2.domaine.com' is 'jnsa-dnt2.domaine.com'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: Full hostname for 'nfsclient.domaine.com' is 'nfsclient.domaine.com'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for nfsclient$@DOMAINE.COM while getting keytab entry for 'nfsclient$@DOMAINE.COM'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for nfsclient$@DOMAINE.COM while getting keytab entry for 'nfsclient$@DOMAINE.COM'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for root/nfsclient.domaine....@domaine.com while getting keytab entry for 'root/nfsclient.domaine....@domaine.com'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for nfs/nfsclient.domaine....@domaine.com while getting keytab entry for 'nfs/nfsclient.domaine....@domaine.com'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: Success getting keytab entry for 'host/nfsclient.domaine....@domaine.com'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DOMAINE.COM' are good until 1481109339
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DOMAINE.COM' are good until 1481109339
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_machine_DOMAINE.COM as credentials cache for machine creds
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DOMAINE.COM
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: creating context using fsuid 0 (save_uid 0)
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: creating tcp client for server jnsa-dnt2.domaine.com
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: port already set to 2049
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: creating context with server n...@jnsa-dnt2.domaine.com
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: serialize_krb5_ctx: lucid version!
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: protocol 1
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86303

Regards
Bjarne Blichfeldt
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
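As an added example (not from the post above or from the FreeIPA or nfs-utils projects), a small parser for rpc.gssd debug output of the kind quoted in the post: it splits the log into upcalls and records which credentials cache answered each one, so the uid=1414 upcall and the separate uid=0 service=* upcall that rpc.gssd answers from the host keytab can be compared side by side instead of being read as one sequence. The sample log lines, hostnames, realm and ccache names are constructed placeholders, and user_upcalls_answered_by_machine_creds is a hypothetical helper that flags only the case that would indicate a client-side credential problem.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the rpc.gssd -vvv format quoted in the post; hostnames,
# realm and ccache names are placeholders, not a live capture.
SAMPLE_LOG = """\
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=1414 enctypes=18,17,16,23,3,1,2 '
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is '<null>'
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_1414_abc123 as credentials cache for client with uid 1414 for server nfs1.example.com
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86363
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_machine_EXAMPLE.COM as credentials cache for machine creds
Dec 6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86303
"""

UPCALL_RE = re.compile(r"handle_gssd_upcall: '(?P<fields>[^']*)'")
CCACHE_RE = re.compile(r"using (?P<cc>FILE:\S+) as credentials cache for "
                       r"(?P<who>machine creds|client with uid \d+)")
DOWNCALL_RE = re.compile(r"doing downcall lifetime_rec (?P<life>\d+)")

@dataclass
class Upcall:
    uid: int                        # uid the kernel requested a GSS context for
    service: Optional[str]          # 'service=*' marks the machine-credential upcall
    ccache: Optional[str] = None    # ccache rpc.gssd finally selected
    machine_creds: bool = False     # True when the machine ccache answered it
    lifetime: Optional[int] = None  # lifetime_rec from the downcall, if one happened

def parse_gssd_log(text: str) -> List[Upcall]:
    """Split rpc.gssd debug output into upcalls and record what answered each one."""
    upcalls: List[Upcall] = []
    cur: Optional[Upcall] = None
    for line in text.splitlines():
        if m := UPCALL_RE.search(line):  # new upcall; following lines belong to it
            kv = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
            cur = Upcall(uid=int(kv["uid"]), service=kv.get("service"))
            upcalls.append(cur)
        elif cur and (m := CCACHE_RE.search(line)):
            cur.ccache, cur.machine_creds = m.group("cc"), m.group("who") == "machine creds"
        elif cur and (m := DOWNCALL_RE.search(line)):
            cur.lifetime = int(m.group("life"))
    return upcalls

def user_upcalls_answered_by_machine_creds(upcalls: List[Upcall]) -> List[int]:
    """uids of non-root upcalls that ended on the machine ccache. Empty means every
    user upcall was answered with that user's own ticket, as in the sample."""
    return [u.uid for u in upcalls if u.uid != 0 and u.machine_creds]
```

On the sample the helper returns an empty list: the user's upcall used the user's own ticket, and the machine ccache served only the root upcall, which points the gid-mapping investigation at the server-side identity mapping rather than at the client's Kerberos credentials.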