> -----Original Message-----
> From: David Kupka [mailto:dku...@redhat.com]
> Sent: 8. december 2016 09:40
> To: Bjarne Blichfeldt <b...@jndata.dk>; email@example.com
> Subject: Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly
> create users, however user id is correct
> On 08/12/16 08:57, Bjarne Blichfeldt wrote:
> > Anybody have any suggestion as how to continue debugging this? The nfs
> > server
> resolves usernames by loopkup in free-ipa lda.
> > After a lot of digging, I see the 4.4 introduced "krbcanonicalname", no
> > idea if that
> is relevant. Are there some update ldap procedure I am missing? Just in case
> I ran
> a ipa-server-upgrade, which did not resolve the issue.
> I'm almost sure that 'krbcanonicalname' has nothing to do with this.
> Adding krbcanonicalname attribute was done to allow principal aliases
> kerberos principals for one user/host/service), see  for details.
> Unfortunately, I don't know what's wrong. SSSD is taking care of resolving
> and groups on enrolled systems. "id mgm" should output something like
> "id=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works properly.
>  http://www.freeipa.org/page/V4/Kerberos_principal_aliases
> David Kupka
Thank you for that info. That led me somewhat further by increasing the debug
on sssd which led me to :
Dec 8 10:42:48 client nfsidmap: key: 0xae72f5 type: uid value:
m...@realm.com timeout 600
Dec 8 10:42:48 client nfsidmap: nfs4_name_to_uid: calling
Dec 8 10:42:48 client nfsidmap: nss_getpwnam: name 'm...@realm.com'
domain 'REALM.COM': resulting localname 'mqm2'
Dec 8 10:42:48 client nfsidmap: nfs4_name_to_uid: nsswitch->name_to_uid
Dec 8 10:42:48 client nfsidmap: nfs4_name_to_uid: final return value is 0
Dec 8 10:42:48 client nfsidmap: key: 0xf56593 type: gid value: Null
Dec 8 10:42:48 client nfsidmap: nfs4_name_to_gid: calling
Dec 8 10:42:48 client nfsidmap: nfs4_name_to_gid: nsswitch->name_to_gid
Dec 8 10:42:48 client nfsidmap: nfs4_name_to_gid: final return value is
-22Seems nfsidmap is not called with a gid value.
It seems nfsidmap is not called with a proper gid.
hm, the saga continues...
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project