> -----Original Message-----
> From: David Kupka [mailto:dku...@redhat.com]
> Sent: 8. december 2016 09:40
> To: Bjarne Blichfeldt <b...@jndata.dk>; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly
> create users, however user id is correct
>
> On 08/12/16 08:57, Bjarne Blichfeldt wrote:
> > Anybody have any suggestion as how to continue debugging this? The nfs
> > server resolves usernames by lookup in free-ipa lda.
> >
> > After a lot of digging, I see the 4.4 introduced "krbcanonicalname", no
> > idea if that is relevant. Are there some update ldap procedure I am
> > missing? Just in case I ran a ipa-server-upgrade, which did not resolve
> > the issue.
> >
> > :snip
> >
>
> Hello,
> I'm almost sure that 'krbcanonicalname' has nothing to do with this.
> Adding krbcanonicalname attribute was done to allow principal aliases
> (multiple kerberos principals for one user/host/service), see [1] for
> details.
>
> Unfortunately, I don't know what's wrong. SSSD is taking care of resolving
> users and groups on enrolled systems. "id mgm" should output something like
> "id=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works properly.
>
> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
>
> --
> David Kupka

Thank you for that info. That led me somewhat further by increasing the debug on sssd which led me to:

Dec 8 10:42:48 client nfsidmap[6663]: key: 0xae72f5 type: uid value: m...@realm.com timeout 600
Dec 8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Dec 8 10:42:48 client nfsidmap[6663]: nss_getpwnam: name 'm...@realm.com' domain 'REALM.COM': resulting localname 'mqm2'
Dec 8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Dec 8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: final return value is 0
Dec 8 10:42:48 client nfsidmap[6665]: key: 0xf56593 type: gid value: Null timeout 600
                                                                  ^^^^^^^^^
Dec 8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Dec 8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Dec 8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: final return value is -22

Seems nfsidmap is not called with a gid value.
It seems nfsidmap is not called with a proper gid.

hm, the saga continues...

--
Regards
Bjarne Blichfeldt.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
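
Added example, not part of the thread and not code from nfs-utils or FreeIPA: a Python script that groups nfsidmap debug lines like the ones quoted above by PID and reports every upcall whose final return value is non-zero, decoding -22 as the errno name. The function names and the one-PID-per-upcall grouping are assumptions of this example; the sample lines are copied from the message above.

```python
import errno
import re

# Log lines copied from the message above (the address is obfuscated as posted).
SAMPLE_LOG = """\
Dec 8 10:42:48 client nfsidmap[6663]: key: 0xae72f5 type: uid value: m...@realm.com timeout 600
Dec 8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Dec 8 10:42:48 client nfsidmap[6663]: nss_getpwnam: name 'm...@realm.com' domain 'REALM.COM': resulting localname 'mqm2'
Dec 8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Dec 8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: final return value is 0
Dec 8 10:42:48 client nfsidmap[6665]: key: 0xf56593 type: gid value: Null timeout 600
Dec 8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Dec 8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Dec 8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: final return value is -22
"""

ENTRY = re.compile(r"nfsidmap\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KEY = re.compile(r"key: \S+ type: (?P<type>\S+) value: (?P<value>.*?) timeout \d+")
FINAL = re.compile(r"nfs4_name_to_(?:uid|gid): final return value is (?P<rc>-?\d+)")

def idmap_requests(lines):
    """Group nfsidmap debug lines into one record per upcall."""
    requests = {}
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue  # not an nfsidmap line
        pid = int(entry["pid"])
        # Assumption: each upcall runs in its own nfsidmap process, so PID identifies it.
        rec = requests.setdefault(pid, {"pid": pid, "type": None, "value": None, "rc": None})
        if m := KEY.search(entry["msg"]):
            rec["type"], rec["value"] = m["type"], m["value"].strip()
        elif m := FINAL.search(entry["msg"]):
            rec["rc"] = int(m["rc"])
    return list(requests.values())

def failed_requests(lines):
    """Return upcalls that ended with a non-zero result, with the errno name added."""
    failed = []
    for rec in idmap_requests(lines):
        if rec["rc"] not in (0, None):
            rec["errno"] = errno.errorcode.get(-rec["rc"], "unknown")
            failed.append(rec)
    return failed

if __name__ == "__main__":
    for rec in failed_requests(SAMPLE_LOG.splitlines()):
        print(f"pid {rec['pid']}: {rec['type']} lookup for {rec['value']!r} "
              f"failed with {rec['rc']} ({rec['errno']})")
```

On the sample lines it reports only the gid upcall from PID 6665, whose value is "Null" and whose result is -22 (EINVAL).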