On (08/12/16 10:24), Bjarne Blichfeldt wrote:
>> -----Original Message-----
>> From: David Kupka [mailto:dku...@redhat.com]
>> Sent: 8. december 2016 09:40
>> To: Bjarne Blichfeldt <b...@jndata.dk>; email@example.com
>> Subject: Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly
>> create users, however user id is correct
>> On 08/12/16 08:57, Bjarne Blichfeldt wrote:
>> > Anybody have any suggestion as to how to continue debugging this? The nfs server
>> > resolves usernames by lookup in free-ipa ldap.
>> > After a lot of digging, I see that 4.4 introduced "krbcanonicalname", no idea if that
>> > is relevant. Is there some update ldap procedure I am missing? Just in case I ran
>> > an ipa-server-upgrade, which did not resolve the issue.
>> I'm almost sure that 'krbcanonicalname' has nothing to do with this.
>> Adding krbcanonicalname attribute was done to allow principal aliases
>> kerberos principals for one user/host/service), see  for details.
>> Unfortunately, I don't know what's wrong. SSSD is taking care of resolving
>> and groups on enrolled systems. "id mgm" should output something like
>> "id=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works properly.
>>  http://www.freeipa.org/page/V4/Kerberos_principal_aliases
>> David Kupka
>Thank you for that info. That led me somewhat further by increasing the debug
>on sssd which led me to:
>Dec 8 10:42:48 client nfsidmap: key: 0xae72f5 type: uid value: m...@realm.com timeout 600
>Dec 8 10:42:48 client nfsidmap: nfs4_name_to_uid: calling
>Dec 8 10:42:48 client nfsidmap: nss_getpwnam: name 'm...@realm.com' domain 'REALM.COM': resulting localname 'mqm2'
>Dec 8 10:42:48 client nfsidmap: nfs4_name_to_uid: nsswitch->name_to_uid
>Dec 8 10:42:48 client nfsidmap: nfs4_name_to_uid: final return value is 0
>Dec 8 10:42:48 client nfsidmap: key: 0xf56593 type: gid value: Null
>Dec 8 10:42:48 client nfsidmap: nfs4_name_to_gid: calling
>Dec 8 10:42:48 client nfsidmap: nfs4_name_to_gid: nsswitch->name_to_gid
>Dec 8 10:42:48 client nfsidmap: nfs4_name_to_gid: final return value is -22
>Seems nfsidmap is not called with a gid value.
>It seems nfsidmap is not called with a proper gid.
>hm, the saga continues...
You might want to use the sss nfsidmap plugin.
* set method in /etc/idmap.conf to sss
* restart nfsidmapd
BTW, in Fedora and sssd-1.14+ it is part of the recommended
package sssd-nfs-idmap (weak dependency);
older versions and other distributions might have packages in sssd-common.
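
Added example, not part of the original thread: a small Python check that pairs each nfsidmap request in a debug log with its final return value and reports the ones that failed, such as the gid lookup that returned -22 (EINVAL) in the log quoted above. The sample log is constructed from the lines quoted in the thread with a made-up principal, and the pairing assumes the lines of one request are logged contiguously.

```python
import errno
import re

# Constructed sample modelled on the nfsidmap debug lines quoted in the thread
# (host name, key ids and principal are made up for illustration).
SAMPLE_LOG = """\
Dec 8 10:42:48 client nfsidmap: key: 0xae72f5 type: uid value: alice@example.com timeout 600
Dec 8 10:42:48 client nfsidmap: nfs4_name_to_uid: final return value is 0
Dec 8 10:42:48 client nfsidmap: key: 0xf56593 type: gid value: Null
Dec 8 10:42:48 client nfsidmap: nfs4_name_to_gid: final return value is -22
"""

# Request line: which key the kernel asked nfsidmap to resolve.
KEY_RE = re.compile(
    r"nfsidmap: key: (?P<key>0x[0-9a-fA-F]+) type: (?P<type>\w+) value: (?P<value>\S+)"
)
# Result line: the return code of the nfs4_* mapping call.
RESULT_RE = re.compile(r"nfsidmap: nfs4_\w+: final return value is (?P<rc>-?\d+)")


def failed_mappings(log_text):
    """Pair each nfsidmap request with its result and return the failed ones.

    Assumption: the lines belonging to one request are contiguous, because
    the log format shown in the thread carries no PID to correlate on.
    """
    failures = []
    pending = None
    for line in log_text.splitlines():
        request = KEY_RE.search(line)
        if request:
            pending = request.groupdict()
            continue
        result = RESULT_RE.search(line)
        if result and pending is not None:
            rc = int(result.group("rc"))
            if rc != 0:
                # Non-zero results are negative errno values, e.g. -22 -> EINVAL.
                pending["rc"] = rc
                pending["errno"] = errno.errorcode.get(-rc, "unknown")
                failures.append(pending)
            pending = None
    return failures


if __name__ == "__main__":
    for f in failed_mappings(SAMPLE_LOG):
        print(f"{f['type']} lookup for {f['value']!r} failed: {f['rc']} ({f['errno']})")
```

A gid request whose value is `Null` and whose result is EINVAL means the client never received a usable group name to map, which is a different failure from a name that was received but could not be resolved.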