On 3/7/2018 9:15 AM, Frank Filz wrote:
With the idmapd service disabled, the UID / GID for folders is still nobody.

Now Malahal mentioned that only the idmapd libraries are being used by NFS Ganesha but the service can be off. So does this imply that perhaps default values for Domain are getting pulled in including Domain being set to localdomain?

And so it never really passes the correctly set domain from /etc/idmapd.conf? Been trying to figure out where it's pulling the localdomain from when I've fully configured the host for nix.my.dom. The only trace of localdomain remains in /etc/hosts:

[root@ipaclient01 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@ipaclient01 ~]#


The domain for my virtuals is nix.my.dom. Here is the full idmapd.conf file:


[General]
Verbosity = 9
Local-Realms = NIX.MY.DOM,MY.DOM
Domain = nix.my.dom
[Mapping]
[Translation]
Method = sss,umich_ldap,nsswitch,static
GSS-Methods = sss,umich_ldap,nsswitch,static
[Static]
[UMICH_SCHEMA]
LDAP_server = idmipa01.nix.my.dom
LDAP_base = cn=users,cn=accounts,DC=NIX,DC=MY,DC=DOM
LDAP_people_base = DC=NIX,DC=MY,DC=DOM
LDAP_group_base = DC=NIX,DC=MY,DC=DOM
NFSv4_person_objectclass = posixaccount
NFSv4_name_attr = uid


However, the libraries being used without the /etc/idmapd.conf would explain why localdomain is being used instead of the defined Domain = nix.my.dom that I have in the conf file because it appears the libraries have a default value of localdomain embedded in them and it would explain why the wrong domain is being selected. ( It's the most plausible explanation I have so far to explain why UID / GID's appear as 'nobody' on the client NFS mount. )

If you can please suggest how I can have my AD UID's and GID's properly displayed on client NFS mounts off of NFS Ganesha servers, that would be awesome.

The libraries:

[root@ipaclient01 ~]# strings /lib64/libnfsidmap.so.0|grep domain
nfs4_get_default_domain
Unable to determine a default nfsv4 domain; consider specifying one in idmapd.conf
libnfsidmap: Unable to determine the NFSv4 domain; Using '%s' as the NFSv4 domain which means UIDs will be mapped to the 'Nobody-User' user defined in %s
libnfsidmap: using%s domain: %s
localdomain
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]# strings /lib64/libnfsidmap.so.0.3.0|grep domain
nfs4_get_default_domain
Unable to determine a default nfsv4 domain; consider specifying one in idmapd.conf
libnfsidmap: Unable to determine the NFSv4 domain; Using '%s' as the NFSv4 domain which means UIDs will be mapped to the 'Nobody-User' user defined in %s
libnfsidmap: using%s domain: %s
localdomain                      <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[root@ipaclient01 ~]# strings /lib64/libnfsidmap/nsswitch.so | grep domain
get_default_domain
nss_getpwnam: name '%s' domain '%s': resulting localname '%s'
nss_getpwnam: name '%s' does not map into domain '%s'
nss_getpwnam: name '%s' not found in domain '%s'
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]# strings /lib64/libnfsidmap/static.so|grep -i domain
[root@ipaclient01 ~]# strings /lib64/libnfsidmap/umich_ldap.so|grep -i domain
[root@ipaclient01 ~]#


Cheers,
Tom

On 3/6/2018 10:45 AM, Tom wrote:
> t...@my.dom is an ad user.   Nix.my.dom is a subdomain managed freeipa.

So you have two domains visible on your client? That may be causing confusion.

The client sending t...@my.dom@localdomain makes me think idmapd thinks localdomain is 
the domain to use for ids, and it doesn't recognize @my.dom, so it's treating 
"t...@my.dom" as an opaque username, and appending @localdomain to turn it into 
a fully qualified username.

Frank

Tried identical idmapd.conf files on client and server but rpcidmapd tries to
start the local copy of nfsd on the nfs Ganesha servers but that competes with
nfs-Ganesha and won’t bind on port 2049.  So I need to change the port for the
old nfs to 12049 etc to get the old nfs started so rpcidmapd can start on the
Ganesha nfs servers.  They made it a dependency.

That’s when things get messy.   I may try to uninstall the built in nfs packages
but not sure if they will also pull out the rpcidmapd ones too.

Cheers,
Tom

Sent from my iPhone

On Mar 6, 2018, at 9:00 AM, Daniel Gryniewicz <d...@redhat.com> wrote:

Based on the error messages, your client is not sending t...@nix.my.dom but
is sending t...@my.dom@localdomain.  Something is mis-configured on the
client.  Have you tried having identical (including case) idmapd.conf files on
both the client and server?

Idmap configuration has historically been very picky and hard to set up, and I'm
far from an expert on it.

Daniel

On 03/06/2018 08:24 AM, TomK wrote:
Hey Guys,
Getting below message which in turn fails to list proper UID / GID on NFSv4
mounts from within an unprivileged account. All files show up with owner and
group as nobody / nobody when viewed from the client.
Wondering if anyone saw this and what the solution could be here?
If not the right list, let me know please.
[root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e "/^$/d"
[General]
Verbosity = 7
Domain = nix.my.dom
[Mapping]
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu
[root@client01 etc]#
Mount looks like this:
nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4 (rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)
/var/log/messages
Mar  6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid value: t...@my.dom@localdomain timeout 600
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 't...@my.dom@localdomain' domain 'nix.my.dom': resulting localname '(null)'
Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 't...@my.dom@localdomain' does not map into domain 'nix.my.dom'
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is -22
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'nob...@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is 0
Mar  6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid value: t...@my.dom@localdomain timeout 600
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is -22
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is 0
Mar  6 00:17:31 client01 systemd-logind: Removed session 23.
Result of:
systemctl restart rpcidmapd
/var/log/messages
-------------------
Mar  5 23:46:12 client01 systemd: Stopping Automounts filesystems on demand...
Mar  5 23:46:13 client01 systemd: Stopped Automounts filesystems on demand.
Mar  5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping service...
Mar  5 23:48:51 client01 systemd: Starting Preprocess NFS configuration...
Mar  5 23:48:51 client01 systemd: Started Preprocess NFS configuration.
Mar  5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping service...
Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using domain: nix.my.dom
Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms list: 'NIX.MY.DOM'
Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: using domain: nix.my.dom
Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: Realms list: 'NIX.MY.DOM'
Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
Mar  5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is 600 seconds.
Mar  5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping service.
Mar  5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.nametoid/channel
Mar  5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.idtoname/channel



_______________________________________________
Nfs-ganesha-devel mailing list
Nfs-ganesha-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel

Can't remove the previous NFS utils package.  I may need to figure out a way to
work with /etc/idmapd.conf.

[root@nfs02 ~]# rpm -e nfs-utils-1.3.0-0.48.el7_4.1.x86_64
error: Failed dependencies:
          nfs-utils is needed by (installed) ipa-client-4.5.0-22.el7.centos.x86_64
          nfs-utils is needed by (installed) libvirt-daemon-driver-storage-core-3.2.0-14.el7_4.7.x86_64
          /sbin/mount.nfs is needed by (installed) resource-agents-3.9.5-105.el7_4.6.x86_64
          /sbin/mount.nfs4 is needed by (installed) resource-agents-3.9.5-105.el7_4.6.x86_64
          /sbin/rpc.statd is needed by (installed) resource-agents-3.9.5-105.el7_4.6.x86_64
          /usr/sbin/rpc.mountd is needed by (installed) resource-agents-3.9.5-105.el7_4.6.x86_64
          /usr/sbin/rpc.nfsd is needed by (installed) resource-agents-3.9.5-105.el7_4.6.x86_64
[root@nfs02 ~]# vi /etc/idmapd.conf


--
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.


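An added example, not code from any participant in this thread or from the nfs-ganesha project: a small Python check that reads Domain from idmapd.conf text and flags nfsidmap "key:" log lines whose owner string ends in a different domain, which is the condition behind the nobody mapping in the client log quoted in the thread. The function names and the user and group names in the sample input are constructed for illustration.

```python
import configparser
import re

# nfsidmap logs one "key:" line per lookup; the value is the owner string received.
KEY_RE = re.compile(r"nfsidmap\[\d+\]: key: \S+ type: (uid|gid) value: (\S+) timeout")

def configured_domain(conf_text):
    """Return Domain from the [General] section of idmapd.conf text, or None."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    return cp.get("General", "Domain", fallback=None)

def find_domain_mismatches(log_text, conf_text):
    """List lookups whose owner string does not end in the configured domain."""
    domain = configured_domain(conf_text)
    findings = []
    for kind, value in KEY_RE.findall(log_text):
        local, sep, suffix = value.rpartition("@")
        if not sep:                      # bare name, no domain at all
            local, suffix = value, ""
        if domain and suffix.lower() == domain.lower():
            continue                     # in our domain; the mapper can resolve it
        findings.append({
            "type": kind,
            "value": value,
            "sent_domain": suffix,
            "expected_domain": domain,
            # '@' left in the local part: an already-qualified name had a
            # second domain appended, the pattern seen in this thread's log.
            "double_qualified": "@" in local,
        })
    return findings

# Constructed sample input (user and group names are made up).
SAMPLE_CONF = """[General]
Verbosity = 7
Domain = nix.my.dom
[Mapping]
"""
SAMPLE_LOG = """\
Mar  6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid value: alice@my.dom@localdomain timeout 600
Mar  6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid value: staff@my.dom@localdomain timeout 600
Mar  6 00:17:28 client01 nfsidmap[14401]: key: 0x1a2b3c4d type: uid value: bob@nix.my.dom timeout 600
"""

if __name__ == "__main__":
    for finding in find_domain_mismatches(SAMPLE_LOG, SAMPLE_CONF):
        print(finding)
```

A finding with `double_qualified` set means the peer appended its own default domain to a name that was already qualified, so the Domain setting on the sending side is the place to look.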