Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
On Mon, Oct 24, 2016 at 11:29:06AM -0400, William Muriithi wrote:
> Morning Jakub,
>
> >> However, I would like to tune this configuration to drop the domain
> >> component of the user and group names. I tried to do this by adding
> >> these settings to the [sssd] section in sssd.conf on the client:
> >>
> >> default_domain_suffix = example.au
> >> full_name_format = %1$s
> >>
> >> With this configuration, I can login as a staff domain user (example.au)
> >> successfully and I then see the short-name form of the groups:
> >>
> >> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
> >> [rnst@ipa-client-rh7 ~]$ groups
> >> rnst
> >>
> >> Is this expected behaviour? Is there a possible client configuration that
> >> will support our AD forest setup or is this simply not possible?
> >
> > What you did is quite correct, but unfortunately works only with
> > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
>
> Does one need sssd-1.14 on the IPA server only or is this required on
> all the IPA clients too?

I haven't tested since I was working in this area, but I believe the clients as well.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
Morning Jakub,

>> However, I would like to tune this configuration to drop the domain
>> component of the user and group names. I tried to do this by adding
>> these settings to the [sssd] section in sssd.conf on the client:
>>
>> default_domain_suffix = example.au
>> full_name_format = %1$s
>>
>> With this configuration, I can login as a staff domain user (example.au)
>> successfully and I then see the short-name form of the groups:
>>
>> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
>> [rnst@ipa-client-rh7 ~]$ groups
>> rnst
>>
>> Is this expected behaviour? Is there a possible client configuration that
>> will support our AD forest setup or is this simply not possible?
>
> What you did is quite correct, but unfortunately works only with
> RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

Does one need sssd-1.14 on the IPA server only or is this required on
all the IPA clients too?

Regards,
William
Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
On Fri, Oct 21, 2016 at 04:07:16PM +1100, Robert Sturrock wrote:
> > On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> > […]
> > > However, when I try logging in as a student domain user
> > > (student.example.au),
> > > I don't see any of the groups (there should be 8):
> > >
> > > $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
> > > [rnst@ipa-client-rh7 ~]$ groups
> > > rnst
> > >
> > > Is this expected behaviour? Is there a possible client configuration that
> > > will support our AD forest setup or is this simply not possible?
> >
> > What you did is quite correct, but unfortunately works only with
> > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
>
> I tried the same configuration on FC24, which has sssd-1.14.1-3, but it
> didn't work for the student domain either:
>
> $ ssh -l r...@student.example.au ipa-client-fc24.ipa.example.au
> -sh-4.3$ groups
> rnst
>
> Is the version shipping with RHEL7.3 likely to be different?

No, it's pretty much the same.

Can you take a look at the logs and create a dump of the ldb cache, please?
See: https://fedorahosted.org/sssd/wiki/Troubleshooting
Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
> On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> […]
> > However, when I try logging in as a student domain user
> > (student.example.au),
> > I don't see any of the groups (there should be 8):
> >
> > $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
> > [rnst@ipa-client-rh7 ~]$ groups
> > rnst
> >
> > Is this expected behaviour? Is there a possible client configuration that
> > will support our AD forest setup or is this simply not possible?
>
> What you did is quite correct, but unfortunately works only with
> RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

I tried the same configuration on FC24, which has sssd-1.14.1-3, but it
didn't work for the student domain either:

$ ssh -l r...@student.example.au ipa-client-fc24.ipa.example.au
-sh-4.3$ groups
rnst

Is the version shipping with RHEL7.3 likely to be different?

Regards,
Robert.
Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain
Thanks for the clarification.

Regards

2016-10-20 14:23 GMT-04:00 Alexander Bokovoy:
> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hi Alexander,
>> I do believe it is a DNS problem, the commands failing are
>>
>> host -t srv _ldap._tcp.ad_domain
>> or
>> dig SRV _ldap._tcp.ad_domain
>>
>> after checking the logs I see this error
>> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>>
>> so I disabled the dnssec validation on IPA and it works as expected, I will
>> setup dnssec on the windows side and enable dns validation once more on
>> IPA to see if I can get the same outcome.
>>
> When you use DNSSEC validation, your DNS infrastructure should all be
> using DNSSEC. This does not depend on whether you are deploying trust to
> AD or not.
>
> In fact, when installing FreeIPA server, you have the option to disable
> DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
> option exists in ipa-dns-install.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain
On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
> Hi Alexander,
> I do believe it is a DNS problem, the commands failing are
>
> host -t srv _ldap._tcp.ad_domain
> or
> dig SRV _ldap._tcp.ad_domain
>
> after checking the logs I see this error
> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>
> so I disabled the dnssec validation on IPA and it works as expected, I will
> setup dnssec on the windows side and enable dns validation once more on IPA
> to see if I can get the same outcome.

When you use DNSSEC validation, your DNS infrastructure should all be
using DNSSEC. This does not depend on whether you are deploying trust to
AD or not.

In fact, when installing FreeIPA server, you have the option to disable
DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
option exists in ipa-dns-install.

--
/ Alexander Bokovoy
Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain
Hi Alexander,

I do believe it is a DNS problem, the commands failing are

host -t srv _ldap._tcp.ad_domain
or
dig SRV _ldap._tcp.ad_domain

after checking the logs I see this error
"no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"

so I disabled the dnssec validation on IPA and it works as expected, I will
setup dnssec on the windows side and enable dns validation once more on IPA
to see if I can get the same outcome.

Thanks for your answer

2016-10-20 10:10 GMT-04:00 Alexander Bokovoy:
> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hello everyone,
>>
>> Both servers are fresh installs, 2008r2 and fedora 24 server freeipa 4.3.2 as
>> the documentation explains in
>> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>>
>> however the server is unable to resolve any record from my child domain, I
>> found this bug https://fedorahosted.org/freeipa/ticket/6062, but am not sure
>> if this version of IPA is affected by it.
>>
>> Is the procedure in the documentation still valid?
>>
> Given that you have literally provided no logs that would help to help
> you, let's start from it.
>
> Show what your problem is through the logs. What exact commands are
> failing? If you suspect DNS issues, show your named-pkcs11's logs.
>
> --
> / Alexander Bokovoy
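The "no valid DS resolving" line quoted above is the kind of message named emits when a DNSSEC validation chain breaks. The following is an added example, not code from the thread, FreeIPA or BIND, that pulls such validation failures out of named log lines and groups them by the upstream server that answered, so the failing zone and resolver can be identified before deciding whether validation needs to be switched off at all. The log lines are constructed for the example (the first one is shaped like the message quoted in the thread, with the poster's ad_domain and 10.20.4.22 placeholders); the other message shapes are ones BIND produces for missing RRSIGs and for an insecure answer under a secure parent.

```python
"""Added example, not from the thread or from FreeIPA/BIND: pick DNSSEC
validation failures out of named log lines and group them by the upstream
server that answered."""

import re
from collections import defaultdict

# Constructed sample log. Line 1 mirrors the message quoted in the thread;
# the others are made up in the shape of named's other validation messages.
SAMPLE_LOG = """\
Oct 20 09:12:01 ipa named-pkcs11[1188]: no valid DS resolving '_ldap._tcp.ad_domain/SRV/IN': 10.20.4.22#53
Oct 20 09:12:01 ipa named-pkcs11[1188]: no valid RRSIG resolving 'dc1.ad_domain/A/IN': 10.20.4.22#53
Oct 20 09:12:02 ipa named-pkcs11[1188]: validating ad_domain/SOA: got insecure response; parent indicates it should be secure
Oct 20 09:12:05 ipa named-pkcs11[1188]: client 10.20.4.50#40112: query: www.example.com IN A + (10.20.4.1)
"""

# "no valid DS/RRSIG resolving 'name/type/IN': server#port"
NO_VALID = re.compile(
    r"no valid (?P<reason>DS|RRSIG) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)")
# "validating name/type: got insecure response; parent indicates it should be secure"
INSECURE = re.compile(
    r"validating (?P<name>[^\s/]+)/(?P<rtype>[A-Z0-9]+): got insecure response; "
    r"parent indicates it should be secure")


def parse_dnssec_failures(log_text):
    """Return one dict per validation failure with name, rtype, reason and the
    answering server (None when the message names no server). Unrelated
    lines, such as query logging, are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = NO_VALID.search(line)
        if m:
            failures.append({"name": m["name"], "rtype": m["rtype"],
                             "reason": "no valid " + m["reason"],
                             "server": m["server"]})
            continue
        m = INSECURE.search(line)
        if m:
            failures.append({"name": m["name"], "rtype": m["rtype"],
                             "reason": "insecure response under secure parent",
                             "server": None})
    return failures


def summarize_by_server(failures):
    """Group failing name/type pairs by the server that answered; failures
    whose message carries no server address land under 'unknown'."""
    grouped = defaultdict(list)
    for f in failures:
        grouped[f["server"] or "unknown"].append(f"{f['name']}/{f['rtype']}")
    return dict(grouped)


if __name__ == "__main__":
    summary = summarize_by_server(parse_dnssec_failures(SAMPLE_LOG))
    for server, records in summary.items():
        print(f"{server}: {', '.join(records)}")
```

When every failing record points at the same server and the same zone, the problem is confined to that zone's chain of trust (here: the AD domain's DNS), which is a narrower thing to fix than turning validation off for the whole IPA resolver.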
Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain
On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
> Hello everyone,
>
> Both servers are fresh installs, 2008r2 and fedora 24 server freeipa 4.3.2 as
> the documentation explains in
> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>
> however the server is unable to resolve any record from my child domain, I
> found this bug https://fedorahosted.org/freeipa/ticket/6062, but am not sure
> if this version of IPA is affected by it.
>
> Is the procedure in the documentation still valid?

Given that you have literally provided no logs that would help to help
you, let's start from it.

Show what your problem is through the logs. What exact commands are
failing? If you suspect DNS issues, show your named-pkcs11's logs.

--
/ Alexander Bokovoy
[Freeipa-users] IPA-AD Trust unable to resolve child domain
Hello everyone,

Both servers are fresh installs, 2008r2 and fedora 24 server freeipa 4.3.2 as
the documentation explains in
http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA

however the server is unable to resolve any record from my child domain, I
found this bug https://fedorahosted.org/freeipa/ticket/6062, but am not sure
if this version of IPA is affected by it.

Is the procedure in the documentation still valid?

Thanks in advance.
Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> Hello,
>
> We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
> our University organisational AD. The AD forest contains *two*
> domains:
>
> EXAMPLE.AU (staff users)
> STUDENT.EXAMPLE.AU (student users)
>
> The IPA domain that trusts these is called:
>
> IPA.EXAMPLE.AU
>
> The basic configuration as described above works ok - we can login to
> IPA client hosts with user principals from either of the AD domains
> and we see correct group membership.
>
> However, I would like to tune this configuration to drop the domain
> component of the user and group names. I tried to do this by adding
> these settings to the [sssd] section in sssd.conf on the client:
>
> default_domain_suffix = example.au
> full_name_format = %1$s
>
> With this configuration, I can login as a staff domain user (example.au)
> successfully and I then see the short-name form of the groups:
>
> $ ssh -l r...@example.au ipa-client-rh7.ipa.example.au
> [rns@ipa-client-rh7 ~]$ groups
> rns domain users d-750g 511all [..etc..]
>
> However, when I try logging in as a student domain user (student.example.au),
> I don't see any of the groups (there should be 8):
>
> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
> [rnst@ipa-client-rh7 ~]$ groups
> rnst
>
> Is this expected behaviour? Is there a possible client configuration that
> will support our AD forest setup or is this simply not possible?

What you did is quite correct, but unfortunately works only with
RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
Hello,

We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
our University organisational AD. The AD forest contains *two* domains:

EXAMPLE.AU (staff users)
STUDENT.EXAMPLE.AU (student users)

The IPA domain that trusts these is called:

IPA.EXAMPLE.AU

The basic configuration as described above works ok - we can login to
IPA client hosts with user principals from either of the AD domains
and we see correct group membership.

However, I would like to tune this configuration to drop the domain
component of the user and group names. I tried to do this by adding
these settings to the [sssd] section in sssd.conf on the client:

default_domain_suffix = example.au
full_name_format = %1$s

With this configuration, I can login as a staff domain user (example.au)
successfully and I then see the short-name form of the groups:

$ ssh -l r...@example.au ipa-client-rh7.ipa.example.au
[rns@ipa-client-rh7 ~]$ groups
rns domain users d-750g 511all [..etc..]

However, when I try logging in as a student domain user (student.example.au),
I don't see any of the groups (there should be 8):

$ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
[rnst@ipa-client-rh7 ~]$ groups
rnst

Is this expected behaviour? Is there a possible client configuration that
will support our AD forest setup or is this simply not possible?

Regards,
Robert.
Complete client sssd.conf:

[domain/ipa.example.au]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.au
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-rh7.ipa.example.au
chpass_provider = ipa
ipa_server = _srv_, matilda3.ipa.example.au
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ipa.example.au
default_domain_suffix = example.au
full_name_format = %1$s

[nss]
homedir_substring = /home
override_shell = /bin/bash

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
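The two settings at the heart of this post, default_domain_suffix and full_name_format, have a side effect worth seeing before they are rolled out to a forest with two AD domains: once the domain component is dropped from display names, a user or group that exists under the same short name in both domains is shown identically. The following is an added example, not code from the thread or from SSSD itself, that models how those two options turn qualified names into display names and reports which display names become ambiguous. It uses the documented full_name_format specifiers (%1$s user name, %2$s domain name as written in sssd.conf, %3$s domain flat name); the flat names, the student-side sample names and the rns@student.example.au user are constructed for the example, and the split at the first '@' is an assumption that matches the name forms shown in the thread (sssd's own parsing is governed by its re_expression option).

```python
"""Added example, not code from the thread or from SSSD: model sssd's
full_name_format / default_domain_suffix display rules and report the short
names that become ambiguous across two AD domains of one forest."""

from collections import defaultdict

# Flat (NetBIOS) names are constructed for this example; the DNS domain names
# are the two AD domains from the thread.
FLAT_NAMES = {"example.au": "EXAMPLE", "student.example.au": "STUDENT"}

# Constructed sample: the staff user and groups quoted in the thread, plus a
# student user and student groups invented to show the overlap between domains.
SAMPLE_USERS = ["rns@example.au", "rns@student.example.au", "rnst@student.example.au"]
SAMPLE_GROUPS = ["domain users@example.au", "d-750g@example.au", "511all@example.au",
                 "domain users@student.example.au", "s-2016@student.example.au"]


def split_name(name, default_domain_suffix):
    """Split 'user@domain' into (user, domain). A bare name is assigned
    default_domain_suffix, which is what that sssd option does for names
    without a domain component. Assumption: the first '@' is the separator."""
    if "@" in name:
        user, _, domain = name.partition("@")
        return user, domain.lower()
    return name, default_domain_suffix


def render(user, domain, fmt):
    """Expand the printf-style specifiers documented for full_name_format:
    %1$s user name, %2$s domain name as written in sssd.conf, %3$s flat name."""
    flat = FLAT_NAMES.get(domain, domain.split(".")[0].upper())
    return fmt.replace("%1$s", user).replace("%2$s", domain).replace("%3$s", flat)


def find_collisions(names, fmt, default_domain_suffix="example.au"):
    """Return {displayed: [qualified names]} for every display string that
    more than one qualified name maps to under the given format."""
    shown = defaultdict(list)
    for name in names:
        user, domain = split_name(name, default_domain_suffix)
        shown[render(user, domain, fmt)].append(name)
    return {disp: sorted(full) for disp, full in shown.items() if len(full) > 1}


def report(fmt):
    """Print and return a summary of ambiguous display names for one format."""
    lines = [f"full_name_format = {fmt}"]
    for label, names in (("users", SAMPLE_USERS), ("groups", SAMPLE_GROUPS)):
        collisions = find_collisions(names, fmt)
        if not collisions:
            lines.append(f"  {label}: no ambiguous display names")
        for disp, full in collisions.items():
            lines.append(f"  {label}: '{disp}' stands for {', '.join(full)}")
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report("%1$s")          # short names only: staff and student entries collide
    report("%1$s@%2$s")     # sssd's default form: always unambiguous
    report("%3$s\\%1$s")    # flat-name form (STUDENT\rns): also unambiguous
```

With %1$s the 'domain users' group of each domain is displayed the same way, and a staff and a student account that share a short name are indistinguishable in `groups`, `ls -l` or log output; a format that keeps %2$s or %3$s avoids that while still being shorter than the fully qualified name.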
[Freeipa-users] IPA - AD trust - LDAP signing
Hi all,

I am having trouble with IPA-AD trust. We have a scenario where on the AD side the LDAP signing policy is on - this is company standard and can not be changed.

Is there any chance to let IPA use LDAP signing on the IPA side? I guess IPA uses SASL LDAP bind but without signing.

What I am not understanding now is that IPA is still able to obtain info from AD LDAP although the DC servers keep complaining about unsigned LDAP connections - event 2889.

https://support.microsoft.com/en-us/kb/935834
https://technet.microsoft.com/en-us/library/dd941849(v=ws.10).aspx

Thanks for help.

Jan Karásek
Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups
Hi,

OK, clear. Thanks for the information!

Winny

Sumit Bose wrote on 06-01-2016 9:19:
> On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote:
>> Hi all,
>>
>> Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux side
>> we're just not able to see AD "Domain Local Groups".
>>
>> Is that just not possible (a limitation of the current version that is), is
>> some extra configuration needed or is just something wrong?
>>
>> Hope one can give an answer!
>
> This is by design. As the name says the groups are 'Domain Local' i.e.
> only valid in the own AD domain (not even in the whole AD forest). Since
> the IPA domain is a completely different forest from the AD perspective
> the Domain Local Groups do not apply here. IPA just does the same here as
> AD does.
>
> HTH
>
> bye,
> Sumit
>
>> Winny
Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups
On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote:
> Hi all,
>
> Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux side
> we're just not able to see AD "Domain Local Groups".
>
> Is that just not possible (a limitation of the current version that is), is
> some extra configuration needed or is just something wrong?
>
> Hope one can give an answer!

This is by design. As the name says the groups are 'Domain Local' i.e. only
valid in the own AD domain (not even in the whole AD forest). Since the IPA
domain is a completely different forest from the AD perspective the Domain
Local Groups do not apply here. IPA just does the same here as AD does.

HTH

bye,
Sumit

>
> Winny
[Freeipa-users] IPA, AD Trust and Domain Local Groups
Hi all,

Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux side
we're just not able to see AD "Domain Local Groups".

Is that just not possible (a limitation of the current version that is), is
some extra configuration needed or is just something wrong?

Hope one can give an answer!

Winny
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
On 16 Jul 2014, at 03:29, Parsons, Aron parso...@bit-sys.com wrote:

I ran into this issue last fall and have been running with a patched
libnfsidmap since November while our support case with Red Hat waits on a
resolution (pretty much have given up hope at this point). It's a trivial
patch and removes the assumption that only one @ can be present in a
username.

With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6
and EL7 in multiple environments all using NFSv4 mounts with ID mapping
enabled. We have experienced zero issues with this patch applied. Without
it, the AD trust setup is a no-go in any sort of real environment since
NFSv4 is broken.

If you'd like to reference our support case, it's #00983906. Patch is
included below.

/aron

Hi Aron,

the support case you referenced is linked to bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked for
RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks the patch
will be released in 6.6..

From 305930bded0d377ebda858e8772ebf6527ba3f03 Mon Sep 17 00:00:00 2001
From: Aron Parsons parso...@bit-sys.com
Date: Fri, 15 Nov 2013 14:43:10 -0500
Subject: [PATCH] account for usernames with @ in them

---
 libnfsidmap/nss.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libnfsidmap/nss.c b/libnfsidmap/nss.c
index 04aff19..f9ad4be 100644
--- a/libnfsidmap/nss.c
+++ b/libnfsidmap/nss.c
@@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char *domain) char *l = NULL; int len; - c = strchr(name, '@'); + c = strrchr(name, '@'); if (c == NULL domain != NULL) goto out; if (c == NULL domain == NULL) { -- 1.7.1

-

Hi,

First I wish to thank everybody that helped me out trying to solve this
issue and I also wish to inform that NFS 4 does not work with AD users
through an AD and IPA trust at the moment for RHEL 6 and 7.

The reason is that rpc.idmapd does not parse fully-qualified usernames so
adtest AD EXAMPLE o...@ipa.example.org does not work.
The client-side code is stripping the domain off based on the location of
the first @ character in the value returned by the server. This results in
UID/GID mappings failing and resulting in ownership on the clients of nobody.

Regards,
Johan
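Review bot: the strchr-to-strrchr change in strip_domain moves the split to the last '@', which is what lets a user name that itself contains '@' (the case named in the patch subject) keep its user part intact; that intent is not recorded in the code, so add a comment at the strrchr line stating that the user part of an NFSv4 name may contain '@', and a test covering a name with two '@' characters, one with a single '@', and one with none (the domain == NULL path). Also, the two conditions as they appear here, `if (c == NULL domain != NULL)` and `if (c == NULL domain == NULL)`, have lost their logical operator, which looks like mail transport damage rather than part of the patch; verify the hunk against the original file before applying it.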
From: Dmitri Pal [dpal redhat com]
Sent: Thursday, June 05, 2014 21:03
To: Johan Petersson; Alexander Bokovoy
Cc: Sumit Bose; freeipa-users redhat com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/04/2014 09:57 AM, Johan Petersson wrote:

Yes the message is exactly like that with commas, I double checked.

To answer Sumit's question:
Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help?

I did on all machines and got rid of that specific message but I still get user nobody unfortunately.

Here are logs from when I did a su - adtest AD h...@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.

Client:

Jun 4 15:30:13 client su: (to adtest ad home) linux on pts/0
Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest ad h...@linux.home timeout 600
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch-name_to_gid
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch-name_to_gid returned -22
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch-name_to_gid
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch-name_to_gid returned 0
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of the resolution?
NFS Server:

Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch-uid_to_name
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch-uid_to_name returned 0
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 - name adtest ad h...@linux.home
Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch-gid_to_name
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch-gid_to_name returned 0
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id 112005 - name ad_users linux home

The group ad_users is an IPA group with external maps from AD Domain users.

-Original Message-
From: Alexander Bokovoy [mailto:abokovoy redhat com]
Sent
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> Hi Aron,
>
> the support case you referenced is linked to bugzilla
> https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked for
> RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks the patch
> will be released in 6.6..

username@domain is coded in the NFS spec as an NFS id which goes over the wire. It's unclear what allowing two @ signs means (which @ separates username from domain, and which is part of one of these components?) While I'm sure this patch is trivial and I'm certain the patch works, it breaks interoperability with everything not running the patch (all non-linux and any non RHEL/Centos 6.6 linux). This is probably acceptable in certain closed environments, but I can never use it here.

However, patching the idmapper so that if the username already contains an @, it doesn't add another one should also be trivial and should also work. It has the added benefit of not trashing interoperability. Conceptually, it allows sssd to convey both username and domain with no extra overhead and upgrades the linux nfs idmapper to handle living on a system which understands more than a flat namespace. To do it right, sssd always needs to supply the nfs idmapper usernames of the form username@domain regardless of the regex used to parse out those components at the login prompt.

I'd have put that on the bugzilla, but I can't get at it.

Bryce

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
>> Hi Aron,
>>
>> the support case you referenced is linked to bugzilla
>> https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked for
>> RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks the patch
>> will be released in 6.6..
>
> username@domain is coded in the NFS spec as an NFS id which goes over the
> wire. It's unclear what allowing two @ signs means (which @ separates
> username from domain, and which is part of one of these components?) While
> I'm sure this patch is trivial and I'm certain the patch works, it breaks
> interoperability with everything not running the patch (all non-linux and
> any non RHEL/Centos 6.6 linux). This is probably acceptable in certain
> closed environments, but I can never use it here.

The patch went upstream already. What it does is changing lookup at last
'@' instead of the first one. For traditional NFS cases it changes nothing
as there is one '@' anyway, the one added by nfsidmap code.

> However, patching the idmapper so that if the username already contains an
> @, it doesn't add another one should also be trivial and should also work.
> It has the added benefit of not trashing interoperability. Conceptually, it
> allows sssd to convey both username and domain with no extra overhead and
> upgrades the linux nfs idmapper to handle living on a system which
> understands more than a flat namespace. To do it right, sssd always needs
> to supply the nfs idmapper usernames of the form username@domain regardless
> of the regex used to parse out those components at the login prompt.

Thing is, nfsidmap always adds and then subtracts '@' plus domain, assuming
that the part prior to '@' is what is going to be mapped by the
domain-specific idmap mapper. What you get here by not adding the '@' to the
name which contains '@' already is that the wrong domain will be classified
and then the wrong name is passed to the system to ask for.
Current implementation (with the patch) survives both cases better than what
you propose.

--
/ Alexander Bokovoy
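The point Alexander makes above (the patch moves the split from the first '@' to the last one, and for a plain single-'@' name nothing changes) and Johan's earlier observation (a name with an embedded '@' ends up as nobody) can be seen side by side with a small model of the mapper. The following is an added example, not code from the thread, libnfsidmap or SSSD: a Python reconstruction of strip_domain() before and after the strchr/strrchr change, followed by the lookup step that turns an unmappable name into nobody. Only the one-line change shown in the hunk is taken from the patch; the surrounding checks (return nothing when a domain is configured but the name has no '@', and when the remainder after the separator does not match the configured NFS domain) are an assumption about the rest of that function. The passwd table, the wire name adtest@ad.example@ipa.example.org and the NFS domain ipa.example.org are constructed; the uid 497801107 is the one that appears in the thread's server log.

```python
"""Added example, not code from the thread, libnfsidmap or SSSD: model of
libnfsidmap's strip_domain() with the first-'@' (strchr) and last-'@'
(strrchr) behaviour, plus the lookup that yields 'nobody' on failure."""

NOBODY_UID = 65534  # what a client falls back to when a name cannot be mapped

# Constructed table standing in for the NSS/SSSD lookup of the stripped name.
# 497801107 is the AD user's id shown in the thread's rpc.idmapd log.
NSS_PASSWD = {"adtest@ad.example": 497801107, "alice": 1000}


def strip_domain(name, domain, use_last_at):
    """Return the local part of an NFSv4 'user@nfsdomain' name, or None when
    it cannot be stripped. use_last_at=False splits at the first '@' (strchr,
    before the patch), True at the last one (strrchr, after the patch).
    Assumption (not in the hunk): when a domain is configured, a name without
    '@' is rejected and the remainder must equal the domain, case-insensitively."""
    idx = name.rfind("@") if use_last_at else name.find("@")
    if idx < 0:
        return None if domain is not None else name
    if domain is not None and name[idx + 1:].lower() != domain.lower():
        return None
    return name[:idx]


def name_to_uid(name, domain, use_last_at, table=NSS_PASSWD):
    """Map an on-the-wire NFSv4 name to a uid the way the client id mapper
    does: strip the NFS domain, then look the remaining name up. Any failure
    along the way surfaces as the nobody uid, which is the symptom in the thread."""
    local = strip_domain(name, domain, use_last_at)
    if local is None:
        return NOBODY_UID
    return table.get(local, NOBODY_UID)


if __name__ == "__main__":
    nfs_domain = "ipa.example.org"
    wire_name = "adtest@ad.example@ipa.example.org"  # constructed trusted-AD user
    for use_last_at in (False, True):
        which = "last" if use_last_at else "first"
        print(f"split at {which} '@': {wire_name} -> uid "
              f"{name_to_uid(wire_name, nfs_domain, use_last_at)}")
    # A conventional single-'@' name maps the same way with either split.
    print(f"alice@{nfs_domain} -> uid {name_to_uid('alice@' + nfs_domain, nfs_domain, True)}")
```

With the first-'@' split the remainder after "adtest" is "ad.example@ipa.example.org", which does not match the configured NFS domain, so the name is rejected and the client shows nobody; with the last-'@' split the remainder is exactly the NFS domain and "adtest@ad.example" is handed to SSSD, which can resolve it. The conventional name maps to the same uid under both rules, which is the "changes nothing for traditional NFS cases" point above.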
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> Thing is, nfsidmap always adds and then subtracts '@' plus domain, assuming
> that the part prior to '@' is what is going to be mapped by the
> domain-specific idmap mapper.

That's the crux of the problem right there. Sssd is not a domain-specific idmap mapper. Sssd is a domain-aware, multidomain idmap mapper. Hence the first @.

> What you get here by not adding the '@' to the name which contains '@'
> already is that the wrong domain will be classified and then the wrong name
> is passed to the system to ask for.

The corollary of not adding the '@' is not subtracting it either. If sssd is the system service that deals with multidomain issues, then let it. The NFS idmapper doesn't need to add or subtract the @ and should pass it on to sssd, if it's interacting with sssd. One flag to the mapper (domain-aware-system=true), the internal linux only problems are solved internally, and the over the wire traffic is not broken in ways that break other clients (e.g., your patched system emits traffic which looks _exactly_ like the traditional-read-conforming NFS case to unpatched systems and other ground-up implementations).

Breaking the protocol in a self-consistent way which excludes other platforms is a very Microsoft-like approach and makes me feel all dirty. Sometimes (not now) it's necessary as a band-aid/workaround, but this time the band-aid doesn't have to break things. :)

I'd say the real solution, long term, is to point both sssd and the nfs idmapper at something like a umich_ldap server managed by freeipa. This has additional benefits like centralizing the idmapping in a way that's exportable to foreign organizations so they can be clients to my servers, being able to resolve uidNumber collisions when I'm not in control of the AD I'm trying to use, supporting bare Kerberos trusts, allowing multiple GSSAuthNames (e.g., my AD account, Kerberos credentials from my home network KDC, my SAML account) to be recognized as the same user, etc. Room for growth.
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
Hi Jakub,

Good to know about the patch. It's unfortunate I can get a faster and more detailed answer via the mailing list than GSS.

Since I can't access the bugzilla, any idea if it's targeted at RHEL7 as well?

/aron

From: Jakub Hrozek [jhro...@redhat.com]
Sent: Wednesday, July 16, 2014 2:19 AM
To: Parsons, Aron
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 16 Jul 2014, at 03:29, Parsons, Aron parso...@bit-sys.com wrote:

I ran into this issue last fall and have been running with a patched
libnfsidmap since November while our support case with Red Hat waits on a
resolution (pretty much have given up hope at this point). It's a trivial
patch and removes the assumption that only one @ can be present in a
username.

With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6
and EL7 in multiple environments all using NFSv4 mounts with ID mapping
enabled. We have experienced zero issues with this patch applied. Without
it, the AD trust setup is a no-go in any sort of real environment since
NFSv4 is broken.

If you'd like to reference our support case, it's #00983906. Patch is
included below.

/aron

Hi Aron,

the support case you referenced is linked to bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked for
RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks the patch
will be released in 6.6..

From 305930bded0d377ebda858e8772ebf6527ba3f03 Mon Sep 17 00:00:00 2001
From: Aron Parsons parso...@bit-sys.com
Date: Fri, 15 Nov 2013 14:43:10 -0500
Subject: [PATCH] account for usernames with @ in them

---
 libnfsidmap/nss.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libnfsidmap/nss.c b/libnfsidmap/nss.c
index 04aff19..f9ad4be 100644
--- a/libnfsidmap/nss.c
+++ b/libnfsidmap/nss.c
@@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char *domain) char *l = NULL; int len; - c = strchr(name, '@'); + c = strrchr(name, '@'); if (c == NULL domain != NULL) goto out; if (c == NULL domain == NULL) { -- 1.7.1 - Hi, First i wish to thank everybody that helped me out trying to solve this issue and i also wish to inform that NFS 4 does not work with AD users through an AD and IPA trust at the moment for RHEL 6 and 7. The reason is that rpcidmapd` does not parse fully-qualified usernames soadtest AD EXAMPLE o...@ipa.example.org does not work. The client-side code is stripping the domain off based on the location of the first @ character in the value returned by the server. This results in UID/GID mappings failing and resulting in ownership on the clients of nobody. Regards, Johan 
From: Dmitri Pal [dpal redhat com]
Sent: Thursday, June 05, 2014 21:03
To: Johan Petersson; Alexander Bokovoy
Cc: Sumit Bose; freeipa-users redhat com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/04/2014 09:57 AM, Johan Petersson wrote:
> Yes the message is exactly like that with commas, I double checked.
>
> To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help? I did on all machines and got rid of that specific message but I still get user nobody unfortunately.
>
> Here are logs from when I did a su - adtest AD h...@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
>
> Client:
>
> Jun 4 15:30:13 client su: (to adtest ad home) linux on pts/0
> Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest ad h...@linux.home timeout 600
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of the resolution?
> NFS Server:
>
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 -> name adtest ad h...@linux.home
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
> Jun 4 15:33:48
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
> > Thing is, nfsidmap always adds and then subtracts '@' plus domain, assuming that the part prior to '@' is what is going to be mapped by the domain-specific idmap mapper.
>
> That's the crux of the problem right there. Sssd is not a domain-specific idmap mapper. Sssd is a domain-aware, multidomain idmap mapper. Hence the first @.

You are mixing different mappers and different layers.

SSSD uses separator (set to '@' by default and enforced as '@' in IPA trusts mode) to automatically qualify users from non-primary domains. In case of IPA trusts this is enforced for trusted domains of IPA domain which are discovered automatically by IPA-specific means. SSSD, thus, exposes these names as normal system-wide user and group names, available to anyone performing NSS calls of the libc.

NFS idmap layer does own optimization by internally presenting any NFS-provided name as name@domain and passing it to internal NFS idmap providers. idmap plugins then take this name@domain and perform own mapping. This has nothing to do with system-wide user names and it has nothing to do with on wire NFS protocol, it is particular NFS idmap library implementation detail.

Note that libnfsidmap actually has two stacks of idmap modules, applied separately to NFSv4 domain names and to GSSAPI-authenticated names. While the same plugins are used in both cases, the use of 'nsswitch' plugin for GSSAPI-authenticated names is debatable without applying krb5_aname_to_localname() first, which nfs-utils doesn't even do.

In other words, we have two different layers, dealing with different conceptual idmap approaches, and one of them is being used by the other. The latter (NFS idmap 'nsswitch' plugin) didn't expect that system-level names might include the same symbol '@'. Given that the NFS idmap-internal '@' is always appended to NFS-protocol provided name, splitting the resulting string on last '@' is the right thing to do to avoid clashes.
> > What you get here by not adding the '@' to the name which contains '@' already is that wrong domain will be classified and then wrong name is passed to the system to ask for.
>
> The corollary of not adding the '@' is not subtracting it either.

This would be a major change to NFS libnfsidmap library and while technically could be superior, it serves little value in this context.

> If sssd is the system service that deals with multidomain issues, then let it. The NFS idmapper doesn't need to add or subtract the @ and should pass it on to sssd, if it's interacting with sssd. One flag to the mapper (domain-aware-system=true), the internal linux only problems are solved internally, and the over the wire traffic is not broken in ways that break other clients (e.g., your patched system emits traffic which looks _exactly_ like the traditional-read-conforming NFS case to unpatched systems and other ground-up implementations).
>
> Breaking the protocol in a self-consistent way which excludes other platforms is a very Microsoft-like approach and makes me feel all dirty. Sometimes (not now) it's necessary as a band-aid/workaround, but this time the band-aid doesn't have to break things. :)

As I said, there is no protocol, on wire or between libnfsidmap and lower OS levels, that requires special '@' handling. It is purely internal thing to libnfsidmap. The way it was treated was wrong from the beginning so I would argue the strrchr() fix is actually the proper fix rather than band-aid.

> I'd say the real solution, long term, is to point both sssd and the nfs idmapper at something like a umich_ldap server managed by freeipa.
> This has additional benefits like centralizing the idmapping in a way that's exportable to foreign organizations so they can be clients to my servers, being able to resolve uidNumber collisions when I'm not in control of the AD I'm trying to use, supporting bare Kerberos trusts, allowing multiple GSSAuthNames (e.g., my AD account, Kerberos credentials from my home network KDC, my SAML account) to be recognized as the same user, etc. Room for growth.

We want to have specialized NFS idmap plugin to existing libnfsidmap that uses specialized SSSD API internally (the patch is on review on SSSD list, at least it was when I went to my vacation which I'm enjoying now :). Alternatively, we want to write a complete replacement of libnfsidmap given the knowledge we have at SSSD side.

What is lacking here is the fact that with krb5 1.13 we also have way to dynamically plug into krb5_aname_to_localname() processing and get rid of static auth_to_local rules in krb5.conf for whole IPA domain and its trusted domains. In this scheme for GSSAPI-authenticated NFS names all what is needed to be done is krb5_aname_to_localname() call prior to use of 'nsswitch' plugin. The rest will be done by SSSD automatically and for all applications, not only NFS idmapper.

--
/ Alexander Bokovoy
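The following is an added example, not code from libnfsidmap, SSSD or anyone on this thread. It reconstructs the name-splitting step Alexander describes above (the NFS idmap layer appends "@nfsdomain" to a system user name, then the nsswitch plugin strips it again) against a constructed passwd table, so the difference between splitting at the first and the last '@' can be run and checked offline. The user names and UIDs mirror the ones in Johan's logs but are hard-coded here; the function names (qualify, strip_domain, resolve_uid, fake_getpwnam) and the NOBODY constant are the example's own.

```c
/*
 * Added example: why libnfsidmap's nsswitch plugin must split an
 * NFSv4 idmap name on the LAST '@' once SSSD hands out fully qualified
 * names such as adtest@ad.home.  Not libnfsidmap or SSSD code; the
 * passwd table below is constructed for the example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOBODY 65534u   /* what the client ends up showing as "nobody" */

/* Constructed stand-in for getpwnam() answered by SSSD on an IPA client
 * with an AD trust: trusted-domain users are already "user@domain". */
struct fake_pw { const char *name; unsigned uid; };
static const struct fake_pw passwd_db[] = {
    { "adtest@ad.home", 497801107u },   /* AD user seen through the trust */
    { "alice",          1001u },        /* plain IPA user */
};

static const struct fake_pw *fake_getpwnam(const char *name)
{
    for (size_t i = 0; i < sizeof passwd_db / sizeof passwd_db[0]; i++)
        if (strcmp(passwd_db[i].name, name) == 0)
            return &passwd_db[i];
    return NULL;
}

/* What the NFS idmap layer does internally before calling a plugin:
 * qualify the system name with the NFSv4 domain, "name@nfs_domain". */
char *qualify(const char *sysname, const char *nfs_domain)
{
    size_t n = strlen(sysname) + 1 + strlen(nfs_domain) + 1;
    char *out = malloc(n);
    if (out)
        snprintf(out, n, "%s@%s", sysname, nfs_domain);
    return out;
}

/* Remove "@domain" from name and return the local part (malloc'd), or
 * NULL when no '@' is present or the suffix is not the expected domain.
 * split_last selects strrchr() (the fix) over strchr() (the old code). */
char *strip_domain(const char *name, const char *domain, int split_last)
{
    const char *c = split_last ? strrchr(name, '@') : strchr(name, '@');
    if (c == NULL)
        return NULL;
    if (strcmp(c + 1, domain) != 0)      /* suffix is not our NFSv4 domain */
        return NULL;
    size_t len = (size_t)(c - name);
    char *local = malloc(len + 1);
    if (local == NULL)
        return NULL;
    memcpy(local, name, len);
    local[len] = '\0';
    return local;
}

/* Map a qualified NFS name to a UID the way nss_getpwnam() would;
 * a failed strip or an unknown local name yields NOBODY. */
unsigned resolve_uid(const char *nfs_name, const char *nfs_domain, int split_last)
{
    char *local = strip_domain(nfs_name, nfs_domain, split_last);
    if (local == NULL)
        return NOBODY;
    const struct fake_pw *pw = fake_getpwnam(local);
    free(local);
    return pw ? pw->uid : NOBODY;
}

int main(void)
{
    const char *nfs_domain = "linux.home";
    const char *users[] = { "adtest@ad.home", "alice" };

    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        char *q = qualify(users[i], nfs_domain);
        if (q == NULL)
            return 1;
        printf("%-26s first '@' -> uid %u, last '@' -> uid %u\n",
               q, resolve_uid(q, nfs_domain, 0), resolve_uid(q, nfs_domain, 1));
        free(q);
    }
    return 0;
}
```

Compiled with any C99 compiler, the program prints one line per name. With the first-'@' split the trusted-domain user collapses to NOBODY, which is the "does not map into domain" line in Johan's nfsidmap log and the "nobody" ownership on the client; the plain IPA user maps either way, which is why the defect only surfaces once AD users appear. The last-'@' split still rejects a name whose trailing domain is not the NFSv4 domain, so the fix narrows the parsing without loosening the domain check.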
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
I ran into this issue last fall and have been running with a patched libnfsidmap since November while our support case with Red Hat waits on a resolution (pretty much have given up hope at this point). It's a trivial patch and removes the assumption that only one @ can be present in a username.

With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6 and EL7 in multiple environments all using NFSv4 mounts with ID mapping enabled. We have experienced zero issues with this patch applied. Without it, the AD trust setup is a no-go in any sort of real environment since NFSv4 is broken.

If you'd like to reference our support case, it's #00983906. Patch is included below.

/aron

From 305930bded0d377ebda858e8772ebf6527ba3f03 Mon Sep 17 00:00:00 2001
From: Aron Parsons parso...@bit-sys.com
Date: Fri, 15 Nov 2013 14:43:10 -0500
Subject: [PATCH] account for usernames with @ in them

---
 libnfsidmap/nss.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libnfsidmap/nss.c b/libnfsidmap/nss.c
index 04aff19..f9ad4be 100644
--- a/libnfsidmap/nss.c
+++ b/libnfsidmap/nss.c
@@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char *domain) char *l = NULL; int len; - c = strchr(name, '@'); + c = strrchr(name, '@'); if (c == NULL domain != NULL) goto out; if (c == NULL domain == NULL) {
--
1.7.1

> Hi,
>
> First I wish to thank everybody that helped me out trying to solve this issue, and I also wish to inform that NFS 4 does not work with AD users through an AD and IPA trust at the moment for RHEL 6 and 7.
>
> The reason is that rpc.idmapd does not parse fully-qualified usernames, so adtest AD EXAMPLE o...@ipa.example.org does not work. The client-side code is stripping the domain off based on the location of the first @ character in the value returned by the server. This results in UID/GID mappings failing and resulting in ownership on the clients of nobody.
>
> Regards,
> Johan
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
On Fri, 2014-06-27 at 00:10 +, Nordgren, Bryce L -FS wrote:
> Also: http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04
>
> Never became an RFC, but cites Simo's I-D on a Kerberos PAC. I like the CITI approach better (also approach 2 of section 6 in the above I-D). I have no use for the groups defined in my active directory. Also, for the external collaboration case, my AD may not be accessible to an NFS server outside the firewall.
>
> However, if (?) support for an NFSRemoteUser schema is lacking in FreeIPA, and if AD is accessible to both client and server, it seems that approach 3 of section 6 above would be the answer? Somehow configure idmap.conf (on NFS clients and servers) to directly query AD? Does that seem correct?

I honestly think (and gave this feedback to the authors in the past) that trying to standardize on LDAP in an NFS document is wrong, it should be implementation specific. I think NFS should define roughly how a mapping service should behave, but should not try to dictate how Directory services can/should be used, the variation and modes of use is just too big in the real world, and keeps changing.

Moreover it is already incorrect to believe all identities can be resolved by contacting a single LDAP server (AD trusted forests as an example), and that the LDAP server can actually fully resolve group memberships (again AD, and even FreeIPA when trusting AD forests) without using custom operations possible only fully correct when run by the KDC (or other RPC service, again see AD).

In the FreeIPA case for example we do not (normally) convey AD groups to the service and instead map (some of) them into FreeIPA external groups, a client that tries to query directly the AD service (assuming you have direct access which is often not true) would not get cross-realm group memberships as defined in the IPA server and would therefore cause issues.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> The second @ is not provided by kerberos, it is rpc.idmapd making false assumptions, it does a getpwuid and gets back adt...@ad.example.org as the username, to which it decides to slap on the local REALM name with an @ sign in between. I think this is something that may be handled with idmapd.conf configuration.

Muchas gracias. This makes sense. Found an old presentation on the topic [1]. Slide 15 is particularly relevant.

Slide 4, however, taught me something I didn't know: NFS wants to deal with NFSv4 domain names (slide 3), which can be different than GSS principal names (Kerberos principals). There is only one NFS domain, but there can be multiple security realms and multiple DNS domains (slide 2).

The crux of this is on slide 14: "Need to add posixAccount with GSSAuthName for UID/GID mapping of remote user." Is this another use case for views?

What I'm not quite clear on is the interaction between idmapd and ldap (slides 15,16,18). Does idmapd want to see this NFSv4RemoteUser schema on the LDAP server? Is this schema something that FreeIPA would have to support for NFS to work with cross-realm trusts? Or has the landscape changed since this 2005 presentation?

Bryce

[1] http://www.citi.umich.edu/projects/nfsv4/crossrealm/ASC_NFSv4_WKSHP_X_DOMAIN_N2ID.pdf

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
On 06/04/2014 09:57 AM, Johan Petersson wrote:
> Yes the message is exactly like that with commas, I double checked.
>
> To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help? I did on all machines and got rid of that specific message but I still get user nobody unfortunately.
>
> Here are logs from when I did a su - adt...@ad.home@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
>
> Client:
>
> Jun 4 15:30:13 client su: (to adt...@ad.home) linux on pts/0
> Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adt...@ad.home@linux.home timeout 600
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of the resolution?

> NFS Server:
>
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 -> name adt...@ad.home@linux.home
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id 112005 -> name ad_us...@linux.home
>
> The group ad_users is an IPA group with external maps from AD Domain users.
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: Wednesday, June 04, 2014 3:14 PM
> To: Johan Petersson
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> On Wed, 04 Jun 2014, Johan Petersson wrote:
> > Mail got posted before I was finished sorry.
> >
> > I found one clue to the issue after increasing autofs logging to debug and as I thought it has to do with id-mapping.
> >
> > From /var/log/messages:
> >
> > Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map into domain 'linux.home,'
>
> Are you sure the message is exactly like this, with a comma after linux.home? The reason I'm asking is because the code that prints the message looks like this:
>
>     localname = strip_domain(name, domain);
>     IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': resulting localname '%s'\n",
>                   name, domain, localname));
>     if (localname == NULL) {
>         IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map into domain '%s'\n",
>                       name, domain ? domain : "not-provided"));
>         goto err_free_buf;
>     }
>
> note that it doesn't have comma anywhere in the string printed.
>
> Can you please increase the log level to 4 so that we can see the first string (nss_getpwnam: name '' domain '...': resulting localname ...)? it would be
>
>     [general]
>     Verbosity = 4
>
> in /etc/idmapd.conf
>
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
> > Sent: Wednesday, June 04, 2014 12:02 PM
> > To: d...@redhat.com; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >
> > Yes Client is default RHEL 7 and both IPA and NFS Server are as well.
> >
> > server.ad.home = AD Server
> > share.linux.home = NFS Server
> > ipa.linux.home = IPA Server
> > client.linux.home = Client
> >
> > NFS with automounted krb5p Home Directories work for IPA users.
> >
> > sssd-1.11.2-65.el7.x86_64
> >
> > id adt...@ad.home
> > uid=497801107(adt...@ad.home) gid=497801107(adt...@ad.home) groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)
> >
> > getent passwd adt...@ad.home
> > adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:
> >
> > klist after kinit adt...@ad.home
> >
> > [root@client ~]# klist -e
> > Ticket cache: KEYRING:persistent:0:0
> > Default principal: adt...@ad.home
> >
> > Valid starting       Expires              Service principal
> > 06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/ad.h
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
Yes Client is default RHEL 7 and both IPA and NFS Server are as well.

server.ad.home = AD Server
share.linux.home = NFS Server
ipa.linux.home = IPA Server
client.linux.home = Client

NFS with automounted krb5p Home Directories work for IPA users.

sssd-1.11.2-65.el7.x86_64

id adt...@ad.home
uid=497801107(adt...@ad.home) gid=497801107(adt...@ad.home) groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)

getent passwd adt...@ad.home
adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:

klist after kinit adt...@ad.home

[root@client ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: adt...@ad.home

Valid starting       Expires              Service principal
06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/ad.h...@ad.home
	renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

klist after ssh adt...@ad.home@ipa.linux.home

klist
Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
Default principal: adt...@ad.home

Valid starting       Expires              Service principal
06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.h...@linux.home
	renew until 06/05/14 11:28:30
06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/linux.h...@ad.home
	renew until 06/05/14 11:28:30
06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/ad.h...@ad.home
	renew until 06/05/14 11:28:30

Home Directory gets mounted by autofs through sssd but user:group is both nobody.

The Client's sssd.conf:

[domain/linux.home]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.home
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.linux.home
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.linux.home
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
subdomains_provider = ipa

[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2
domains = linux.home

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, June 03, 2014 6:48 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

> On 06/03/2014 09:07 AM, Johan Petersson wrote:
> > Hi,
> >
> > Environment:
> > RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
> > RHEL 7 NFS Server
> > RHEL 7 Client
> >
> > I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA. I have created a NFS share /home/adexample.org and use autofs map in IPA. All wbinfo tests work as well as id. I can login fine through SSH and Shell with adt...@adexample.org
> >
> > The problem is that I can add the AD user as owner of his Home Directory and if I log in to the NFS Server locally or through ssh permissions are correct but when logging in to any other computer I get nobody as owner.
>
> Are those computers RHEL7 NFS clients with SSSD? Can you describe them in more details please?
>
> > Groups are no problem since AD groups can be mapped to Posix groups. Idmap.conf domain is set to the IPA Domain.
> >
> > Is there some way to get NFS working with the AD user as owner of his Home Directory?
> >
> > Thanks for any help.
> >
> > This e-mail is private and confidential between the sender and the addressee. In the event of misdirection, the recipient is prohibited from using, copying or disseminating it or any information in it. Please notify the above if any misdirection.
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
I found one clue to the issue and as I thought it has to do with m

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
Sent: Wednesday, June 04, 2014 12:02 PM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

> Yes Client is default RHEL 7 and both IPA and NFS Server are as well.
>
> server.ad.home = AD Server
> share.linux.home = NFS Server
> ipa.linux.home = IPA Server
> client.linux.home = Client
>
> NFS with automounted krb5p Home Directories work for IPA users.
>
> sssd-1.11.2-65.el7.x86_64
>
> id adt...@ad.home
> uid=497801107(adt...@ad.home) gid=497801107(adt...@ad.home) groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)
>
> getent passwd adt...@ad.home
> adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:
>
> klist after kinit adt...@ad.home
>
> [root@client ~]# klist -e
> Ticket cache: KEYRING:persistent:0:0
> Default principal: adt...@ad.home
>
> Valid starting       Expires              Service principal
> 06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/ad.h...@ad.home
> 	renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> klist after ssh adt...@ad.home@ipa.linux.home
>
> klist
> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
> Default principal: adt...@ad.home
>
> Valid starting       Expires              Service principal
> 06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.h...@linux.home
> 	renew until 06/05/14 11:28:30
> 06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/linux.h...@ad.home
> 	renew until 06/05/14 11:28:30
> 06/04/14 11:28:35  06/04/14 21:35:16
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
Mail got posted before I was finished sorry.

I found one clue to the issue after increasing autofs logging to debug and as I thought it has to do with id-mapping.

From /var/log/messages:

Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map into domain 'linux.home,'

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
Sent: Wednesday, June 04, 2014 12:02 PM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

> Yes Client is default RHEL 7 and both IPA and NFS Server are as well.
>
> server.ad.home = AD Server
> share.linux.home = NFS Server
> ipa.linux.home = IPA Server
> client.linux.home = Client
>
> NFS with automounted krb5p Home Directories work for IPA users.
>
> sssd-1.11.2-65.el7.x86_64
>
> id adt...@ad.home
> uid=497801107(adt...@ad.home) gid=497801107(adt...@ad.home) groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)
>
> getent passwd adt...@ad.home
> adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:
>
> klist after kinit adt...@ad.home
>
> [root@client ~]# klist -e
> Ticket cache: KEYRING:persistent:0:0
> Default principal: adt...@ad.home
>
> Valid starting       Expires              Service principal
> 06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/ad.h...@ad.home
> 	renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> klist after ssh adt...@ad.home@ipa.linux.home
>
> klist
> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
> Default principal: adt...@ad.home
>
> Valid starting       Expires              Service principal
> 06/04/14 11:35:16  06/04/14 21:35:16
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
On Wed, Jun 04, 2014 at 12:24:11PM +, Johan Petersson wrote:
> Mail got posted before I was finished, sorry.
>
> I found one clue to the issue after increasing autofs logging to debug and, as I thought, it has to do with id-mapping. From /var/log/messages:
>
>     Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map into domain 'linux.home,'

Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help? I'll check the nfsidmap code to see how/if it can handle trusted domains.

bye,
Sumit
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
On Wed, 04 Jun 2014, Johan Petersson wrote:
> Mail got posted before I was finished, sorry.
>
> I found one clue to the issue after increasing autofs logging to debug and, as I thought, it has to do with id-mapping. From /var/log/messages:
>
>     Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map into domain 'linux.home,'

Are you sure the message is exactly like this, with a comma after linux.home? The reason I'm asking is because the code that prints the message looks like this:

    localname = strip_domain(name, domain);
    IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': resulting localname '%s'\n",
                  name, domain, localname));
    if (localname == NULL) {
        IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map into domain '%s'\n",
                      name, domain ? domain : "<not-provided>"));
        goto err_free_buf;
    }

Note that it doesn't have a comma anywhere in the string printed.

Can you please increase the log level to 4 so that we can see the first string (nss_getpwnam: name '' domain '...': resulting localname ...)? It would be

    [general]
    Verbosity = 4

in /etc/idmapd.conf.
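A small Python model of the name-to-uid decision the two replies above are discussing, added here as an illustration and not taken from nfs-utils or from any post in the thread: strip_domain() follows the logic of the snippet Alexander quoted, while the Local-Realms loop, the NSS stand-in, the nobody fallback value and every uid other than 497801107 are assumptions, and the sample names are constructed from the thread.

```python
"""
Model of the nfsidmap name-to-id step (added illustration, not nfs-utils code).

strip_domain() mirrors the quoted C snippet: split at the LAST '@' and accept
the name only when the realm after it matches the configured domain
(case-insensitively).  The Local-Realms loop, the NSS stand-in and the nobody
fallback are simplified assumptions.  Names and realms come from the thread.
"""
from typing import Iterable, Optional

NOBODY_UID = 65534  # assumed Nobody-User: what the client shows when a name fails to map

# Constructed stand-in for the NSS/SSSD passwd database on the client.
# SSSD names the trusted-domain user 'adtest@ad.home', so the *local*
# name itself still contains one '@'.
PASSWD_DB = {
    "adtest@ad.home": 497801107,   # AD user via the IPA trust (uid from the thread)
    "johan": 1000,                 # plain IPA user, constructed
}


def strip_domain(name: str, domain: Optional[str]) -> Optional[str]:
    """Return the local part of 'name' if its realm matches 'domain'.

    Because the split is at the last '@', the two-'@' wire form
    'adtest@ad.home@linux.home' keeps 'adtest@ad.home' as the local name.
    None means "does not map into domain", the log line from the thread.
    """
    at = name.rfind("@")
    if at == -1:
        return name if domain is None else None
    realm = name[at + 1:]
    if domain is not None and realm.lower() != domain.lower():
        return None
    return name[:at]


def name_to_uid(name: str, local_realms: Iterable[str]) -> int:
    """Try each configured realm; first NSS hit wins, else fall back to nobody."""
    for realm in local_realms:
        localname = strip_domain(name, realm)
        if localname is None:
            continue  # realm mismatch: "name '...' does not map into domain '...'"
        uid = PASSWD_DB.get(localname)
        if uid is not None:
            return uid
    return NOBODY_UID


def walk_thread_cases() -> dict:
    """Wire names and idmapd.conf realm settings that come up in the thread."""
    wire_name = "adtest@ad.home@linux.home"  # what the NFS server sends for uid 497801107
    return {
        # correctly configured domain: maps to the SSSD user
        "domain=linux.home": name_to_uid(wire_name, ["linux.home"]),
        # a stray comma in the configured domain (Alexander's suspicion):
        # nothing matches, every owner becomes nobody
        "domain=linux.home,": name_to_uid(wire_name, ["linux.home,"]),
        # both realms listed: linux.home still matches first, so this is fine
        "realms=linux.home,ad.home": name_to_uid(wire_name, ["linux.home", "ad.home"]),
        # if only 'adtest@ad.home' arrived on the wire, 'ad.home' would match
        # and strip the AD realm away, leaving 'adtest', which NSS cannot resolve
        "short name, realms=linux.home,ad.home": name_to_uid("adtest@ad.home", ["linux.home", "ad.home"]),
    }


if __name__ == "__main__":
    for case, uid in walk_thread_cases().items():
        tag = "  (nobody)" if uid == NOBODY_UID else ""
        print(f"{case:40s} -> uid {uid}{tag}")
```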
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
Yes, the message is exactly like that with commas, I double checked.

To answer Sumit's question:

> Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help?

I did on all machines and got rid of that specific message but I still get user nobody unfortunately.

Here are logs from when I did a su - adt...@ad.home@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.

Client:

    Jun  4 15:30:13 client su: (to adt...@ad.home) linux on pts/0
    Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adt...@ad.home@linux.home timeout 600
    Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
    Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
    Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
    Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
    Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
    Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

NFS Server:

    Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
    Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
    Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
    Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
    Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 -> name adt...@ad.home@linux.home
    Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
    Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
    Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
    Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
    Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id 112005 -> name ad_us...@linux.home

The group ad_users is an IPA group with external maps from AD Domain users.

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Wednesday, June 04, 2014 3:14 PM
To: Johan Petersson
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

> Are you sure the message is exactly like this, with a comma after linux.home?
[Freeipa-users] IPA+AD trust and NFS nobody issue
Hi,

Environment:
RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
RHEL 7 NFS Server
RHEL 7 Client

I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA. I have created a NFS share /home/adexample.org and use autofs map in IPA. All wbinfo tests work as well as id. I can login fine through SSH and Shell with adt...@adexample.org

The problem is that I can add the AD user as owner of his Home Directory and if I log in to the NFS Server locally or through ssh permissions are correct but when logging in to any other computer I get nobody as owner.

Groups are no problem since AD groups can be mapped to Posix groups. Idmap.conf domain is set to the IPA Domain.

Is there some way to get NFS working with the AD user as owner of his Home Directory?

Thanks for any help.

This e-mail is private and confidential between the sender and the addressee. In the event of misdirection, the recipient is prohibited from using, copying or disseminating it or any information in it. Please notify the above if any misdirection.
Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
On 06/03/2014 09:07 AM, Johan Petersson wrote:
> Hi,
>
> Environment:
> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
> RHEL 7 NFS Server
> RHEL 7 Client
>
> I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA. I have created a NFS share /home/adexample.org and use autofs map in IPA. All wbinfo tests work as well as id. I can login fine through SSH and Shell with adt...@adexample.org
>
> The problem is that I can add the AD user as owner of his Home Directory and if I log in to the NFS Server locally or through ssh permissions are correct but when logging in to any other computer I get nobody as owner.

Are those computers RHEL7 NFS clients with SSSD? Can you describe them in more details please?

> Groups are no problem since AD groups can be mapped to Posix groups. Idmap.conf domain is set to the IPA Domain.
>
> Is there some way to get NFS working with the AD user as owner of his Home Directory?
>
> Thanks for any help.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] IPA / AD Trust
Does IPA support a trust with AD yet? I've seen that this is coming in a future release but I haven't found something that said it has been released.

-Todd
Re: [Freeipa-users] IPA / AD Trust
On 03/14/2014 03:20 PM, Todd Maugh wrote:
> Does IPA support a trust with AD yet? I've seen that this is coming in a future release but I haven't found something that said it has been released.
>
> -Todd

IPA 3.3.x + SSSD 1.11.x

It is released upstream and in Fedora. Will be a part of RHEL7 release.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] ipa AD trust issue
On 02/04/2014 03:28 PM, Steve Dainard wrote:
>> has anyone worked it out. Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?
>>
>> Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client.
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
>
> Step 3 mentions that cifs-utils is required, but:
>
>     yum install cifs-utils
>     Error: samba4-common conflicts with samba-common-3.6.9-167.el6_5.x86_64
>     Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-167.el6_5.x86_64
>     Error: samba4-winbind conflicts with samba-winbind-3.6.9-167.el6_5.x86_64
>      You could try using --skip-broken to work around the problem
>      You could try running: rpm -Va --nofiles --nodigest
>
> Is this no longer a requirement? Can this documentation be updated?
>
> Steve

Can you please file a BZ?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] ipa AD trust issue
https://bugzilla.redhat.com/show_bug.cgi?id=1061897

Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/ | Rethink Traffic

On Wed, Feb 5, 2014 at 12:34 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 02/04/2014 03:28 PM, Steve Dainard wrote:
>> Step 3 mentions that cifs-utils is required, but:
>>
>>     yum install cifs-utils
>>     Error: samba4-common conflicts with samba-common-3.6.9-167.el6_5.x86_64
>>     Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-167.el6_5.x86_64
>>     Error: samba4-winbind conflicts with samba-winbind-3.6.9-167.el6_5.x86_64
>>
>> Is this no longer a requirement? Can this documentation be updated?
>>
>> Steve
>
> Can you please file a BZ?
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
Re: [Freeipa-users] ipa AD trust issue
> has anyone worked it out. Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?
>
> Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

Step 3 mentions that cifs-utils is required, but:

    yum install cifs-utils
    Loaded plugins: product-id, security, subscription-manager
    This system is receiving updates from Red Hat Subscription Management.
    rhel-6-server-cf-tools-1-rpms                | 2.8 kB     00:00
    rhel-6-server-rhev-agent-rpms                | 3.1 kB     00:00
    rhel-6-server-rpms                           | 3.7 kB     00:00
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package cifs-utils.x86_64 0:4.8.1-19.el6 will be installed
    --> Processing Dependency: libwbclient.so.0()(64bit) for package: cifs-utils-4.8.1-19.el6.x86_64
    --> Running transaction check
    ---> Package samba-winbind-clients.x86_64 0:3.6.9-167.el6_5 will be installed
    --> Processing Dependency: samba-winbind = 3.6.9-167.el6_5 for package: samba-winbind-clients-3.6.9-167.el6_5.x86_64
    --> Running transaction check
    ---> Package samba-winbind.x86_64 0:3.6.9-167.el6_5 will be installed
    --> Processing Dependency: samba-common = 3.6.9-167.el6_5 for package: samba-winbind-3.6.9-167.el6_5.x86_64
    --> Running transaction check
    ---> Package samba-common.x86_64 0:3.6.9-167.el6_5 will be installed
    --> Processing Conflict: samba4-common-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-common < 3.9.9
    --> Processing Conflict: samba4-winbind-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind < 3.9.9
    --> Processing Conflict: samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind-clients < 3.9.9
    --> Finished Dependency Resolution
    Error: samba4-common conflicts with samba-common-3.6.9-167.el6_5.x86_64
    Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-167.el6_5.x86_64
    Error: samba4-winbind conflicts with samba-winbind-3.6.9-167.el6_5.x86_64
     You could try using --skip-broken to work around the problem
     You could try running: rpm -Va --nofiles --nodigest

Is this no longer a requirement? Can this documentation be updated?

Steve
[Freeipa-users] Ipa AD trust
Hi List,

I want an update on this bug.
https://bugzilla.samba.org/show_bug.cgi?id=9618

Thanks

Best Regards
Sahibzada .Z. Ahmad
System Administrator
Re: [Freeipa-users] Ipa AD trust
On Fri, Jan 24, 2014 at 04:32:33PM +, Zulkifal Ahmad wrote:
> Hi List,
>
> I want an update on this bug.
> https://bugzilla.samba.org/show_bug.cgi?id=9618

I just re-tested with the python script from the ticket and Samba-4.1.3 and it seems to be fixed.

HTH

bye,
Sumit
Re: [Freeipa-users] ipa AD trust issue
Hi,

In reference to the following thread, I already have an entry for AD server in the /etc/hosts file of ipaserver but the issue still remains. Both my DNS servers are resolving the records from the opposite side. Any other suggestions to remove this error?

    root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
    ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)

Thanks
Zulkifal Ahmad

> On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:
>> Hi List,
>>
>> Just wanted to find out if anyone has setup an ipa-AD trust successfully. According to the instructions in the following link
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
>> everything went well until I hit the point where I had to check the samba configuration, by typing the command
>>
>>     root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
>>     smbclient: command not found
>>
>> and similar for
>>
>>     root@ipaserver# wbinfo --online-status
>>     wbinfo: command not found
>>
>> I am pretty sure that the ipa-trust-install command did install samba4 packages as dependencies, anyways I thought these packages were not necessary and went forward until I got really stuck when I typed the command
>>
>>     root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
>>
>> This gave me a very cruel message
>>
>>     ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)
>>
>> If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168
>
> Yes. The solution is:
>
> If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the ipa trust-add command will fail even if it would be possible to use IPv4. To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will be successful.
>
>> has anyone worked it out. Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?
>
> Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client.
>
> SSSD 1.12 (in works) is going to be capable to work with cifs-utils instead of samba winbind, thus the limitation will be lifted.
>
>> My ipa server
>> server OS: CentOS 6.5
>> ipa server version: 3
>> Active directory: server 2008 R2 Standard
>>
>> Thank you
>>
>> Best Regards
>> Sahibzada .Z. Ahmad
>> System Administrator

Best Regards
Sahibzada .Z. Ahmad
System Administrator
Re: [Freeipa-users] ipa AD trust issue
On Thu, 23 Jan 2014, Zulkifal Ahmad wrote:
> Hi,
>
> In reference to the following thread, I already have an entry for the AD
> server in the /etc/hosts file of ipaserver but the issue still remains.
> Both my DNS servers are resolving the records from the opposite side.
> Any other suggestions to remove this error?
>
> root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
> ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)

Add 'log level = 100' to /usr/share/ipa/smb.conf.empty in [global] section
and try again. You'll get SMB traffic debugging in /var/log/httpd/error_log.

Adding and removing 'log level = 100' to /usr/share/ipa/smb.conf.empty does
not require restarting httpd.

> Thanks
> Zulkifal Ahmad
>
> On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:
>>> Hi List,
>>>
>>> Just wanted to find out if anyone has set up an IPA-AD trust
>>> successfully. According to the instructions in the following link
>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
>>> everything went well until I hit the point where I had to check the
>>> samba configuration, by typing the command
>>>
>>> root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
>>> smbclient: command not found
>>>
>>> and similar for
>>>
>>> root@ipaserver# wbinfo --online-status
>>> wbinfo: command not found
>>>
>>> I am pretty sure that the ipa-trust-install command did install samba4
>>> packages as dependencies; anyways, I thought these packages were not
>>> necessary and went forward until I got really stuck when I typed the
>>> command
>>>
>>> root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
>>>
>>> This gave me a very cruel message
>>>
>>> ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)
>>>
>>> If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168
>>
>> Yes. The solution is:
>>
>> If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6
>> addresses of an AD server. If the FreeIPA server cannot connect to the AD
>> server with an IPv6 address, running the ipa trust-add command will fail
>> even if it would be possible to use IPv4. To work around this problem, add
>> the IPv4 address of the AD server to the /etc/hosts file. In this case,
>> the FreeIPA server will use only the IPv4 address and executing ipa
>> trust-add will be successful.
>>
>>> has anyone worked it out?
>>>
>>> Secondly, cifs-utils has a dependency on samba3 packages and ipa-ad-trust
>>> needs samba4, but samba3 and samba4 don't like each other, so this is
>>> the story of my experience with ipa. Any suggestions?
>>
>> Why do you need cifs-utils on the same server? cifs-utils is to make a
>> system a client to an MSFT file server; AFAIU you can't make the IPA
>> server be a cifs client.
>>
>> SSSD 1.12 (in the works) is going to be capable of working with cifs-utils
>> instead of samba winbind, thus the limitation will be lifted.
>>
>>> My ipa server
>>> server OS: CentOS 6.5
>>> ipa server version: 3
>>> Active directory: server 2008 R2 Standard
>>>
>>> Thank you
>>>
>>> Best Regards
>>> Sahibzada .Z. Ahmad
>>> System Administrator
>
> Best Regards
> Sahibzada .Z. Ahmad
> System Administrator
> cell: 1(678)267-0265 (US)
> cell: 1(647)339-5434 (Canada)

-- 
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
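The /etc/hosts workaround quoted above relies on the hosts file answering for the AD server with its IPv4 address only. The following Python check is an added example, not code from the thread or from FreeIPA: it parses a hosts file and reports whether a given name is pinned to IPv4 only, still carries an IPv6 entry, or is missing (so resolution falls back to DNS). The hosts-file text and the host name ad.adexample.com are constructed for the demonstration.

```python
"""Check whether an AD server name is pinned to an IPv4 address in /etc/hosts.

Added example, not code from the mailing-list thread or from FreeIPA.
The hosts-file text and the name ad.adexample.com are constructed.
"""
import ipaddress
from typing import Dict, List

# Constructed /etc/hosts content: the AD server pinned to IPv4 only,
# which is the workaround described in the thread.
HOSTS_OK = """\
127.0.0.1   localhost
# AD domain controller, pinned to IPv4 for ipa trust-add
192.0.2.10  ad.adexample.com adexample.com
"""

# Constructed /etc/hosts content where an IPv6 entry for the same host is
# also present, so the hosts file still hands out the address the
# workaround was meant to avoid.
HOSTS_STILL_V6 = """\
192.0.2.10      ad.adexample.com
2001:db8::10    ad.adexample.com
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each host name (lower-cased) to the addresses listed for it."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries.setdefault(name.lower(), []).append(addr)
    return entries


def ipv4_pin_status(text: str, hostname: str) -> str:
    """Classify how the hosts file answers for hostname.

    'ipv4-only' : pinned to IPv4 addresses only (the thread's workaround)
    'mixed'     : both IPv4 and IPv6 entries present
    'ipv6-only' : only IPv6 entries present
    'missing'   : no entry, so the resolver falls back to DNS
    """
    addrs = parse_hosts(text).get(hostname.lower(), [])
    versions = {ipaddress.ip_address(a).version for a in addrs}
    if not versions:
        return "missing"
    if versions == {4}:
        return "ipv4-only"
    if versions == {6}:
        return "ipv6-only"
    return "mixed"


if __name__ == "__main__":
    for label, text in (("HOSTS_OK", HOSTS_OK), ("HOSTS_STILL_V6", HOSTS_STILL_V6)):
        print(label, "->", ipv4_pin_status(text, "ad.adexample.com"))
```

To run it against a real server, read the file with `open("/etc/hosts").read()` and pass the AD server's name as it appears in the trust-add command; a result other than `ipv4-only` means the workaround is not in effect for that name.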
Re: [Freeipa-users] ipa AD trust issue
Hi List,

Just wanted to find out if anyone has set up an IPA-AD trust successfully.
According to the instructions in the following link
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
everything went well until I hit the point where I had to check the samba
configuration, by typing the command

root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
smbclient: command not found

and similar for

root@ipaserver# wbinfo --online-status
wbinfo: command not found

I am pretty sure that the ipa-trust-install command did install samba4
packages as dependencies; anyways, I thought these packages were not
necessary and went forward until I got really stuck when I typed the
command

root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password

This gave me a very cruel message

ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)

If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168 has
anyone worked it out?

Secondly, cifs-utils has a dependency on samba3 packages and ipa-ad-trust
needs samba4, but samba3 and samba4 don't like each other, so this is the
story of my experience with ipa. Any suggestions?

My ipa server
server OS: CentOS 6.5
ipa server version: 3
Active directory: server 2008 R2 Standard

Thank you

Best Regards
Sahibzada .Z. Ahmad
System Administrator
Re: [Freeipa-users] ipa AD trust issue
> On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:
>> Hi List,
>>
>> Just wanted to find out if anyone has set up an IPA-AD trust
>> successfully. According to the instructions in the following link
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
>> everything went well until I hit the point where I had to check the
>> samba configuration, by typing the command
>>
>> root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
>> smbclient: command not found
>>
>> and similar for
>>
>> root@ipaserver# wbinfo --online-status
>> wbinfo: command not found
>>
>> I am pretty sure that the ipa-trust-install command did install samba4
>> packages as dependencies; anyways, I thought these packages were not
>> necessary and went forward until I got really stuck when I typed the
>> command
>>
>> root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
>>
>> This gave me a very cruel message
>>
>> ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)
>>
>> If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168
>
> Yes. The solution is:
>
> If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6
> addresses of an AD server. If the FreeIPA server cannot connect to the AD
> server with an IPv6 address, running the ipa trust-add command will fail
> even if it would be possible to use IPv4. To work around this problem, add
> the IPv4 address of the AD server to the /etc/hosts file. In this case,
> the FreeIPA server will use only the IPv4 address and executing ipa
> trust-add will be successful.
>
>> has anyone worked it out?
>>
>> Secondly, cifs-utils has a dependency on samba3 packages and ipa-ad-trust
>> needs samba4, but samba3 and samba4 don't like each other, so this is
>> the story of my experience with ipa. Any suggestions?
>
> Why do you need cifs-utils on the same server? cifs-utils is to make a
> system a client to an MSFT file server; AFAIU you can't make the IPA
> server be a cifs client.
>
> SSSD 1.12 (in the works) is going to be capable of working with cifs-utils
> instead of samba winbind, thus the limitation will be lifted.
>
>> My ipa server
>> server OS: CentOS 6.5
>> ipa server version: 3
>> Active directory: server 2008 R2 Standard
>>
>> Thank you
>>
>> Best Regards
>> Sahibzada .Z. Ahmad
>> System Administrator

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] IPA AD Trust issue
Dear Alexander,

If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will
all user accounts in Windows AD 'copy' to IPA AD, and can my IPA client
logon with the Windows AD username only? (only use 'userA' to login
directly, not 'userA@win_ad.com').

Or after replication, can I use an IPA account to logon to a Windows Client
PC only with the ipa username? (only use 'userB' to logon, rather than
'userB@ipa_ad.com').

Thank you very much
Kevin Tang

From: Alexander Bokovoy aboko...@redhat.com
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date: 09/11/2013 12:52 PM
Subject: Re: [Freeipa-users] IPA AD Trust issue

> On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
>> Dear all,
>>
>> I am new to IPA and have some questions about set up. I already set up an
>> IPA server (CentOS 6.4 64bit), IPA client (CentOS 6.4 64bit), and Windows
>> AD (Windows 2008 R2 Standard 64bit). IPA Server and Windows AD already
>> have a 2-way trust. Windows AD users can logon under the IPA client PC.
>> I have 3 questions about further setup.
>>
>> 1) IPA Client Login issue.
>> In IPA client, if Windows AD users want to login, they need to type the
>> full name such as 'userA@win_ad.com'. How do I let Windows AD users logon
>> only with their username? That means only use 'userA' to logon to the IPA
>> Client PC rather than 'userA@win_ad.com'?
>
> Not supported. There could be some obscure SSSD setting to allow one SSSD
> domain (as in /etc/sss/sssd.conf) be default but since trusted AD domains
> are represented as subdomains of a single IPA provider, full UPN is used to
> distinguish and discover which subdomain they belong to for performance
> reasons.
>
>> 2) Windows Login issue.
>> I want to logon under a Windows AD Client PC (Client PC's OS is Windows
>> 7). Since this Windows PC already joined the win_ad domain, it allows
>> Windows AD domain users to logon. But when I try to logon as an IPA user,
>> for example, logon as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always
>> shows 'There are currently no logon servers available to service the
>> logon request.' and does not allow the IPA user to logon. What do I do
>> now? Do I need to modify the Windows AD setting, or the Windows client PC
>> setting?
>
> We do not support this mode yet, it requires implementation of Global
> Catalog service on IPA side which is not done yet. Plans for doing that
> are in Fedora 20-21 time frame.
>
>> 3) Windows Login issue.
>> Can I login under a Windows AD Client PC with the IPA username only (not
>> including the IPA domain)? That is, only use 'userB' as username to login?
>
> No. Only users from the domain the Windows PC is joined to can be logged
> in without an explicit domain name. Since the IPA domain belongs to a
> separate forest, you cannot log in without an explicit domain prefix.
> Please note, even that will only be possible when we implement Global
> Catalog service on IPA side.
>
> -- 
> / Alexander Bokovoy
Re: [Freeipa-users] IPA AD Trust issue
On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
> Dear Alexander,
>
> If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will
> all user accounts in Windows AD 'copy' to IPA AD, and can my IPA client
> logon with the Windows AD username only? (only use 'userA' to login
> directly, not 'userA@win_ad.com').

If you are using ipa-replica-prepare against Windows AD, you are using
winsync/passsync, which is copying user entries from AD to IPA. In this case
AD users become IPA users. It is not a trust per se, only a synchronization.
In particular, users will not be able to use their AD Kerberos credentials
at all. But yes, in the winsync case these users will be able to login with
just a user name.

> Or after replication, can I use an IPA account to logon to a Windows Client
> PC only with the ipa username? (only use 'userB' to logon, rather than
> 'userB@ipa_ad.com').

No, synchronization is from AD to IPA, not the other way around. A change in
IPA for the account which was synchronized from AD will be propagated back
to AD but IPA users will not be copied to AD.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] IPA AD Trust issue
>> 1) IPA Client Login issue.
>> In IPA client, if Windows AD users want to login, they need to type the
>> full name such as 'userA@win_ad.com'. How do I let Windows AD users logon
>> only with their username? That means only use 'userA' to logon to the IPA
>> Client PC rather than 'userA@win_ad.com'?
>
> Not supported. There could be some obscure SSSD setting to allow one SSSD
> domain (as in /etc/sss/sssd.conf) be default but since trusted AD domains
> are represented as subdomains of a single IPA provider, full UPN is used to
> distinguish and discover which subdomain they belong to for performance
> reasons.

Actually you can use default_domain_suffix in the [sssd] section. But then
you need to fully-qualify the users from the IPA domain.

    default_domain_suffix (string)
        This string will be used as a default domain name for all names
        without a domain name component. The main use case is environments
        where the primary domain is intended for managing host policies and
        all users are located in a trusted domain. The option allows those
        users to log in just with their user name without giving a domain
        name as well.

        Please note that if this option is set all users from the primary
        domain have to use their fully qualified name, e.g.
        u...@domain.name, to log in.

        Default: not set
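To make the default_domain_suffix caveat above concrete, here is a small Python model of how a login name is split into user and domain with and without the option set. This is an added example, not SSSD code: the sssd.conf text is constructed, the domain names win_ad.com and ipa_ad.com are the ones used in this thread, and only the user@domain form of a fully qualified name is modelled. The last two assertions in the usage block show the caveat: once the suffix is set, a bare 'userB' is looked up in the AD domain, so the IPA user must log in as 'userB@ipa_ad.com'.

```python
"""Model of how SSSD's default_domain_suffix changes login-name resolution.

Added example, not code from SSSD or FreeIPA.  The sssd.conf text below is
constructed; win_ad.com is the trusted AD domain and ipa_ad.com the IPA
(primary) domain, as in the thread.
"""
import configparser
from typing import List, Optional, Tuple

# Constructed sssd.conf: the IPA domain is the primary domain, and AD users
# from win_ad.com should be able to log in with a bare user name.
SSSD_CONF = """
[sssd]
services = nss, pam
domains = ipa_ad.com
default_domain_suffix = win_ad.com

[domain/ipa_ad.com]
id_provider = ipa
"""


def load_sssd_section(conf_text: str) -> Tuple[List[str], Optional[str]]:
    """Return (configured domains, default_domain_suffix or None)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    suffix = cp.get("sssd", "default_domain_suffix", fallback=None)
    return domains, suffix


def resolve_login_name(login: str, default_domain_suffix: Optional[str],
                       primary_domain: str) -> Tuple[str, str]:
    """Split a login name into (user, domain) the way the option describes.

    A fully qualified user@domain name keeps its own domain.  A bare name is
    sent to default_domain_suffix when that is set, otherwise to the primary
    domain.  Domains are lower-cased because they are matched case-insensitively.
    """
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user, domain.lower()
    if default_domain_suffix:
        return login, default_domain_suffix.lower()
    return login, primary_domain.lower()


if __name__ == "__main__":
    domains, suffix = load_sssd_section(SSSD_CONF)
    primary = domains[0]
    # AD user: bare name now lands in the trusted domain.
    assert resolve_login_name("userA", suffix, primary) == ("userA", "win_ad.com")
    # IPA user: a bare name is sent to the AD domain too (the caveat) ...
    assert resolve_login_name("userB", suffix, primary) == ("userB", "win_ad.com")
    # ... so IPA users must fully qualify their name once the suffix is set.
    assert resolve_login_name("userB@ipa_ad.com", suffix, primary) == ("userB", "ipa_ad.com")
    print("default_domain_suffix =", suffix, "- bare names go to", suffix)
```

Without the option (pass `None` as the suffix) a bare name resolves to the primary domain, which is the behaviour the earlier answer in this thread describes.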
Re: [Freeipa-users] IPA AD Trust issue
Dear Alexander,

Understand, thank you very much.

Kevin.

From: Alexander Bokovoy aboko...@redhat.com
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date: 09/11/2013 02:52 PM
Subject: Re: [Freeipa-users] IPA AD Trust issue

> On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
>> Dear Alexander,
>>
>> If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD,
>> will all user accounts in Windows AD 'copy' to IPA AD, and can my IPA
>> client logon with the Windows AD username only? (only use 'userA' to
>> login directly, not 'userA@win_ad.com').
>
> If you are using ipa-replica-prepare against Windows AD, you are using
> winsync/passsync, which is copying user entries from AD to IPA. In this
> case AD users become IPA users. It is not a trust per se, only a
> synchronization. In particular, users will not be able to use their AD
> Kerberos credentials at all. But yes, in the winsync case these users will
> be able to login with just a user name.
>
>> Or after replication, can I use an IPA account to logon to a Windows
>> Client PC only with the ipa username? (only use 'userB' to logon, rather
>> than 'userB@ipa_ad.com').
>
> No, synchronization is from AD to IPA, not the other way around. A change
> in IPA for the account which was synchronized from AD will be propagated
> back to AD but IPA users will not be copied to AD.
>
> -- 
> / Alexander Bokovoy
[Freeipa-users] IPA AD Trust issue
Dear all,

I am new to IPA and have some questions about set up. I already set up an
IPA server (CentOS 6.4 64bit), IPA client (CentOS 6.4 64bit), and Windows AD
(Windows 2008 R2 Standard 64bit). IPA Server and Windows AD already have a
2-way trust. Windows AD users can logon under the IPA client PC. I have 3
questions about further setup.

1) IPA Client Login issue.
In IPA client, if Windows AD users want to login, they need to type the full
name such as 'userA@win_ad.com'. How do I let Windows AD users logon only
with their username? That means only use 'userA' to logon to the IPA Client
PC rather than 'userA@win_ad.com'?

2) Windows Login issue.
I want to logon under a Windows AD Client PC (Client PC's OS is Windows 7).
Since this Windows PC already joined the win_ad domain, it allows Windows AD
domain users to logon. But when I try to logon as an IPA user, for example,
logon as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always shows 'There
are currently no logon servers available to service the logon request.' and
does not allow the IPA user to logon. What do I do now? Do I need to modify
the Windows AD setting, or the Windows client PC setting?

3) Windows Login issue.
Can I login under a Windows AD Client PC with the IPA username only (not
including the IPA domain)? That is, only use 'userB' as username to login?

Thanks all
Kevin Tang
Re: [Freeipa-users] IPA AD Trust issue
On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
> Dear all,
>
> I am new to IPA and have some questions about set up. I already set up an
> IPA server (CentOS 6.4 64bit), IPA client (CentOS 6.4 64bit), and Windows
> AD (Windows 2008 R2 Standard 64bit). IPA Server and Windows AD already
> have a 2-way trust. Windows AD users can logon under the IPA client PC.
> I have 3 questions about further setup.
>
> 1) IPA Client Login issue.
> In IPA client, if Windows AD users want to login, they need to type the
> full name such as 'userA@win_ad.com'. How do I let Windows AD users logon
> only with their username? That means only use 'userA' to logon to the IPA
> Client PC rather than 'userA@win_ad.com'?

Not supported. There could be some obscure SSSD setting to allow one SSSD
domain (as in /etc/sss/sssd.conf) be default but since trusted AD domains
are represented as subdomains of a single IPA provider, full UPN is used to
distinguish and discover which subdomain they belong to for performance
reasons.

> 2) Windows Login issue.
> I want to logon under a Windows AD Client PC (Client PC's OS is Windows
> 7). Since this Windows PC already joined the win_ad domain, it allows
> Windows AD domain users to logon. But when I try to logon as an IPA user,
> for example, logon as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always
> shows 'There are currently no logon servers available to service the
> logon request.' and does not allow the IPA user to logon. What do I do
> now? Do I need to modify the Windows AD setting, or the Windows client PC
> setting?

We do not support this mode yet, it requires implementation of Global
Catalog service on IPA side which is not done yet. Plans for doing that are
in Fedora 20-21 time frame.

> 3) Windows Login issue.
> Can I login under a Windows AD Client PC with the IPA username only (not
> including the IPA domain)? That is, only use 'userB' as username to login?

No. Only users from the domain the Windows PC is joined to can be logged in
without an explicit domain name. Since the IPA domain belongs to a separate
forest, you cannot log in without an explicit domain prefix.

Please note, even that will only be possible when we implement Global
Catalog service on IPA side.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] IPA AD trust question
On 05/31/2013 09:37 AM, Sumit Bose wrote:
> On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote:
>> Hi List,
>>
>> I have a question - is it possible to use AD trust the way that:
>> 1. All users are stored in AD
>> 2. All Unix specific information (automount maps, sudo rules, HBAC rules)
>>    are stored in IPA?
>
> Yes, sudo and HBAC for sure, I haven't tested automount maps but so far I
> can see no issues.
>
>> If yes then:
>> 1. Will this scenario honour the RFC2307 user attributes in AD?
>
> We are trying to support RFC2307 attributes in AD with the next releases
> for SSSD and FreeIPA. Currently only algorithmic ID mapping based on the
> AD user's RID is available.

Ondreji, this is by the way the upstream ticket under which this feature is
being implemented (in case you want to follow it):
https://fedorahosted.org/freeipa/ticket/2904

There are other tickets targeted on AD cooperation in FreeIPA 3.3 release
(https://fedorahosted.org/freeipa/report/3), you may also want to check
that they address your needs (and provide comments if they don't). We are
still in a design phase, so some amendments are possible.

Thanks,
Martin