[Freeipa-users] Fwd: nfsnobody with ubuntu 14.04 in trusted relationship with AD
Hello,

Did you receive my last post? Maybe I've missed something because I can't see my post on the forum.

-- Forwarded message --
From: Domineaux Philippe <pdomine...@gmail.com>
Date: 2016-02-10 18:03 GMT+01:00
Subject: [Freeipa-users] nfsnobody with ubuntu 14.04 in trusted relationship with AD
To: freeipa-users@redhat.com
[Freeipa-users] nfsnobody with ubuntu 14.04 in trusted relationship with AD
Hello all,

I have several virtual machines (on VirtualBox) running freeipa-client and freeipa-server in a trust domain relationship with an Active Directory (AD) also on a virtual machine. Here are the details of the machines:

### Freeipa-server :
- CentOS 7.2
- ipa-server-install 4.2.0

### client1 :
- CentOS 7.2
- ipa-client-install 4.2.0

### Nfs-server :
- CentOS 7.2
- ipa-client-install 4.2.0

### Client2 :
- Ubuntu 14.04 (trusty)
- ipa-client-install 3.3.4 (also tried the unofficial 4.0.x backport: https://launchpad.net/~freeipa/+archive/ubuntu/4.0)

Everything works fine except for the Ubuntu client and the NFS mount:
- I can mount the share using the "-o sec=krb5" option but the owner of the folders is nobody. It seems just a display error because the permissions on the files are good: user1 cannot write on the folder of user2 and vice versa.

If I mount without kinit I get this (syslog on the Ubuntu client):

Feb 10 17:09:38 client2 rpc.idmapd[417]: New client: 0
Feb 10 17:09:38 client2 kernel: [ 2709.796390] NFS: Registering the id_resolver key type
Feb 10 17:09:38 client2 kernel: [ 2709.796399] Key type id_resolver registered
Feb 10 17:09:38 client2 kernel: [ 2709.796399] Key type id_legacy registered
Feb 10 17:09:38 client2 rpc.idmapd[417]: Opened /run/rpc_pipefs/nfs/clnt0/idmap
Feb 10 17:09:38 client2 rpc.idmapd[417]: New client: 1
Feb 10 17:09:38 client2 nfsidmap[2714]: key: 0x261c251d type: uid value: root@ipa.local timeout 600
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Feb 10 17:09:38 client2 nfsidmap[2714]: nss_getpwnam: name 'root@ipa.local' domain 'ipa.local': resulting localname 'root'
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: final return value is 0
Feb 10 17:09:38 client2 nfsidmap[2716]: key: 0x314352bb type: gid value: root@ipa.local timeout 600
Feb 10 17:09:38 client2 nfsidmap[2716]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 10 17:09:38 client2 nfsidmap[2716]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Feb 10 17:09:38 client2 nfsidmap[2716]: nfs4_name_to_gid: final return value is 0
Feb 10 17:09:55 client2 nfsidmap[2722]: key: 0x29600d2b type: uid value: adipa@domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name 'adipa@domino.local@ipa.local' domain 'ipa.local': resulting localname '(null)'
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name 'adipa@domino.local@ipa.local' does not map into domain 'ipa.local'
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return value is -22
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name 'nobody@ipa.local' domain 'ipa.local': resulting localname 'nobody'
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return value is 0
Feb 10 17:09:55 client2 nfsidmap[2724]: key: 0x398852c2 type: gid value: posix_users@domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: final return value is -22
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 10 17:09:56 client2 nfsidmap[2724]: nfs4_name_to_gid: nsswitch->name_to_gid returned -2
Feb 10 17:09:56 client2 nfsidmap[2724]: nfs4_name_to_gid: final return value is -2

But if I mount with, let's say, kinit admin, there are no logs in the syslog file of the Ubuntu client.

Another thing is, when mounting on both clients (Ubuntu and CentOS), the NFS server outputs:

"nfsserver gssproxy: gssproxy[659]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found"

But it works for the CentOS and not for the Ubuntu.

### NFS server logs for client 2 (Ubuntu) :

Feb 10 17:30:01 nfsserver systemd: Created slice user-0.slice.
Feb 10 17:30:01 nfsserver systemd: Starting user-0.slice.
Feb 10 17:30:01 nfsserver systemd: Started Session 14 of user root.
Feb 10 17:30:01 nfsserver systemd: Starting Session 14 of user root.
Feb 10 17:30:01 nfsserver systemd: Removed slice user-0.slice.
Feb 10 17:30:01 nfsserver systemd: Stopping user-0.slice.
Feb 10 17:30:21 nfsserver rpc.gssd[756]: Closing 'gssd' pipe for /var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt5
Feb 10 17:30:21 nfsserver rpc.gssd[756]: destroying client /var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt5
Feb 10 17:30:21 nfsserver rpc.gssd[756]: handling gssd upcall
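The syslog above is the whole story of the "owner is nobody" symptom: the NFSv4 client receives owner strings like adipa@domino.local@ipa.local (an AD user, fully qualified, then suffixed with the IPA domain), the nss idmap method reports that the name "does not map into domain 'ipa.local'", the upcall returns -22 (EINVAL), and the client retries with nobody@ipa.local, which is what ls then shows. The following script is an added example, not the poster's code and not libnfsidmap's: it pairs each nfsidmap upcall with its first result so the unmapped names stand out, and models the domain-stripping step for multi-@ names under two assumptions (split on the first '@', which reproduces the '(null)' in the log, or on the last '@', which would hand 'adipa@domino.local' to getpwnam). Which split the installed libnfsidmap performs is an assumption to check against the version on the client. The sample log is a condensed copy of the lines quoted above.

```python
"""Triage helper for NFSv4 idmap name-resolution failures (added example).

Not code from the thread or from libnfsidmap.  Parses nfsidmap upcall lines
from syslog and models the nss method's domain stripping for names of the
form 'user@ad.realm@ipa.domain'.
"""
import re

# Constructed sample: a condensed copy of the client2 syslog shown in the post.
SAMPLE_LOG = """\
Feb 10 17:09:38 client2 nfsidmap[2714]: key: 0x261c251d type: uid value: root@ipa.local timeout 600
Feb 10 17:09:38 client2 nfsidmap[2714]: nss_getpwnam: name 'root@ipa.local' domain 'ipa.local': resulting localname 'root'
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: final return value is 0
Feb 10 17:09:55 client2 nfsidmap[2722]: key: 0x29600d2b type: uid value: adipa@domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name 'adipa@domino.local@ipa.local' does not map into domain 'ipa.local'
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return value is -22
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name 'nobody@ipa.local' domain 'ipa.local': resulting localname 'nobody'
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return value is 0
Feb 10 17:09:55 client2 nfsidmap[2724]: key: 0x398852c2 type: gid value: posix_users@domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: final return value is -22
Feb 10 17:09:56 client2 nfsidmap[2724]: nfs4_name_to_gid: final return value is -2
"""

# One 'key:' line opens a kernel upcall; 'final return value' closes it.
KEY_RE = re.compile(
    r"nfsidmap\[(?P<pid>\d+)\]: key: (?P<key>0x[0-9a-f]+) type: (?P<type>uid|gid) value: (?P<value>\S+)")
RC_RE = re.compile(
    r"nfsidmap\[(?P<pid>\d+)\]: nfs4_name_to_(?:uid|gid): final return value is (?P<rc>-?\d+)")


def parse_upcalls(log_text):
    """Return one dict per upcall: type, value and the FIRST return value.

    After a failure the client retries the same upcall with 'nobody@<domain>',
    which succeeds; only the first 'final return value' after a 'key:' line
    says whether the original name mapped.  -22 is EINVAL, -2 is ENOENT.
    """
    upcalls = []
    open_by_pid = {}
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            rec = {"type": m["type"], "value": m["value"], "rc": None}
            upcalls.append(rec)
            open_by_pid[m["pid"]] = rec
            continue
        m = RC_RE.search(line)
        if m and m["pid"] in open_by_pid:
            open_by_pid.pop(m["pid"])["rc"] = int(m["rc"])
    return upcalls


def unmapped_names(log_text):
    """(type, name, rc) for every upcall whose first attempt failed."""
    return [(u["type"], u["value"], u["rc"])
            for u in parse_upcalls(log_text) if u["rc"] not in (0, None)]


def strip_domain(name, domain, split_on_last_at):
    """Model (assumption, not library code) of the nss method's domain strip.

    Returns the local name to hand to getpwnam()/getgrnam(), or None when
    the part after the chosen '@' is not `domain`; None is the case the log
    reports as "does not map into domain", after which the client falls
    back to 'nobody'.
    """
    at = name.rfind("@") if split_on_last_at else name.find("@")
    if at <= 0:
        return None
    local, dom = name[:at], name[at + 1:]
    return local if dom.lower() == domain.lower() else None


if __name__ == "__main__":
    for kind, name, rc in unmapped_names(SAMPLE_LOG):
        print("unmapped %s %r (rc=%d)" % (kind, name, rc))
    for last in (False, True):
        print("split on %s '@':" % ("last" if last else "first"),
              strip_domain("adipa@domino.local@ipa.local", "ipa.local", last))
```

Run against a real client log (journalctl or /var/log/syslog piped in) the first loop lists exactly the AD names the client cannot resolve. The second loop shows why the outcome depends on the client's libnfsidmap: with the first-'@' split the AD user is rejected and displayed as nobody; with the last-'@' split the lookup reaches getpwnam with the fully qualified name SSSD knows. Either way this only affects the names shown in listings: with sec=krb5 the server decides access from the authenticated principal, which is why the poster sees correct permissions despite the wrong owner.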
[Freeipa-users] Fwd: NetworkError : invalid continuation byte with utf8 codec
Hello,

Happy new year. So the content of my /etc/locale.conf:

LANG="fr_FR.UTF-8"

-- Forwarded message --
From: Fraser Tweedale
Date: 2015-12-23 5:11 GMT+01:00
Subject: Re: [Freeipa-users] NetworkError : invalid continuation byte with utf8 codec
To: Gmail
Cc: freeipa-users@redhat.com

On Tue, Dec 22, 2015 at 08:39:09AM +0100, Gmail wrote:
> Here are the files you ask for:
>
Thank you. I see Tomcat is running in an fr_FR locale. Could you also provide contents of `/etc/locale.conf'?

Cheers,
Fraser

>
>
> Le 22 décembre 2015 à 02:30:06, Fraser Tweedale (ftwee...@redhat.com) a écrit:
>
> > On Mon, Dec 21, 2015 at 05:29:01PM +0100, Gmail wrote:
> > Hi all,
> >
> > When trying to install on a fresh new Centos 7 I’ve got this error :
> >
> > 2015-12-21T16:04:44Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't decode byte 0xea in position 13: invalid continuation byte
> > 2015-12-21T16:04:44Z ERROR cannot connect to 'https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't decode byte 0xea in position 13: invalid continuation byte
> >
> > My freeipa-server version is : 4.2.0
> > I’m running a Centos 3.10.0-327.3.1.el7.x86_64
> >
> > Any idea of what goes wrong?
> >
> Thanks for reporting. I have not seen this error before. Could you
> please include the following log files and I will take a closer
> look:
>
> /var/log/ipaserver-install.log
> /var/log/pki/pki-tomcat/ca/debug
>
> Cheers,
> Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Active Directory Integration and limitations
Thank you for your answer but ...

2015-11-23 16:36 GMT+01:00 Simo Sorce <s...@redhat.com>:
> On Wed, 2015-11-18 at 11:46 +0100, Domineaux Philippe wrote:
> > Here is my environment :
> >
> > 1 Windows Domain
> > Windows workstations
> > Windows servers
> > Multiple linux domains
> > Linux workstations
> > Linux servers
> >
> > Here is my goal :
> >
> > All users are centralized in the Active Directory.
> > Users will authenticate on linux workstations with their AD accounts (
> > using POSIX attributes).
> > Linux workstations must have access to NFS shares on Linux servers.
>
> Hi Domineaux,
> you should look into setting up FreeIPA with a trust relationship to the
> Windows Domain.
>
> That's already the case, I use the Trust relationship with POSIX attributes.
>
> What are the limitations ?
>
> It is hard to say what kind of limitations you are interested into, when
> we trust AD, then AD users can access Linux machines, one limitation (if
> you think it is a limitation) is that AD users will have fully qualified
> names on the host (example: u...@ad.example.com) and not just flat names
> to avoid name clashes between ipa users, local users and AD users.
>
> I'm ok with the use of fully qualified names, I use it to log in to my workstations.
>
> Windows users equals ipa users in term of services ?
>
> Yes.
>
> > Do I have to configure kerberos to also join directly the Windows
> Kerberos
> > Realm,
> > or will IPA do the job to ask Windows server ?
>
> If you set up a trust between servers all is taken care of for you wrt
> clients.
> >
> > in etc/krb5.conf :
> >
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> >
> > [libdefaults]
> > default_realm = IPA.ORG
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > rdns = false
> > ticket_lifetime = 24h
> > forwardable = yes
> > udp_preference_limit = 0
> > default_ccache_name = KEYRING:persistent:%{uid}
> > canonicalize = yes
> > allow_weak_crypto = true
> >
> > [realms]
> > IPA.ORG = {
> > pkinit_anchors = FILE:/etc/ipa/ca.crt
> > auth_to_local = RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/
> > auth_to_local = DEFAULT
> >
> > }
> >
> > ### IS THIS NECESSARY
> > WINDOMAIN.LOCAL = {
> > kdc = srvadipa.windomain.local
> > admin_server = srvadipa.windomain.local
> > }
> >
> >
> > [domain_realm]
> > .ipa.org = IPA.ORG
> > ipa.org = IPA.ORG
> >
> > ### IS THIS NECESSARY
> >
> > .windomain.local = WINDOMAIN.LOCAL
> > windomain.local = WINDOMAIN.LOCAL
>
> It depends on what client you are using, older RHEL may need this, newer
> ones have an include directory in krb5.conf and sssd generates
> appropriate configuration automatically based on server configuration.
>
> > Is the bug in libnfsidmap still active and prevents Windows users to
> access
> > to NFS4 krb5 secured shared folder ?
>
> I am not sure what bug you refer to. You may need to configure nfs
> client nfs idmap, but I am not aware of bugs that will prevent it from
> working right if properly configured.
>
> The bug specified below returns me this on the NFS server (part of the ipa domain) :

Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=user
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: Server : (user) id "65081" -> name "test...@ipa.org"
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=group
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: Server : (group) id "65081" -> name "test...@ipa.org"
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=user
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: Server : (user) id "65534" -> name "nfsnob...@ipa.org"
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=group
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: Server : (group) id "65534" -> name "nfsnob...@ipa.org"
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=user
Nov 17 15:12:33 centos-nfs rpc.idmapd[6237]: nfsdcb: authbuf=gss/krb5 authtype=user
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: Server : (user) id "10002" -> name "adipa@windomain.lo...@ipa.org"
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=group
Nov 17 15:12:33 centos-nfs rpc.idmapd[6237]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Nov 17 15:
[Freeipa-users] Active Directory Integration and limitations
Here is my environment :

1 Windows Domain
Windows workstations
Windows servers
Multiple linux domains
Linux workstations
Linux servers

Here is my goal :

All users are centralized in the Active Directory.
Users will authenticate on linux workstations with their AD accounts (using POSIX attributes).
Linux workstations must have access to NFS shares on Linux servers.

What are the limitations ?
Windows users equals ipa users in terms of services ?
Do I have to configure kerberos to also join directly the Windows Kerberos Realm, or will IPA do the job to ask Windows server ?

in etc/krb5.conf :

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = IPA.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
canonicalize = yes
allow_weak_crypto = true

[realms]
IPA.ORG = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/
  auth_to_local = DEFAULT
}

### IS THIS NECESSARY
WINDOMAIN.LOCAL = {
  kdc = srvadipa.windomain.local
  admin_server = srvadipa.windomain.local
}

[domain_realm]
.cosmo.org = COSMO.ORG
cosmo.org = COSMO.ORG

### IS THIS NECESSARY
.windomain.local = WINDOMAIN.LOCAL
windomain.local = WINDOMAIN.LOCAL

Is the bug in libnfsidmap still active and prevents Windows users to access to NFS4 krb5 secured shared folder ?
I currently have the bug here: https://www.redhat.com/archives/freeipa-users/2014-June/msg00163.html
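The two auth_to_local entries in the [realms] stanza above decide what local user name a Kerberos principal becomes on the host, and the posted RULE is the step that turns an AD principal into the fully qualified 'user@windomain.local' form that SSSD resolves under a trust. The script below is an added example, not code from this thread, from MIT krb5 or from SSSD: it models how krb5 evaluates a list of auth_to_local entries, first matching entry wins. Assumptions: the rule is the one posted (joined back onto one line where the mail client wrapped it after '$1@'), the selector and s/// patterns are evaluated with Python's re instead of the POSIX regexes the real library uses, and DEFAULT maps only single-component principals in the default realm. The sample principals are constructed.

```python
"""Model of MIT Kerberos auth_to_local RULE / DEFAULT evaluation (added example).

Not code from the thread, krb5 or SSSD.  A RULE entry has the shape
    RULE:[n:string](selector)s/pattern/replacement/g
where n is the number of principal components the rule applies to, string
is built from $0 (realm) and $1..$n (components), the optional (selector)
must match that string, and each s/// rewrites it.  DEFAULT keeps the
single component of a principal in the default realm.
"""
import re

# The rule from the krb5.conf posted above, joined onto one line (assumption:
# the '$1@ $0' split in the mail is a wrap, not two tokens).
RULE = "RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/"
DEFAULT_REALM = "IPA.ORG"
AUTH_TO_LOCAL = [RULE, "DEFAULT"]


def parse_rule(rule):
    """Split a RULE: entry into (n, format, selector, [(pattern, repl, global)])."""
    head = "RULE:["
    if not rule.startswith(head):
        raise ValueError("not a RULE entry: %r" % rule)
    close = rule.index("]", len(head))
    n_str, fmt = rule[len(head):close].split(":", 1)
    rest = rule[close + 1:]
    selector = None
    if rest.startswith("("):
        depth, end = 0, 0
        for end, ch in enumerate(rest):          # find the matching ')'
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    break
        selector = rest[1:end]
        rest = rest[end + 1:]
    subs = []
    while rest.startswith("s/"):
        pattern, repl, rest = rest[2:].split("/", 2)
        is_global = rest.startswith("g")
        if is_global:
            rest = rest[1:]
        subs.append((pattern, repl, is_global))
    if rest:
        raise ValueError("trailing text in rule: %r" % rest)
    return int(n_str), fmt, selector, subs


def apply_rule(rule, principal):
    """Local name produced by one RULE entry, or None if it does not apply."""
    n, fmt, selector, subs = parse_rule(rule)
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if len(comps) != n:                          # wrong component count: skip
        return None

    def expand(m):                               # $0 -> realm, $i -> component i
        i = int(m.group(1))
        if i == 0:
            return realm
        return comps[i - 1]
    s = re.sub(r"\$(\d+)", expand, fmt)
    if selector is not None and not re.search(selector, s):
        return None
    for pattern, repl, is_global in subs:
        s = re.sub(pattern, repl, s, count=0 if is_global else 1)
    return s


def apply_default(principal, default_realm):
    """DEFAULT: one-component principal in the default realm keeps its name."""
    name, realm = principal.rsplit("@", 1)
    return name if realm == default_realm and "/" not in name else None


def auth_to_local(principal, entries=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """First entry that yields a name wins; None means no local mapping."""
    for entry in entries:
        out = (apply_default(principal, default_realm) if entry == "DEFAULT"
               else apply_rule(entry, principal))
        if out is not None:
            return out
    return None


if __name__ == "__main__":
    # Constructed sample principals.
    for p in ("adipa@WINDOMAIN.LOCAL", "admin@IPA.ORG",
              "host/srvadipa.windomain.local@WINDOMAIN.LOCAL", "admin@OTHER.EXAMPLE"):
        print("%-48s -> %r" % (p, auth_to_local(p)))
```

The output makes the design intent of the posted rule visible: an AD user keeps a realm-qualified name (adipa@windomain.local) while an IPA user in the default realm maps to a flat name through DEFAULT, and anything else gets no mapping at all. A rule that instead stripped the AD realm (mapping adipa@WINDOMAIN.LOCAL to plain adipa) would let an AD account be confused with a local or IPA account of the same name, which is exactly the name-clash risk Simo's reply gives as the reason for fully qualified names; when reviewing an auth_to_local set, check that no RULE yields a flat name for a foreign realm.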