[Freeipa-users] Fwd: nfsnobody with ubuntu 14.04 in trusted relationship with AD

2016-02-12 Thread Domineaux Philippe
Hello,

Did you receive my last post? Maybe I've missed something, because I can't
see my post on the forum.

-- Forwarded message --
From: Domineaux Philippe <pdomine...@gmail.com>
Date: 2016-02-10 18:03 GMT+01:00
Subject: [Freeipa-users] nfsnobody with ubuntu 14.04 in trusted
relationship with AD
To: freeipa-users@redhat.com



[Freeipa-users] nfsnobody with ubuntu 14.04 in trusted relationship with AD

2016-02-10 Thread Domineaux Philippe
Hello all,

I have several virtual machines (on VirtualBox) running freeipa-client and
freeipa-server in a trust domain relationship with an Active Directory (AD),
also on a virtual machine.

Here are the details of the machines:

### Freeipa-server :
- Centos 7.2
- ipa-server-install 4.2.0

### client1 :
- centos 7.2
- ipa-client-install 4.2.0

### Nfs-server :
- centos 7.2
- ipa-client-install 4.2.0

### Client2 :
- Ubuntu 14.04 (trusty)
- ipa-client-install 3.3.4
  I also tried the unofficial 4.0.x backport
  (https://launchpad.net/~freeipa/+archive/ubuntu/4.0).

Everything works fine except for the Ubuntu client and the NFS mount:

- I can mount the share using the "-o sec=krb5" option, but the owner of the
folders is nobody. It seems to be just a display error, because the permissions
on the files are good: user1 cannot write in the folder of user2 and vice versa.


If I mount without kinit I get this (syslog on the Ubuntu client):

Feb 10 17:09:38 client2 rpc.idmapd[417]: New client: 0
Feb 10 17:09:38 client2 kernel: [ 2709.796390] NFS: Registering the id_resolver key type
Feb 10 17:09:38 client2 kernel: [ 2709.796399] Key type id_resolver registered
Feb 10 17:09:38 client2 kernel: [ 2709.796399] Key type id_legacy registered
Feb 10 17:09:38 client2 rpc.idmapd[417]: Opened /run/rpc_pipefs/nfs/clnt0/idmap
Feb 10 17:09:38 client2 rpc.idmapd[417]: New client: 1
Feb 10 17:09:38 client2 nfsidmap[2714]: key: 0x261c251d type: uid value: root@ipa.local timeout 600
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Feb 10 17:09:38 client2 nfsidmap[2714]: nss_getpwnam: name 'root@ipa.local' domain 'ipa.local': resulting localname 'root'
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: final return value is 0
Feb 10 17:09:38 client2 nfsidmap[2716]: key: 0x314352bb type: gid value: root@ipa.local timeout 600
Feb 10 17:09:38 client2 nfsidmap[2716]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 10 17:09:38 client2 nfsidmap[2716]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Feb 10 17:09:38 client2 nfsidmap[2716]: nfs4_name_to_gid: final return value is 0
Feb 10 17:09:55 client2 nfsidmap[2722]: key: 0x29600d2b type: uid value: adipa@domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name 'adipa@domino.local@ipa.local' domain 'ipa.local': resulting localname '(null)'
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name 'adipa@domino.local@ipa.local' does not map into domain 'ipa.local'
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return value is -22
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name 'nobody@ipa.local' domain 'ipa.local': resulting localname 'nobody'
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return value is 0
Feb 10 17:09:55 client2 nfsidmap[2724]: key: 0x398852c2 type: gid value: posix_users@domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: final return value is -22
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Feb 10 17:09:56 client2 nfsidmap[2724]: nfs4_name_to_gid: nsswitch->name_to_gid returned -2
Feb 10 17:09:56 client2 nfsidmap[2724]: nfs4_name_to_gid: final return value is -2


But if I mount with, let's say, kinit admin, there are no logs in the syslog
file of the Ubuntu client.



Another thing is, when mounting on both clients (Ubuntu and CentOS), the
NFS server outputs:

"nfsserver gssproxy: gssproxy[659]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found"

But it works for CentOS and not for Ubuntu.


### NFS server logs for client 2 (Ubuntu):

Feb 10 17:30:01 nfsserver systemd: Created slice user-0.slice.
Feb 10 17:30:01 nfsserver systemd: Starting user-0.slice.
Feb 10 17:30:01 nfsserver systemd: Started Session 14 of user root.
Feb 10 17:30:01 nfsserver systemd: Starting Session 14 of user root.
Feb 10 17:30:01 nfsserver systemd: Removed slice user-0.slice.
Feb 10 17:30:01 nfsserver systemd: Stopping user-0.slice.
Feb 10 17:30:21 nfsserver rpc.gssd[756]: Closing 'gssd' pipe for /var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt5
Feb 10 17:30:21 nfsserver rpc.gssd[756]: destroying client /var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt5
Feb 10 17:30:21 nfsserver rpc.gssd[756]: handling gssd upcall

[Freeipa-users] Fwd: NetworkError : invalid continuation byte with utf8 codec

2016-01-04 Thread Domineaux Philippe
Hello,

Happy new year.

So the content of my /etc/locale.conf :

LANG="fr_FR.UTF-8"

-- Forwarded message --
From: Fraser Tweedale 
Date: 2015-12-23 5:11 GMT+01:00
Subject: Re: [Freeipa-users] NetworkError : invalid continuation byte with
utf8 codec
To: Gmail 
Cc: freeipa-users@redhat.com


On Tue, Dec 22, 2015 at 08:39:09AM +0100, Gmail wrote:
> Here are the files you ask for:
>
Thank you.  I see Tomcat is running in an fr_FR locale. Could you
also provide contents of `/etc/locale.conf'?

Cheers,
Fraser

>
>
> On 22 December 2015 at 02:30:06, Fraser Tweedale (ftwee...@redhat.com)
wrote:
>
> On Mon, Dec 21, 2015 at 05:29:01PM +0100, Gmail wrote:
> > Hi all,
> >
> > When trying to install on a fresh new CentOS 7 I’ve got this error:
> >
> > 2015-12-21T16:04:44Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't decode byte 0xea in position 13: invalid continuation byte
> > 2015-12-21T16:04:44Z ERROR cannot connect to 'https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't decode byte 0xea in position 13: invalid continuation byte
> >
> > My freeipa-server version is: 4.2.0
> > I’m running a CentOS 3.10.0-327.3.1.el7.x86_64
> >
> > Any idea of what goes wrong?
> >
> Thanks for reporting. I have not seen this error before. Could you
> please include the following log files and I will take a closer
> look:
>
> /var/log/ipaserver-install.log
> /var/log/pki/pki-tomcat/ca/debug
>
> Cheers,
> Fraser
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Active Directory Integration and limitations

2015-11-24 Thread Domineaux Philippe
Thank you for your answer but ...

2015-11-23 16:36 GMT+01:00 Simo Sorce <s...@redhat.com>:

> On Wed, 2015-11-18 at 11:46 +0100, Domineaux Philippe wrote:
> > Here is my environment :
> >
> > 1 Windows Domain
> > Windows workstations
> > Windows servers
> > Multiple linux domains
> > Linux workstations
> > Linux servers
> >
> > Here is my goal :
> >
> > All users are centralized in the Active Directory.
> > Users will authenticate on linux workstations with their AD accounts (
> > using POSIX attributes).
> > Linux workstations must have access to NFS shares on Linux servers.
>
> Hi Domineaux,
> you should look into setting up FreeIPA with a trust relationship to the
> Windows Domain.
>
>
That's already the case; I use the trust relationship with POSIX attributes.


> > What are the limitations ?
>
> It is hard to say what kind of limitations you are interested in. When
> we trust AD, AD users can access Linux machines; one limitation (if
> you think it is a limitation) is that AD users will have fully qualified
> names on the host (example: u...@ad.example.com) and not just flat names,
> to avoid name clashes between IPA users, local users and AD users.
>
>
I'm ok with the use of fully qualified names, I use it to log in to my
workstations.


> > Windows users equals ipa users in term of services ?
>
> Yes.
>
> > Do I have to configure kerberos to also join directly the Windows
> Kerberos
> > Realm,
> > or will IPA do the job to ask Windows server ?
>
> If you set up a trust between servers all is taken care of for you wrt
> clients.
>
> > in etc/krb5.conf :
> >
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> >
> > [libdefaults]
> >   default_realm = IPA.ORG
> >   dns_lookup_realm = true
> >   dns_lookup_kdc = true
> >   rdns = false
> >   ticket_lifetime = 24h
> >   forwardable = yes
> >   udp_preference_limit = 0
> >   default_ccache_name = KEYRING:persistent:%{uid}
> >   canonicalize = yes
> >   allow_weak_crypto = true
> >
> > [realms]
> >   IPA.ORG = {
> > pkinit_anchors = FILE:/etc/ipa/ca.crt
> > auth_to_local = RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/
> > auth_to_local = DEFAULT
> >
> >   }
> >
> > ### IS THIS NECESSARY
> > WINDOMAIN.LOCAL = {
> >kdc = srvadipa.windomain.local
> >admin_server = srvadipa.windomain.local
> > }
> >
> >
> > [domain_realm]
> >   .ipa.org = IPA.ORG
> >   ipa.org = IPA.ORG
> >
> > ### IS THIS NECESSARY
> >
> >   .windomain.local = WINDOMAIN.LOCAL
> >   windomain.local = WINDOMAIN.LOCAL
>
> It depends on what client you are using, older RHEL may need this, newer
> ones have an include directory in krb5.conf and sssd generates
> appropriate configuration automatically based on server configuration.
>
> > Is the bug in libnfsidmap still active and prevents Windows users to
> access
> > to NFS4 krb5 secured shared folder ?
>
> I am not sure what bug you refer to. You may need to configure nfs
> client nfs idmap, but I am not aware of bugs that will prevent it from
> working right if properly configured.
>
>
The bug specified below returns me this on the NFS server (part of the IPA
domain):

Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=user
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: Server : (user) id "65081" -> name "test...@ipa.org"
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=group
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: Server : (group) id "65081" -> name "test...@ipa.org"
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=user
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: Server : (user) id "65534" -> name "nfsnob...@ipa.org"
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=group
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: Server : (group) id "65534" -> name "nfsnob...@ipa.org"
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=user
Nov 17 15:12:33 centos-nfs rpc.idmapd[6237]: nfsdcb: authbuf=gss/krb5 authtype=user
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: Server : (user) id "10002" -> name "adipa@windomain.lo...@ipa.org"
Nov 17 15:12:33 centos-nfs rpc.idmapd[4823]: nfsdcb: authbuf=gss/krb5 authtype=group
Nov 17 15:12:33 centos-nfs rpc.idmapd[6237]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Nov 17 15:
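
The two idmap logs in this thread (the Ubuntu client's nfsidmap lines in the "nfsnobody with ubuntu 14.04" post, where a fully qualified AD user "does not map into domain 'ipa.local'" and is squashed to nobody, and the server-side rpc.idmapd lines above, where the same user resolves to 65534/nfsnobody) show one mechanism: the NFSv4 owner string "user@nfsv4domain" has its domain suffix stripped before the remainder is handed to NSS, and an AD-trust user name that already contains an '@' confuses that step. The following Python is an added example written for this page; it is not libnfsidmap's code and not from the thread. It models the two possible splitting strategies (first '@' versus last '@'; which one a given libnfsidmap build uses is an assumption inferred from the log, not quoted from the library), reproduces the return codes and the nobody fallback the client log shows, and parses the log lines to list the names that failed. The PASSWD/GROUPS tables are constructed stand-ins for what sssd would answer (Ubuntu names gid 65534 "nogroup", which is why the group fallback returns -2 where the user fallback to "nobody" returns 0), and SAMPLE_LOG is the thread's own client log with wrapped lines rejoined.

```python
"""NFSv4 idmap name-to-id lookups for AD-trust users, modelled on the nfsidmap
log lines in this thread, plus a triage helper for those lines.
Added example: not libnfsidmap's code; the '@'-splitting strategies are an
assumption inferred from the log."""
import re
from typing import Dict, List, Optional, Tuple

EINVAL, ENOENT = -22, -2  # the return codes the client log shows

# Constructed stand-ins for what NSS (sssd) would answer on each client.
# AD-trust accounts are fully qualified; Ubuntu names gid 65534 'nogroup'.
PASSWD: Dict[str, int] = {"root": 0, "nobody": 65534, "adipa@domino.local": 10002}
GROUPS: Dict[str, int] = {"root": 0, "nogroup": 65534, "posix_users@domino.local": 10002}


def strip_domain(name: str, domain: str, split_at_first: bool) -> Optional[str]:
    """Remove the NFSv4 domain suffix from 'localname@nfsv4domain'.

    split_at_first=True cuts at the FIRST '@': 'adipa@domino.local@ipa.local'
    then looks like domain 'domino.local@ipa.local' and is rejected, which is
    what the Ubuntu client logs.  split_at_first=False cuts at the LAST '@'
    and keeps the AD qualifier in the local name.  None means 'does not map'."""
    i = name.find("@") if split_at_first else name.rfind("@")
    if i < 0:
        return None
    local, dom = name[:i], name[i + 1:]
    return local if dom.lower() == domain.lower() else None


def name_to_id(name: str, domain: str, table: Dict[str, int],
               split_at_first: bool) -> Tuple[int, Optional[int]]:
    """Mimic nfs4_name_to_uid/gid: (EINVAL, None) when the name does not map
    into the NFSv4 domain, (ENOENT, None) when NSS knows no such account,
    (0, id) on success."""
    local = strip_domain(name, domain, split_at_first)
    if local is None:
        return EINVAL, None
    if local not in table:
        return ENOENT, None
    return 0, table[local]


def resolve(name: str, domain: str, table: Dict[str, int], split_at_first: bool,
            fallback: str = "nobody") -> Tuple[Optional[int], List[int]]:
    """Lookup followed by the fallback retry the client log shows (a second
    nsswitch call for 'nobody@ipa.local').  Returns (id or None, every return
    code in order), so (65534, [-22, 0]) reads 'unmapped, squashed to nobody'."""
    rc, ident = name_to_id(name, domain, table, split_at_first)
    rcs = [rc]
    if rc < 0:
        rc, ident = name_to_id(f"{fallback}@{domain}", domain, table, split_at_first)
        rcs.append(rc)
    return ident, rcs


# --- triage of nfsidmap syslog lines ----------------------------------------
KEY_RE = re.compile(r"nfsidmap\[(\d+)\]: key: 0x[0-9a-f]+ type: (uid|gid) value: (\S+) timeout")
RC_RE = re.compile(r"nfsidmap\[(\d+)\]: nfs4_name_to_[ug]id: final return value is (-?\d+)")

# Constructed from the client log in this thread, wrapped lines rejoined.
SAMPLE_LOG = """\
Feb 10 17:09:38 client2 nfsidmap[2714]: key: 0x261c251d type: uid value: root@ipa.local timeout 600
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: final return value is 0
Feb 10 17:09:55 client2 nfsidmap[2722]: key: 0x29600d2b type: uid value: adipa@domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name 'adipa@domino.local@ipa.local' does not map into domain 'ipa.local'
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return value is -22
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return value is 0
Feb 10 17:09:55 client2 nfsidmap[2724]: key: 0x398852c2 type: gid value: posix_users@domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: final return value is -22
Feb 10 17:09:56 client2 nfsidmap[2724]: nfs4_name_to_gid: final return value is -2
"""


def unmapped(log_text: str) -> List[Tuple[str, str, List[int]]]:
    """Correlate each upcall key with its return codes by nfsidmap PID and
    report the names whose first lookup failed: these are the owners that
    display as nobody/nogroup (nfsnobody on the CentOS side)."""
    upcalls: Dict[str, Tuple[str, str, List[int]]] = {}
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            pid, kind, name = m.groups()
            upcalls[pid] = (kind, name, [])
            continue
        m = RC_RE.search(line)
        if m and m.group(1) in upcalls:
            upcalls[m.group(1)][2].append(int(m.group(2)))
    return [u for u in upcalls.values() if u[2] and u[2][0] != 0]


if __name__ == "__main__":
    for kind, name, rcs in unmapped(SAMPLE_LOG):
        print(f"{kind} {name}: return codes {rcs}")
    print(resolve("adipa@domino.local@ipa.local", "ipa.local", PASSWD, split_at_first=False))
```

The defender's takeaway is in the return codes: -22 on the first lookup means the name never reached NSS (domain-stripping rejected it), whereas -2 means NSS was consulted and has no such account; the two need different fixes (idmap library or Domain setting versus sssd/trust configuration), and the "owner shows as nobody but permissions are enforced" symptom in the post is exactly what the fallback path produces, since access control runs on the server with the real ids.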

[Freeipa-users] Active Directory Integration and limitations

2015-11-18 Thread Domineaux Philippe
Here is my environment :

1 Windows Domain
Windows workstations
Windows servers
Multiple linux domains
Linux workstations
Linux servers

Here is my goal :

All users are centralized in the Active Directory.
Users will authenticate on Linux workstations with their AD accounts (using POSIX attributes).
Linux workstations must have access to NFS shares on Linux servers.


What are the limitations?
Do Windows users equal IPA users in terms of services?

Do I have to configure Kerberos to also join the Windows Kerberos realm directly,
or will IPA do the job of asking the Windows server?

In /etc/krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.ORG
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
  canonicalize = yes
  allow_weak_crypto = true

[realms]
  IPA.ORG = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/
    auth_to_local = DEFAULT
  }

### IS THIS NECESSARY
  WINDOMAIN.LOCAL = {
    kdc = srvadipa.windomain.local
    admin_server = srvadipa.windomain.local
  }


[domain_realm]
  .ipa.org = IPA.ORG
  ipa.org = IPA.ORG

### IS THIS NECESSARY

  .windomain.local = WINDOMAIN.LOCAL
  windomain.local = WINDOMAIN.LOCAL




Is the bug in libnfsidmap still active, preventing Windows users from accessing
NFS4 krb5-secured shared folders?

I currently have the bug here:
https://www.redhat.com/archives/freeipa-users/2014-June/msg00163.html
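
To make the posted auth_to_local rules concrete, here is an evaluator for them written as an added example for this page; it is not MIT krb5's code and not from the thread. It implements the documented semantics of `RULE:[n:fmt](regex)s/pat/repl/[g]` (the principal is applicable only if it has n components; `$0` is the realm and `$1`..`$n` the components; the formatted string must match the selector regex, then the sed substitution is applied) and of `DEFAULT` (maps only one-component principals of the default realm). The rule list and default realm are taken from the krb5.conf above; the parser is limited to that syntax subset (no escaped `/` or `)` inside a rule), which is an assumption of this example.

```python
"""Evaluator for the auth_to_local rules in the krb5.conf posted above.
Added example, not MIT krb5's code: implements the documented RULE and
DEFAULT semantics for the syntax subset used here (no escaped '/' or ')')."""
import re
from typing import List, Optional, Tuple

DEFAULT_REALM = "IPA.ORG"
# From the [realms] IPA.ORG block above, in the order krb5 tries them.
RULES: List[str] = [
    "RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/",
    "DEFAULT",
]


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/srv.example.com@REALM' -> (['host', 'srv.example.com'], 'REALM')."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Return the local name this rule yields, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only one-component principals of the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = re.match(r"RULE:\[(\d+):([^\]]*)\](.*)$", rule)
    if not m:
        raise ValueError(f"unsupported auth_to_local syntax: {rule}")
    ncomp, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    if len(comps) != ncomp:
        return None  # component count differs: rule is not applicable
    # $0 is the realm, $1..$n the principal components.
    candidate = re.sub(
        r"\$(\d+)",
        lambda g: realm if g.group(1) == "0" else comps[int(g.group(1)) - 1],
        fmt,
    )
    if rest.startswith("("):
        end = rest.find(")s/")
        if end == -1:
            end = len(rest) - 1  # the selector regex is the rule's last element
        selector, rest = rest[1:end], rest[end + 1:]
        if not re.search(selector, candidate):
            return None  # selector did not match: rule is not applicable
    if rest.startswith("s/"):
        pattern, replacement, flags = rest[2:].split("/")  # assumes no escaped '/'
        candidate = re.sub(pattern, replacement, candidate,
                           count=0 if "g" in flags else 1)
    return candidate


def auth_to_local(principal: str, rules: List[str] = RULES,
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """First applicable rule wins; None means krb5 would refuse the mapping."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("adipa@WINDOMAIN.LOCAL", "admin@IPA.ORG",
              "host/srv.windomain.local@WINDOMAIN.LOCAL", "bob@OTHER.REALM"):
        print(f"{p:45} -> {auth_to_local(p)}")
```

Running it shows what the rule actually buys: an AD user principal becomes the fully qualified local name `adipa@windomain.local` (only the realm case changes), an IPA principal falls through to DEFAULT and becomes `admin`, and a two-component or foreign-realm principal maps to nothing. Whether NSS then knows `adipa@windomain.local` as an account is sssd's job, which is Simo's point that the trust-aware client generates this configuration itself.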