Re: [Freeipa-users] NFS Automount Domain Homedirs

2015-10-01 Thread Alexander Bokovoy

On Wed, 30 Sep 2015, Sadettin Albasan wrote:

Here is a list of installed sssd packages:

sssd-client-1.12.4-47.el6.x86_64
sssd-common-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-tools-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64

Thanks.

My apologies, we checked with Sumit and apparently SSSD in RHEL 6.7 was
built without support for the NFS idmap module.

Can you check if using CentOS 7 client and server for NFS would work?

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
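As an added example (not code from the thread or from the SSSD project), a small POSIX shell check for the failure mode discussed above: it reads the active Method from an idmapd.conf and confirms that a matching libnfsidmap plugin (sss.so, shipped by sssd-common where the build includes it) exists in the plugin directory, so a host whose SSSD lacks the module is caught before rpc.idmapd is restarted. The plugin directory is distribution specific and is passed in by the caller (assumed /usr/lib64/libnfsidmap on 64-bit RHEL/CentOS); the sample config is constructed.

```shell
#!/bin/sh
# Added check script (not from the thread): verify that the Method configured
# in idmapd.conf [Translation] has a matching libnfsidmap plugin installed, so
# the "requested translation method, 'sss', is not available" failure is
# caught before rpc.idmapd is restarted.

# Write a constructed idmapd.conf (modelled on the one posted in the thread,
# with the suggested Method = sss) to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
[General]
#Domain = local.domain.edu
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
# The default is "nsswitch".
Method = sss
EOF
}

# Print the active (uncommented) Method value from the [Translation] section
# of the idmapd.conf given as $1, whitespace stripped, e.g. "sss" or
# "nsswitch,sss". Only the first Method line in the section is honoured.
idmap_methods() {
    awk -F= '
        /^[ \t]*\[/ { in_tr = ($0 ~ /^[ \t]*\[Translation\]/); next }
        in_tr && /^[ \t]*Method[ \t]*=/ {
            v = $2; gsub(/[ \t]/, "", v); print v; exit
        }' "$1"
}

# Return 0 if every method in the comma-separated list $1 has a <method>.so
# in the plugin directory $2; otherwise list the missing ones on stderr and
# return 1. The directory is distribution specific (assumed here:
# /usr/lib64/libnfsidmap on 64-bit RHEL/CentOS), so the caller passes it.
check_plugins() {
    missing=""
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        [ -f "$2/$m.so" ] || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        printf 'libnfsidmap plugin(s) missing for Method:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage on a real host, for example:
#   check_plugins "$(idmap_methods /etc/idmapd.conf)" /usr/lib64/libnfsidmap
```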


Re: [Freeipa-users] NFS Automount Domain Homedirs

2015-09-30 Thread Sadettin Albasan
Here is a list of installed sssd packages:

sssd-client-1.12.4-47.el6.x86_64
sssd-common-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-tools-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64


On 30 September 2015 at 13:18, Sadettin Albasan wrote:

> I get this error when putting sss into Method even after upgrading my
> systems to CentOS 6.7
>
> Shutting down NFS daemon:  [  OK  ]
> Shutting down NFS mountd:  [  OK  ]
> Shutting down NFS services:[  OK  ]
> Shutting down RPC svcgssd: [  OK  ]
> Shutting down RPC idmapd:  [  OK  ]
> Starting RPC svcgssd:  [  OK  ]
> Starting NFS services: [  OK  ]
> Starting NFS mountd:   [  OK  ]
> Starting NFS daemon:   [  OK  ]
> Starting RPC idmapd: rpc.idmapd: libnfsidmap: requested translation
> method, 'sss', is not available
>
> rpc.idmapd: Unable to create name to user id mappings.
>[FAILED]
>
>
> On 30 September 2015 at 09:46, Alexander Bokovoy 
> wrote:
>
>> On Wed, 30 Sep 2015, Sadettin Albasan wrote:
>>
>>> *idmap.conf for NFS Server:*
>>>
>>>
>>> [General]
>>> #Verbosity = 0
>>> # The following should be set to the local NFSv4 domain name
>>> # The default is the host's DNS domain name.
>>> #Domain = local.domain.edu
>>>
>>> # The following is a comma-separated list of Kerberos realm
>>> # names that should be considered to be equivalent to the
>>> # local realm, such that @REALM.A can be assumed to
>>> # be the same user as @REALM.B
>>> # If not specified, the default local realm is the domain name,
>>> # which defaults to the host's DNS domain name,
>>> # translated to upper-case.
>>> # Note that if this value is specified, the local realm name
>>> # must be included in the list!
>>> #Local-Realms =
>>>
>>> [Mapping]
>>>
>>> Nobody-User = nobody
>>> Nobody-Group = nobody
>>>
>>> [Translation]
>>>
>>> # Translation Method is a comma-separated, ordered list of
>>> # translation methods that can be used.  Distributed methods
>>> # include "nsswitch", "umich_ldap", and "static".  Each method
>>> # is a dynamically loadable plugin library.
>>> # New methods may be defined and inserted in the list.
>>> # The default is "nsswitch".
>>> Method = nsswitch
>>>
>> Use Method = sss
>>
>> The module for this method is part of sssd-common RPM package.
>>
>>> *idmap.conf for client:*
>>>
>>>
>>> [General]
>>> #Verbosity = 0
>>> # The following should be set to the local NFSv4 domain name
>>> # The default is the host's DNS domain name.
>>> #Domain = local.domain.edu
>>>
>>> # The following is a comma-separated list of Kerberos realm
>>> # names that should be considered to be equivalent to the
>>> # local realm, such that @REALM.A can be assumed to
>>> # be the same user as @REALM.B
>>> # If not specified, the default local realm is the domain name,
>>> # which defaults to the host's DNS domain name,
>>> # translated to upper-case.
>>> # Note that if this value is specified, the local realm name
>>> # must be included in the list!
>>> #Local-Realms =
>>>
>>> [Mapping]
>>>
>>> Nobody-User = nobody
>>> Nobody-Group = nobody
>>>
>>> [Translation]
>>>
>>> # Translation Method is a comma-separated, ordered list of
>>> # translation methods that can be used.  Distributed methods
>>> # include "nsswitch", "umich_ldap", and "static".  Each method
>>> # is a dynamically loadable plugin library.
>>> # New methods may be defined and inserted in the list.
>>> # The default is "nsswitch".
>>> Method = nsswitch
>>>
>> Same here.
>>
>> --
>> / Alexander Bokovoy
>>
>
>

Re: [Freeipa-users] NFS Automount Domain Homedirs

2015-09-30 Thread Sadettin Albasan
Hi Alexander,


Currently:

FreeIPA 7.1 (CentOS)
Client 6.6 (CentOS)
NFS 6.6 (CentOS) + Samba 3.6

I also have Samba file sharing running on the NFS server, which shares home
directories to Windows users as well. So the NFS server is joined to the Windows
domain as well as the FreeIPA domain.


*FreeIPA Server Automount Conf:*

/etc/auto.master:
/-      /etc/auto.direct
/home   /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.home:
*       -rw,no_subtree_check,crossmnt,sec=krb5i itifs01.itiad.my.ca:/samba/homes/&

maps not connected to /etc/auto.master:




*NFS Server Krb5.conf:*

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = FREEIPA.MY.CA
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  FREEIPA.MY.CA = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .FREEIPA.MY.CA = FREEIPA.MY.CA
  FREEIPA.MY.CA = FREEIPA.MY.CA
  .itiad.my.ca = FREEIPA.MY.CA
  itiad.my.ca = FREEIPA.MY.CA



*NFS Server sssd.conf:*

[domain/FREEIPA.MY.CA]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = FREEIPA.my.CA
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = itifs01.itiad.my.ca
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, server.freeipa.my.ca
dns_discovery_domain = FREEIPA.my.CA
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = FREEIPA.MY.CA
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]



*Client Krb5.conf:*

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = FREEIPA.MY.CA
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  FREEIPA.MY.CA = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .freeipa.my.ca = FREEIPA.MY.CA
  freeipa.my.ca = FREEIPA.MY.CA


*Client sssd.conf:*

[domain/freeipa.my.ca]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = freeipa.my.ca
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client2.freeipa.my.ca
chpass_provider = ipa
ipa_server = _srv_, server.freeipa.my.ca
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
[sssd]
default_domain_suffix = itiad.my.ca
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = freeipa.my.ca
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]



Thanks,


On 29 September 2015 at 10:47, Alexander Bokovoy wrote:

> On Tue, 29 Sep 2015, Sadettin Albasan wrote:
>
>> I have a FreeIPA server and a trust relation with an AD domain, with almost
>> everything working the way I planned except automounting NFS home
>> directories for domain users. I have been reading about this on the net for
>> almost a week, ended up trying a lot of different configurations, but I
>> had no success with it. The closest I came to was removing krb5 authentication
>> from the export and mount options. It is only then able to mount the
>> directories. Since I have not seen any official guidelines about it, is
>> this in the works or any plan to implement? Thanks.
>>
> As usual, more details are required about server and client
> configuration/software in order to even guess your problems.
>
> What provides NFS storage? What is used on the client machines? How is
> identity mapping configured? Give examples of your configuration.
>
> There are some issues in NFS identity mapping code that were fixed
> relatively recently and which prevented use of POSIX users with '@' in
> the name, for example.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] NFS Automount Domain Homedirs

2015-09-30 Thread Alexander Bokovoy

On Wed, 30 Sep 2015, Sadettin Albasan wrote:

Hi Alexander,


Currently:

FreeIPA 7.1 (CentOS)
Client 6.6 (CentOS)
NFS 6.6 (CentOS) + Samba 3.6

I also have Samba file sharing running on the NFS server, which shares home
directories to Windows users as well. So the NFS server is joined to the Windows
domain as well as the FreeIPA domain.

CentOS 6.6 should have nfsidmap fixes needed to support AD users via
IPA-AD trust.

However, I don't see your configuration for nfs idmap.conf on both client and
NFS server.

--
/ Alexander Bokovoy



Re: [Freeipa-users] NFS Automount Domain Homedirs

2015-09-30 Thread Sadettin Albasan
*idmap.conf for NFS Server:*

[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu

# The following is a comma-separated list of Kerberos realm
# names that should be considered to be equivalent to the
# local realm, such that @REALM.A can be assumed to
# be the same user as @REALM.B
# If not specified, the default local realm is the domain name,
# which defaults to the host's DNS domain name,
# translated to upper-case.
# Note that if this value is specified, the local realm name
# must be included in the list!
#Local-Realms =

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

# Translation Method is a comma-separated, ordered list of
# translation methods that can be used.  Distributed methods
# include "nsswitch", "umich_ldap", and "static".  Each method
# is a dynamically loadable plugin library.
# New methods may be defined and inserted in the list.
# The default is "nsswitch".
Method = nsswitch

# Optional.  This is a comma-separated, ordered list of
# translation methods to be used for translating GSS
# authenticated names to ids.
# If this option is omitted, the same methods as those
# specified in "Method" are used.
#GSS-Methods = 

#---#
# The following are used only for the "static" Translation Method.
#---#
#[Static]

# A "static" list of GSS-Authenticated names to
# local user name mappings

#someuser@REALM = localuser


#---#
# The following are used only for the "umich_ldap" Translation Method.
#---#

#[UMICH_SCHEMA]

# server information (REQUIRED)
#LDAP_server = ldap-server.local.domain.edu

# the default search base (REQUIRED)
#LDAP_base = dc=local,dc=domain,dc=edu

#---#
# The remaining options have defaults (as shown)
# and are therefore not required.
#---#

# whether or not to perform canonicalization on the
# name given as LDAP_server
#LDAP_canonicalize_name = true

# absolute search base for (people) accounts
#LDAP_people_base = 

# absolute search base for groups
#LDAP_group_base = 

# Set to true to enable SSL - anything else is not enabled
#LDAP_use_ssl = false

# You must specify a CA certificate location if you enable SSL
#LDAP_ca_cert = /etc/ldapca.cert

# Objectclass mapping information

# Mapping for the person (account) object class
#NFSv4_person_objectclass = NFSv4RemotePerson

# Mapping for the nfsv4name attribute the person object
#NFSv4_name_attr = NFSv4Name

# Mapping for the UID number
#NFSv4_uid_attr = UIDNumber

# Mapping for the GSSAPI Principal name
#GSS_principal_attr = GSSAuthName

# Mapping for the account name attribute (usually uid)
# The value for this attribute must match the value of
# the group member attribute - NFSv4_member_attr
#NFSv4_acctname_attr = uid

# Mapping for the group object class
#NFSv4_group_objectclass = NFSv4RemoteGroup

# Mapping for the GID attribute
#NFSv4_gid_attr = GIDNumber

# Mapping for the Group NFSv4 name
#NFSv4_group_attr = NFSv4Name

# Mapping for the Group member attribute (usually memberUID)
# The value of this attribute must match the value of NFSv4_acctname_attr
#NFSv4_member_attr = memberUID


*idmap.conf for client:*

[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu

# The following is a comma-separated list of Kerberos realm
# names that should be considered to be equivalent to the
# local realm, such that @REALM.A can be assumed to
# be the same user as @REALM.B
# If not specified, the default local realm is the domain name,
# which defaults to the host's DNS domain name,
# translated to upper-case.
# Note that if this value is specified, the local realm name
# must be included in the list!
#Local-Realms =

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

# Translation Method is a comma-separated, ordered list of
# translation methods that can be used.  Distributed methods
# include "nsswitch", "umich_ldap", and "static".  Each method
# is a dynamically loadable plugin library.
# New methods may be defined and inserted in the list.
# The default is "nsswitch".
Method = nsswitch

# Optional.  This is a comma-separated, ordered list of
# translation methods to be used for translating GSS
# authenticated names to ids.
# If this option is omitted, the same methods as those
# specified in "Method" are used.
#GSS-Methods = 

#---#
# The following are used only for the "static" Translation Method.

Re: [Freeipa-users] NFS Automount Domain Homedirs

2015-09-30 Thread Alexander Bokovoy

On Wed, 30 Sep 2015, Sadettin Albasan wrote:

*idmap.conf for NFS Server:*

[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu

# The following is a comma-separated list of Kerberos realm
# names that should be considered to be equivalent to the
# local realm, such that @REALM.A can be assumed to
# be the same user as @REALM.B
# If not specified, the default local realm is the domain name,
# which defaults to the host's DNS domain name,
# translated to upper-case.
# Note that if this value is specified, the local realm name
# must be included in the list!
#Local-Realms =

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

# Translation Method is a comma-separated, ordered list of
# translation methods that can be used.  Distributed methods
# include "nsswitch", "umich_ldap", and "static".  Each method
# is a dynamically loadable plugin library.
# New methods may be defined and inserted in the list.
# The default is "nsswitch".
Method = nsswitch
Use Method = sss


The module for this method is part of sssd-common RPM package.


*idmap.conf for client:*

[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu

# The following is a comma-separated list of Kerberos realm
# names that should be considered to be equivalent to the
# local realm, such that @REALM.A can be assumed to
# be the same user as @REALM.B
# If not specified, the default local realm is the domain name,
# which defaults to the host's DNS domain name,
# translated to upper-case.
# Note that if this value is specified, the local realm name
# must be included in the list!
#Local-Realms =

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

# Translation Method is a comma-separated, ordered list of
# translation methods that can be used.  Distributed methods
# include "nsswitch", "umich_ldap", and "static".  Each method
# is a dynamically loadable plugin library.
# New methods may be defined and inserted in the list.
# The default is "nsswitch".
Method = nsswitch

Same here.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] NFS Automount Domain Homedirs

2015-09-29 Thread Sadettin Albasan
I have a FreeIPA server and a trust relation with an AD domain, with almost
everything working the way I planned except automounting NFS home
directories for domain users. I have been reading about this on the net for
almost a week, ended up trying a lot of different configurations, but I had
no success with it. The closest I came to was removing krb5 authentication
from the export and mount options. It is only then able to mount the
directories. Since I have not seen any official guidelines about it, is
this in the works or any plan to implement? Thanks.

Re: [Freeipa-users] NFS Automount Domain Homedirs

2015-09-29 Thread Alexander Bokovoy

On Tue, 29 Sep 2015, Sadettin Albasan wrote:

I have a FreeIPA server and a trust relation with an AD domain, with almost
everything working the way I planned except automounting NFS home
directories for domain users. I have been reading about this on the net for
almost a week, ended up trying a lot of different configurations, but I had
no success with it. The closest I came to was removing krb5 authentication
from the export and mount options. It is only then able to mount the
directories. Since I have not seen any official guidelines about it, is
this in the works or any plan to implement? Thanks.

As usual, more details are required about server and client
configuration/software in order to even guess your problems.

What provides NFS storage? What is used on the client machines? How is
identity mapping configured? Give examples of your configuration.

There are some issues in NFS identity mapping code that were fixed
relatively recently and which prevented use of POSIX users with '@' in
the name, for example.

--
/ Alexander Bokovoy
