TomK wrote:
> On 3/7/2018 1:11 PM, Rob Crittenden wrote:
> Hey Rob,
>
> When starting idmapd or stopping it, logs on the LDAP server don't
> change. But UID and GID's change to nfsnobody when I set Nobody-User
> and Nobody-Group to nfsnobody in /etc/idmapd.conf .

I don't know that merely restarting the service is going to spark queries
against LDAP. You'd probably need to do something to provoke that (like
doing an ls).

> [General]
> Verbosity = 9
> Domain = nix.my.dom
> [Mapping]
> Nobody-User = nfsnobody
> Nobody-Group = nfsnobody
> [Translation]
> [Static]
> [UMICH_SCHEMA]
> LDAP_server = idmipa01.nix.my.dom
> LDAP_base = cn=accounts,DC=NIX,DC=MY,DC=DOM
> LDAP_people_base = DC=NIX,DC=MY,DC=DOM
> LDAP_group_base = DC=NIX,DC=MY,DC=DOM

The people basedn should probably be cn=users,cn=accounts,... and the
group base cn=groups,cn=accounts,... Unless it cleverly smashes that
together with LDAP_base, I'm not sure what it does.

The 389-ds access logs will tell you if it is trying at all (note the
logs are write-buffered so you won't see immediate updates).

If you have compat enabled then idmapd may be getting multiple entries,
one from cn=compat and one from the main tree and that could be
confusing it.

rob

>
> Cheers,
> Tom
>
>> TomK via FreeIPA-users wrote:
>>> Hey Guys,
>>>
>>> Getting below message which in turn fails to list proper UID / GID on
>>> NFSv4 mounts from within an unprivileged account. All files show up with
>>> owner and group as nobody / nobody when viewed from the client.
>>>
>>> Is there a way to structure /etc/idmapd.conf to allow for proper UID /
>>> GID resolution? Or perhaps another solution?
>>>
>>>
>>> [root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e "/^$/d"
>>> [General]
>>> Verbosity = 7
>>> Domain = nix.my.dom
>>> [Mapping]
>>> [Translation]
>>> [Static]
>>> [UMICH_SCHEMA]
>>> LDAP_server = ldap-server.local.domain.edu
>>> LDAP_base = dc=local,dc=domain,dc=edu
>>> [root@client01 etc]#
>>>
>>> Mount looks like this:
>>>
>>> nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4
>>> (rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)
>>>
>>>
>>> /var/log/messages
>>>
>>> Mar 6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid value: [email protected]@localdomain timeout 600
>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name '[email protected]@localdomain' domain 'nix.my.dom': resulting localname '(null)'
>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name '[email protected]@localdomain' does not map into domain 'nix.my.dom'
>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is -22
>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name '[email protected]' domain 'nix.my.dom': resulting localname 'nobody'
>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is 0
>>> Mar 6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid value: [email protected]@localdomain timeout 600
>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is -22
>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is 0
>>> Mar 6 00:17:31 client01 systemd-logind: Removed session 23.
>>>
>>>
>>> Result of:
>>>
>>> systemctl restart rpcidmapd
>>>
>>> /var/log/messages
>>> -------------------
>>> Mar 5 23:46:12 client01 systemd: Stopping Automounts filesystems on demand...
>>> Mar 5 23:46:13 client01 systemd: Stopped Automounts filesystems on demand.
>>> Mar 5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping service...
>>> Mar 5 23:48:51 client01 systemd: Starting Preprocess NFS configuration...
>>> Mar 5 23:48:51 client01 systemd: Started Preprocess NFS configuration.
>>> Mar 5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping service...
>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using domain: nix.my.dom
>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms list: 'NIX.MY.DOM'
>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: using domain: nix.my.dom
>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: Realms list: 'NIX.MY.DOM'
>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is 600 seconds.
>>> Mar 5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping service.
>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.nametoid/channel
>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.idtoname/channel
>>>
>>
>> You might be able to correlate that to the 389-ds access log to see what
>> queries are being executed.
>>
>> You probably need to set LDAP_people_base and LDAP_group_base as well.
>>
>> I think ipa-client-automount only sets the Domain value and doesn't
>> configure the ldap section at all.
>>
>> rob
>> _______________________________________________
>> sssd-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
>
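The nfsidmap debug lines Tom posted already contain the diagnosis: the principal the server handed back carries two domain suffixes (the `user@nix.my.dom@localdomain` shape), nss_getpwnam refuses it with -22, and the second pass only returns 0 because libnfsidmap fell back to the nobody user. As an added example that is not code from the thread, nfs-utils or FreeIPA, the script below parses that log shape and classifies every name-to-id lookup so the failing principals can be pulled out of a busy /var/log/messages instead of read by eye. The sample log is constructed to match the lines in the thread (the user and group names are invented), and the verdict labels are my own names.

```python
"""Triage nfsidmap debug output (idmapd.conf Verbosity >= 7) for NFSv4 name-to-id failures.

Added example for this thread, not code from nfs-utils or FreeIPA. SAMPLE_LOG
is constructed to match the shape of the lines in the thread; the names are invented.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Mar 6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid value: someuser@nix.my.dom@localdomain timeout 600
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'someuser@nix.my.dom@localdomain' domain 'nix.my.dom': resulting localname '(null)'
Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'someuser@nix.my.dom@localdomain' does not map into domain 'nix.my.dom'
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is -22
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'nobody@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is 0
Mar 6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid value: somegroup@nix.my.dom@localdomain timeout 600
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is -22
Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is 0
Mar 6 00:17:28 client01 nfsidmap[14400]: key: 0x0a0b0c0d type: uid value: alice@nix.my.dom timeout 600
Mar 6 00:17:28 client01 nfsidmap[14400]: nss_getpwnam: name 'alice@nix.my.dom' domain 'nix.my.dom': resulting localname 'alice'
Mar 6 00:17:28 client01 nfsidmap[14400]: nfs4_name_to_uid: final return value is 0
Mar 6 00:17:29 client01 nfsidmap[14402]: key: 0x0d0c0b0a type: uid value: bob@other.example timeout 600
Mar 6 00:17:29 client01 nfsidmap[14402]: nss_getpwnam: name 'bob@other.example' domain 'nix.my.dom': resulting localname '(null)'
Mar 6 00:17:29 client01 nfsidmap[14402]: nfs4_name_to_uid: final return value is -22
"""

# One nfsidmap process handles one kernel key, so the pid ties the lines of a lookup together.
KEY_RE = re.compile(r"nfsidmap\[(?P<pid>\d+)\]: key: (?P<key>0x[0-9a-f]+) type: (?P<kind>uid|gid) value: (?P<value>\S+) timeout")
NSS_RE = re.compile(r"nfsidmap\[(?P<pid>\d+)\]: nss_get(?:pw|gr)nam: name '(?P<name>[^']*)' domain '(?P<domain>[^']*)': resulting localname '(?P<local>[^']*)'")
RC_RE = re.compile(r"nfsidmap\[(?P<pid>\d+)\]: nfs4_name_to_(?:uid|gid): final return value is (?P<rc>-?\d+)")


@dataclass
class Lookup:
    pid: str
    key: str
    kind: str            # "uid" or "gid"
    value: str           # principal the server sent, e.g. user@domain
    domain: Optional[str] = None     # idmapd's own Domain as logged
    localnames: List[str] = field(default_factory=list)  # nss results in order, '(null)' on miss
    returns: List[int] = field(default_factory=list)     # final return value per pass


def parse_nfsidmap_log(text: str) -> List[Lookup]:
    """Group the debug lines by pid into one Lookup per kernel upcall."""
    by_pid: Dict[str, Lookup] = {}
    out: List[Lookup] = []
    for line in text.splitlines():
        m = KEY_RE.search(line)
        if m:
            lk = Lookup(m["pid"], m["key"], m["kind"], m["value"])
            by_pid[m["pid"]] = lk
            out.append(lk)
            continue
        m = NSS_RE.search(line)
        if m and m["pid"] in by_pid:
            by_pid[m["pid"]].domain = m["domain"]
            by_pid[m["pid"]].localnames.append(m["local"])
            continue
        m = RC_RE.search(line)
        if m and m["pid"] in by_pid:
            by_pid[m["pid"]].returns.append(int(m["rc"]))
    return out


def diagnose(lk: Lookup, expected_domain: str) -> str:
    """Classify a lookup; the labels are this script's own, not nfsidmap's."""
    at = lk.value.count("@")
    if at > 1:
        return "double-suffix"      # user@realm@localdomain: two domains stacked
    if at == 0:
        return "no-domain"          # bare name, nothing for idmapd to strip
    if lk.value.split("@", 1)[1].lower() != expected_domain.lower():
        return "domain-mismatch"    # suffix is not the configured Domain
    if lk.returns and lk.returns[0] == 0:
        return "ok"                 # first pass mapped to a real local name
    if any(n in ("nobody", "nfsnobody") for n in lk.localnames):
        return "fallback-to-nobody" # only the Nobody-User pass succeeded
    return "unresolved"


def summarize(text: str, expected_domain: str):
    """Return (kind, principal, verdict) for each lookup in the log text."""
    return [(lk.kind, lk.value, diagnose(lk, expected_domain)) for lk in parse_nfsidmap_log(text)]


if __name__ == "__main__":
    for kind, value, verdict in summarize(SAMPLE_LOG, "nix.my.dom"):
        print(f"{kind:3} {verdict:18} {value}")
```

Run against a real /var/log/messages extract with the Domain from idmapd.conf, every lookup reported as `double-suffix` or `domain-mismatch` is a principal that no LDAP_people_base or LDAP_group_base setting on the client can rescue, because the name is rejected by nss_getpwnam before any directory query happens; those point back at the server-side domain setting. Only `fallback-to-nobody` and `unresolved` verdicts are the cases where the 389-ds access log Rob mentions is worth correlating.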
