On 3/12/2018 11:25 AM, Rob Crittenden wrote:
TomK wrote:
On 3/7/2018 1:11 PM, Rob Crittenden wrote:
Hey Rob,

When starting idmapd or stopping it, logs on the LDAP server don't
change.  But UIDs and GIDs change to nfsnobody when I set Nobody-User
and Nobody-Group to nfsnobody in /etc/idmapd.conf .

I don't know that merely restarting the service is going to spark
queries against LDAP. You'd probably need to do something to provoke
that (like doing an ls).
Nothing. Only once, at restart of the host, do I see something from ls, but on the second execution of ls or any type of directory interaction, nothing happens. Then it repeats randomly.

[General]
Verbosity = 9
Domain = nix.my.dom
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = idmipa01.nix.my.dom
LDAP_base = cn=accounts,DC=NIX,DC=MY,DC=DOM
LDAP_people_base = DC=NIX,DC=MY,DC=DOM
LDAP_group_base = DC=NIX,DC=MY,DC=DOM

The people basedn should probably be cn=users,cn=accounts,... and the
group base cn=groups,cn=accounts,... Unless it cleverly smashes that
together with LDAP_base, I'm not sure what it does. The 389-ds access
logs will tell you if it is trying at all (note the logs are
write-buffered so you won't see immediate updates).

If you have compat enabled then idmapd may be getting multiple entries,
one from cn=compat and one from the main tree and that could be
confusing it.
No difference.  Even the IP defined users are having this issue.

However, and this may be a very dumb question, but you raised 389-ds logs. I'm using IPA Server, not 389-ds unless you're implying I may need packages? The IPA servers come with 389-ds-base installed but do I need this or something else on the IPA clients as well?

In the existing IPA logs, no other log entries correlate with the nfsidmapd messages on the client.

Method = umich_ldap,nsswitch,static
GSS-Methods = umich_ldap,nsswitch,static

However it still lists:

Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: user_dn : <not-supplied>
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: passwd : <not-supplied>
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: use_ssl : no
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: ca_cert : <not-supplied>

and I'm not sure what variables idmapd.conf uses for password and user. Still, I've left the LAB KDC open so no users and passes are needed for simple lookups.

After setting the above, the messages in the logs changed slightly:

Mar 15 01:29:24 ipaclient01 systemd-logind: New session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 systemd: Started Session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 systemd: Starting Session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling umich_ldap->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'tomk@localdomain' domain 'nix.my.dom': resulting localname '(null)'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'tomk@localdomain' does not map into domain 'nix.my.dom'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling umich_ldap->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'nob...@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling umich_ldap->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling umich_ldap->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final return value is 0

(Port 389 between client and server are open.) Seems like the line:

Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid value: tomk@localdomain timeout 600

might be to blame. It's the first line that shows localdomain, but it should not. My hosts file:

[root@ipaclient01 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.236   ipaclient01.nix.my.dom ipaclient01
[root@ipaclient01 ~]#

Guessing key gets its info from /etc/hosts directly, and I should look at that?

Cheers,
Tom


rob


Cheers,
Tom

TomK via FreeIPA-users wrote:
Hey Guys,

Getting below message which in turn fails to list proper UID / GID on
NFSv4 mounts from within an unprivileged account. All files show up with
owner and group as nobody / nobody when viewed from the client.

Is there a way to structure /etc/idmapd.conf to allow for proper UID /
GID resolution?  Or perhaps another solution?


[root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e "/^$/d"
[General]
Verbosity = 7
Domain = nix.my.dom
[Mapping]
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu
[root@client01 etc]#

Mount looks like this:

nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4 (rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)



/var/log/messages

Mar  6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid value: t...@my.dom@localdomain timeout 600
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 't...@my.dom@localdomain' domain 'nix.my.dom': resulting localname '(null)'
Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 't...@my.dom@localdomain' does not map into domain 'nix.my.dom'
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is -22
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'nob...@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is 0
Mar  6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid value: t...@my.dom@localdomain timeout 600
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is -22
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is 0
Mar  6 00:17:31 client01 systemd-logind: Removed session 23.




Result of:

systemctl restart rpcidmapd

/var/log/messages
-------------------
Mar  5 23:46:12 client01 systemd: Stopping Automounts filesystems on demand...
Mar  5 23:46:13 client01 systemd: Stopped Automounts filesystems on demand.
Mar  5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping service...
Mar  5 23:48:51 client01 systemd: Starting Preprocess NFS configuration...
Mar  5 23:48:51 client01 systemd: Started Preprocess NFS configuration.
Mar  5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping service...
Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using domain: nix.my.dom
Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms list: 'NIX.MY.DOM'
Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: using domain: nix.my.dom
Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: Realms list: 'NIX.MY.DOM'
Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
Mar  5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is 600 seconds.
Mar  5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping service.
Mar  5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.nametoid/channel
Mar  5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.idtoname/channel


You might be able to correlate that to the 389-ds access log to see what
queries are being executed.

You probably need to set LDAP_people_base and LDAP_group_base as well.

I think ipa-client-automount only sets the Domain value and doesn't
configure the ldap section at all.

rob
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org






--
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
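The log lines in this thread show the nsswitch step answering -22 (EINVAL) for 'tomk@localdomain' and 0 for 'nobody@nix.my.dom', before any LDAP query is involved: the owner string carries a domain ('localdomain') that is not the Domain configured on the client ('nix.my.dom'), so the name is rejected and the nobody fallback is used. The script below is an added example, not the thread's or libnfsidmap's code. It models that step and runs a small triage over nfsidmap log lines to list the foreign domains present in rejected owner strings. Assumptions, made on the basis of the log output and labelled in the code: the split is at the last '@', the domain comparison is case-insensitive, a domain mismatch yields -EINVAL, and an unknown local name yields -ENOENT; the passwd table, the regular expression and the fourth sample log line are constructed.

```python
"""Added example: model of the client-side nsswitch name-to-id step and a
triage of nfsidmap log lines.  Constructed, not libnfsidmap's own code."""
import re
from errno import EINVAL, ENOENT

# Matches the upcall line the kernel hands to nfsidmap (format taken from the
# thread's log; the regular expression itself is an assumption).
LOG_KEY_RE = re.compile(
    r"nfsidmap\[(?P<pid>\d+)\]: key: (?P<key>0x[0-9a-f]+) "
    r"type: (?P<type>uid|gid) value: (?P<value>\S+) timeout (?P<timeout>\d+)"
)

# Constructed stand-in for the passwd database the nsswitch plugin consults.
PASSWD = {"tomk": 1001, "nobody": 99}


def strip_domain(name, domain):
    """Return the local part of an NFSv4 owner string, or None if its domain
    does not match the configured Domain.  Splitting at the LAST '@' (an
    assumption) is what makes 'tom@my.dom@localdomain' fail: the domain seen
    is 'localdomain', not 'my.dom'."""
    at = name.rfind("@")
    if at == -1:
        # No domain in the owner string: acceptable only when no Domain is set.
        return name if domain is None else None
    if domain is not None and name[at + 1:].lower() != domain.lower():
        return None
    return name[:at]


def nss_name_to_uid(name, domain, passwd=PASSWD):
    """Model of nfs4_name_to_uid's nsswitch step.  Returns (rc, uid):
    -EINVAL (-22) on a domain mismatch, as the log shows; -ENOENT (-2) when
    the local name is unknown (assumption); 0 with the uid on success."""
    local = strip_domain(name, domain)
    if local is None:
        return -EINVAL, None
    uid = passwd.get(local)
    if uid is None:
        return -ENOENT, None
    return 0, uid


def triage(log_lines, configured_domain):
    """Classify every upcall line by whether the client's Domain can accept
    the owner string at all.  No LDAP or passwd lookup is needed for this."""
    findings = []
    for line in log_lines:
        m = LOG_KEY_RE.search(line)
        if not m:
            continue
        value = m.group("value")
        verdict = "ok" if strip_domain(value, configured_domain) is not None else "mismatch"
        findings.append((m.group("type"), value, verdict))
    return findings


def foreign_domains(log_lines, configured_domain):
    """Domains found in rejected owner strings.  The owner string is produced
    by the side that sent it, so a domain other than the client's own Domain
    tells you which idmap configuration to compare against the client's."""
    return {
        value.rsplit("@", 1)[1]
        for _, value, verdict in triage(log_lines, configured_domain)
        if verdict == "mismatch" and "@" in value
    }


# Sample input: three lines copied from the thread's log plus one constructed
# line showing what an owner string that matches the client's Domain looks like.
SAMPLE_LOG = [
    "Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid "
    "value: tomk@localdomain timeout 600",
    "Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name "
    "'tomk@localdomain' does not map into domain 'nix.my.dom'",
    "Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid "
    "value: tomk@localdomain timeout 600",
    "Mar 15 01:29:25 ipaclient01 nfsidmap[1857]: key: 0x1a2b3c4d type: uid "
    "value: tomk@nix.my.dom timeout 600",  # constructed healthy line
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "nix.my.dom"):
        print(finding)
    print("foreign domains:", foreign_domains(SAMPLE_LOG, "nix.my.dom"))
    print("nsswitch step for tomk@localdomain:",
          nss_name_to_uid("tomk@localdomain", "nix.my.dom"))
```

Run against a real /var/log/messages, feed the lines to `triage` with the Domain from the client's /etc/idmapd.conf; every "mismatch" verdict is a name that will end up as nobody regardless of how the [UMICH_SCHEMA] section is tuned, and `foreign_domains` names the domain the other end of the mount is using.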