TomK wrote:
> On 3/15/2018 11:06 AM, Rob Crittenden wrote:
>> TomK wrote:
>>> On 3/12/2018 11:25 AM, Rob Crittenden wrote:
>>>> TomK wrote:
>>>>> On 3/7/2018 1:11 PM, Rob Crittenden wrote:
>>>>> Hey Rob,
>>>>>
>>>>> When starting idmapd or stopping it, logs on the LDAP server don't change. But UIDs and GIDs change to nfsnobody when I set Nobody-User and Nobody-Group to nfsnobody in /etc/idmapd.conf.
>>>>
>>>> I don't know that merely restarting the service is going to spark queries against LDAP. You'd probably need to do something to provoke that (like doing an ls).
>>> Nothing. Only once, at restart of the host, do I see something from ls, but on the second execution of ls or any type of directory interaction nothing happens. Then it repeats randomly.
>>
>> Can you expand on this? What are you seeing on the client side? What queries do you see in LDAP related to the request (any?) Remember that the 389-ds access log is buffered so it can take up to 30 seconds for the logs to update.
>>
>> rob
>>
>
> Got it. Here is the 389-ds log at the same time as the client prints these nfsidmap messages:
>
> [ CLIENT ]
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: key: 0x3b3559c4 type: uid value: [email protected]@localdomain timeout 600
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling umich_ldap->name_to_uid
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling nsswitch->name_to_uid
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name '[email protected]@localdomain' domain 'nix.my.dom': resulting localname '(null)'
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name '[email protected]@localdomain' does not map into domain 'nix.my.dom'
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: final return value is -22
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling umich_ldap->name_to_uid
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling nsswitch->name_to_uid
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name '[email protected]' domain 'nix.my.dom': resulting localname 'nobody'
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: final return value is 0
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: key: 0x3140cc17 type: gid value: [email protected]@localdomain timeout 600
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling umich_ldap->name_to_gid
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: final return value is -22
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling umich_ldap->name_to_gid
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: final return value is 0
>
> [ IPA MASTER ]
> [15/Mar/2018:23:13:06.528045064 -0400] conn=69197 fd=260 slot=260 connection from 192.168.0.236 to 192.168.0.44
> [15/Mar/2018:23:13:06.528983720 -0400] conn=69197 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemotePerson)([email protected]@localdomain))" attrs="uidNumber gidNumber"
> [15/Mar/2018:23:13:06.529512979 -0400] conn=69197 op=0 RESULT err=0 tag=101 nentries=0 etime=0
> [15/Mar/2018:23:13:06.529825586 -0400] conn=69197 op=1 UNBIND
> [15/Mar/2018:23:13:06.529853432 -0400] conn=69197 op=1 fd=260 closed - U1
> [15/Mar/2018:23:13:06.531031559 -0400] conn=69198 fd=263 slot=263 connection from 192.168.0.236 to 192.168.0.44
> [15/Mar/2018:23:13:06.531453140 -0400] conn=69198 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemotePerson)([email protected]))" attrs="uidNumber gidNumber"
> [15/Mar/2018:23:13:06.531856184 -0400] conn=69198 op=0 RESULT err=0 tag=101 nentries=0 etime=0
> [15/Mar/2018:23:13:06.532153498 -0400] conn=69198 op=1 UNBIND
> [15/Mar/2018:23:13:06.532179628 -0400] conn=69198 op=1 fd=263 closed - U1
> [15/Mar/2018:23:13:06.546316517 -0400] conn=69199 fd=264 slot=264 connection from 192.168.0.236 to 192.168.0.44
> [15/Mar/2018:23:13:06.546763006 -0400] conn=69199 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemoteGroup)([email protected]@localdomain))" attrs="uidNumber gidNumber"
> [15/Mar/2018:23:13:06.547118926 -0400] conn=69199 op=0 RESULT err=0 tag=101 nentries=0 etime=0
Ok I have zero experience with nfsidmap over LDAP but a few observations:

- Your search base is wrong. For users it should be cn=users,cn=accounts,DC=NIX,DC=MY,DC=DOM
- It is searching on a non-existent objectclass

From what I can tell you need to set

NFSv4_person_objectclass=posixaccount
NFSv4_name_attr=uid

An alternate thing to try is to set Method=sss instead of umich_ldap and see if that helps.

rob

> [15/Mar/2018:23:13:06.547419820 -0400] conn=69199 op=1 UNBIND
> [15/Mar/2018:23:13:06.547446724 -0400] conn=69199 op=1 fd=264 closed - U1
> [15/Mar/2018:23:13:06.550193388 -0400] conn=69200 fd=265 slot=265 connection from 192.168.0.236 to 192.168.0.44
> [15/Mar/2018:23:13:06.550580770 -0400] conn=69200 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemoteGroup)([email protected]))" attrs="uidNumber gidNumber"
> [15/Mar/2018:23:13:06.550933518 -0400] conn=69200 op=0 RESULT err=0 tag=101 nentries=0 etime=0
> [15/Mar/2018:23:13:06.551220517 -0400] conn=69200 op=1 UNBIND
> [15/Mar/2018:23:13:06.551284941 -0400] conn=69200 op=1 fd=265 closed - U1
> [15/Mar/2018:23:13:06.580266816 -0400] conn=69191 op=8 SRCH base="cn=Default Trust View,cn=views,cn=accounts,dc=nix,dc=my,dc=dom" scope=2 filter="(&(objectClass=ipaUserOverride)(uid=tom))" attrs=ALL
> [15/Mar/2018:23:13:06.580664050 -0400] conn=69191 op=8 RESULT err=0 tag=101 nentries=0 etime=0
> [15/Mar/2018:23:13:06.581138601 -0400] conn=69191 op=9 EXT oid="2.16.840.1.113730.3.8.10.4.1" name="IPA trusted domain ID mapper"
> [15/Mar/2018:23:13:06.585652291 -0400] conn=69180 op=5 SRCH base="cn=Default Trust View,cn=views,cn=accounts,dc=nix,dc=my,dc=dom" scope=2 filter="(&(objectClass=ipaUserOverride)(uid=tom))" attrs=ALL
> [15/Mar/2018:23:13:06.585897291 -0400] conn=69180 op=5 RESULT err=0 tag=101 nentries=0 etime=0
> [15/Mar/2018:23:13:06.610226668 -0400] conn=9 op=99467 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=host/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.611043926 -0400] conn=9 op=99467 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.611343977 -0400] conn=9 op=99468 SRCH base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> [15/Mar/2018:23:13:06.611511419 -0400] conn=9 op=99468 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.611781846 -0400] conn=9 op=99469 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.612369061 -0400] conn=9 op=99469 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.612710359 -0400] conn=9 op=99470 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
> [15/Mar/2018:23:13:06.612874801 -0400] conn=9 op=99470 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.614845128 -0400] conn=8 op=338424 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=host/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.615299624 -0400] conn=8 op=338424 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.615585618 -0400] conn=8 op=338425 SRCH base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> [15/Mar/2018:23:13:06.615741765 -0400] conn=8 op=338425 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.616016867 -0400] conn=8 op=338426 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.616474488 -0400] conn=8 op=338426 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.616734155 -0400] conn=8 op=338427 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
> [15/Mar/2018:23:13:06.616891114 -0400] conn=8 op=338427 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.617275452 -0400] conn=8 op=338428 SRCH base="fqdn=idmipa01.nix.my.dom,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
> [15/Mar/2018:23:13:06.619766808 -0400] conn=8 op=338428 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.619940264 -0400] conn=8 op=338429 SRCH base="cn=idmipa01.nix.my.dom,cn=masters,cn=ipa,cn=etc,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=*)" attrs=ALL
> [15/Mar/2018:23:13:06.620166400 -0400] conn=8 op=338429 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.620841171 -0400] conn=8 op=338430 MOD dn="fqdn=idmipa01.nix.my.dom,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom"
> [15/Mar/2018:23:13:06.627304715 -0400] conn=8 op=338430 RESULT err=0 tag=103 nentries=0 etime=0 csn=5aab36ca000000040000
> [15/Mar/2018:23:13:06.635192361 -0400] conn=9 op=99471 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.635734053 -0400] conn=9 op=99471 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.636355108 -0400] conn=9 op=99472 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.636934738 -0400] conn=9 op=99472 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.637192683 -0400] conn=9 op=99473 SRCH base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> [15/Mar/2018:23:13:06.637329793 -0400] conn=9 op=99473 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.637651311 -0400] conn=9 op=99474 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/[email protected]))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.638056445 -0400] conn=9 op=99474 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.638324542 -0400] conn=9 op=99475 SRCH base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> [15/Mar/2018:23:13:06.638461582 -0400] conn=9 op=99475 RESULT err=0 tag=101 nentries=1 etime=0
>
> Cheers,
> Tom
>
>>>>
>>>>> [General]
>>>>> Verbosity = 9
>>>>> Domain = nix.my.dom
>>>>> [Mapping]
>>>>> Nobody-User = nfsnobody
>>>>> Nobody-Group = nfsnobody
>>>>> [Translation]
>>>>> [Static]
>>>>> [UMICH_SCHEMA]
>>>>> LDAP_server = idmipa01.nix.my.dom
>>>>> LDAP_base = cn=accounts,DC=NIX,DC=MY,DC=DOM
>>>>> LDAP_people_base = DC=NIX,DC=MY,DC=DOM
>>>>> LDAP_group_base = DC=NIX,DC=MY,DC=DOM
>>>>
>>>> The people basedn should probably be cn=users,cn=accounts,... and the group base cn=groups,cn=accounts,... Unless it cleverly smashes that together with LDAP_base, I'm not sure what it does. The 389-ds access logs will tell you if it is trying at all (note the logs are write-buffered so you won't see immediate updates).
>>>>
>>>> If you have compat enabled then idmapd may be getting multiple entries, one from cn=compat and one from the main tree and that could be confusing it.
>>> No difference. Even the IP defined users are having this issue.
>>>
>>> However, and this may be a very dumb question, but you raised 389-ds logs. I'm using IPA Server, not 389-ds unless you're implying I may need packages? The IPA servers come with 389-ds-base installed but do I need this or something else on the IPA clients as well?
>>>
>>> In the existing IPA logs, no other log entries correlate with the nfsidmapd messages on the client.
>>>
>>> Method = umich_ldap,nsswitch,static
>>> GSS-Methods = umich_ldap,nsswitch,static
>>>
>>> However it still lists:
>>>
>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: user_dn : <not-supplied>
>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: passwd : <not-supplied>
>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: use_ssl : no
>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: ca_cert : <not-supplied>
>>>
>>> and I'm not sure what variables idmapd.conf uses for password and user. Still, I've left the LAB KDC open so no users and passes are needed for simple lookups.
>>>
>>> After setting the above, the messages in the logs changed slightly:
>>>
>>> Mar 15 01:29:24 ipaclient01 systemd-logind: New session 5 of user tomk.
>>> Mar 15 01:29:24 ipaclient01 systemd: Started Session 5 of user tomk.
>>> Mar 15 01:29:24 ipaclient01 systemd: Starting Session 5 of user tomk.
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid value: tomk@localdomain timeout 600
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling umich_ldap->name_to_uid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'tomk@localdomain' domain 'nix.my.dom': resulting localname '(null)'
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'tomk@localdomain' does not map into domain 'nix.my.dom'
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is -22
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling umich_ldap->name_to_uid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name '[email protected]' domain 'nix.my.dom': resulting localname 'nobody'
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is 0
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid value: tomk@localdomain timeout 600
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling umich_ldap->name_to_gid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final return value is -22
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling umich_ldap->name_to_gid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final return value is 0
>>>
>>> (Port 389 between client and server is open.) Seems like the line:
>>>
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid value: tomk@localdomain timeout 600
>>>
>>> might be to blame. It's the first line that shows localdomain, but it should not. My hosts file:
>>>
>>> [root@ipaclient01 ~]# cat /etc/hosts
>>> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
>>> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>>> 192.168.0.236 ipaclient01.nix.my.dom ipaclient01
>>> [root@ipaclient01 ~]#
>>>
>>> Guessing key gets its info from /etc/hosts directly and I should look at that?
>>>
>>> Cheers,
>>> Tom
>>>
>>>>
>>>> rob
>>>>
>>>>>
>>>>> Cheers,
>>>>> Tom
>>>>>
>>>>>> TomK via FreeIPA-users wrote:
>>>>>>> Hey Guys,
>>>>>>>
>>>>>>> Getting below message which in turn fails to list proper UID / GID on NFSv4 mounts from within an unprivileged account. All files show up with owner and group as nobody / nobody when viewed from the client.
>>>>>>>
>>>>>>> Is there a way to structure /etc/idmapd.conf to allow for proper UID / GID resolution? Or perhaps another solution?
>>>>>>>
>>>>>>> [root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e "/^$/d"
>>>>>>> [General]
>>>>>>> Verbosity = 7
>>>>>>> Domain = nix.my.dom
>>>>>>> [Mapping]
>>>>>>> [Translation]
>>>>>>> [Static]
>>>>>>> [UMICH_SCHEMA]
>>>>>>> LDAP_server = ldap-server.local.domain.edu
>>>>>>> LDAP_base = dc=local,dc=domain,dc=edu
>>>>>>> [root@client01 etc]#
>>>>>>>
>>>>>>> Mount looks like this:
>>>>>>>
>>>>>>> nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4 (rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)
>>>>>>>
>>>>>>> /var/log/messages
>>>>>>>
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid value: [email protected]@localdomain timeout 600
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name '[email protected]@localdomain' domain 'nix.my.dom': resulting localname '(null)'
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name '[email protected]@localdomain' does not map into domain 'nix.my.dom'
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is -22
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name '[email protected]' domain 'nix.my.dom': resulting localname 'nobody'
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is 0
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid value: [email protected]@localdomain timeout 600
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is -22
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is 0
>>>>>>> Mar 6 00:17:31 client01 systemd-logind: Removed session 23.
>>>>>>>
>>>>>>> Result of:
>>>>>>>
>>>>>>> systemctl restart rpcidmapd
>>>>>>>
>>>>>>> /var/log/messages
>>>>>>> -------------------
>>>>>>> Mar 5 23:46:12 client01 systemd: Stopping Automounts filesystems on demand...
>>>>>>> Mar 5 23:46:13 client01 systemd: Stopped Automounts filesystems on demand.
>>>>>>> Mar 5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping service...
>>>>>>> Mar 5 23:48:51 client01 systemd: Starting Preprocess NFS configuration...
>>>>>>> Mar 5 23:48:51 client01 systemd: Started Preprocess NFS configuration.
>>>>>>> Mar 5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping service...
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using domain: nix.my.dom
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms list: 'NIX.MY.DOM'
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: using domain: nix.my.dom
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: Realms list: 'NIX.MY.DOM'
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is 600 seconds.
>>>>>>> Mar 5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping service.
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.nametoid/channel
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.idtoname/channel
>>>>>>>
>>>>>>
>>>>>> You might be able to correlate that to the 389-ds access log to see what queries are being executed.
>>>>>>
>>>>>> You probably need to set LDAP_people_base and LDAP_group_base as well.
>>>>>>
>>>>>> I think ipa-client-automount only sets the Domain value and doesn't configure the ldap section at all.
>>>>>>
>>>>>> rob
>>>>>> _______________________________________________
>>>>>> sssd-users mailing list -- [email protected]
>>>>>> To unsubscribe send an email to [email protected]
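An added example, not code from the thread or from libnfsidmap/FreeIPA, that turns Rob's two observations into a check a client admin can run over the same two logs: it reads nfsidmap's `key:` lines from the client and pairs each 389-ds SRCH with its RESULT by conn/op, flagging owner strings that carry a second `@localdomain`, searches whose base is not under cn=users,cn=accounts (or cn=groups,cn=accounts), and searches for the UMICH object classes that return zero entries. The sample log lines are constructed from the thread with placeholder names; the NFSv4Name attribute is libnfsidmap's default and the NFSv4_group_objectclass/NFSv4_group_attr key names are taken from idmapd.conf(5), neither of which appears in the thread.

```python
"""Correlate nfsidmap client messages with 389-ds access-log searches."""
import re

IDMAP_DOMAIN = "nix.my.dom"   # the Domain= value from the client's idmapd.conf

# Object classes libnfsidmap's UMICH schema searches for by default; FreeIPA
# does not define them, so such searches always come back with nentries=0.
UMICH_PERSON = "nfsv4remoteperson"
UMICH_GROUP = "nfsv4remotegroup"
GROUP_CLASSES = {UMICH_GROUP, "posixgroup"}
IPA_PEOPLE_BASE = "cn=users,cn=accounts,"    # where FreeIPA keeps users
IPA_GROUP_BASE = "cn=groups,cn=accounts,"    # ... and groups

KEY_RE = re.compile(r"nfsidmap\[\d+\]: key: (?P<key>0x[0-9a-f]+) type: (?P<type>uid|gid) value: (?P<value>\S+)")
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" scope=\d+ filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=\d+ .*nentries=(?P<n>\d+)")
OC_RE = re.compile(r"objectClass=([^)]+)", re.IGNORECASE)

# Constructed sample input modelled on the thread (user and attribute names are
# placeholders; the last search shows what a corrected configuration produces).
CLIENT_LOG = """\
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: key: 0x3b3559c4 type: uid value: tom@nix.my.dom@localdomain timeout 600
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name 'tom@nix.my.dom@localdomain' does not map into domain 'nix.my.dom'
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: key: 0x3140cc17 type: gid value: tom@nix.my.dom@localdomain timeout 600
Mar 15 23:13:06 ipaclient01 nfsidmap[5003]: key: 0x0000abcd type: uid value: tom@nix.my.dom timeout 600
"""
ACCESS_LOG = """\
[15/Mar/2018:23:13:06.528983720 -0400] conn=69197 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemotePerson)(NFSv4Name=tom@nix.my.dom@localdomain))" attrs="uidNumber gidNumber"
[15/Mar/2018:23:13:06.529512979 -0400] conn=69197 op=0 RESULT err=0 tag=101 nentries=0 etime=0
[15/Mar/2018:23:13:06.546763006 -0400] conn=69199 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemoteGroup)(NFSv4Name=tom@nix.my.dom@localdomain))" attrs="uidNumber gidNumber"
[15/Mar/2018:23:13:06.547118926 -0400] conn=69199 op=0 RESULT err=0 tag=101 nentries=0 etime=0
[15/Mar/2018:23:14:00.000000000 -0400] conn=70000 op=0 SRCH base="cn=users,cn=accounts,dc=nix,dc=my,dc=dom" scope=2 filter="(&(objectClass=posixAccount)(uid=tom))" attrs="uidNumber gidNumber"
[15/Mar/2018:23:14:00.000100000 -0400] conn=70000 op=0 RESULT err=0 tag=101 nentries=1 etime=0
"""


def check_client_names(client_log, domain=IDMAP_DOMAIN):
    """Flag NFSv4 owner strings the client cannot map into its Domain."""
    findings = []
    for m in KEY_RE.finditer(client_log):
        value, tag = m["value"], f"{m['type']} key {m['key']}"
        parts = value.split("@")
        if len(parts) > 2:
            # the server sent user@domain and the client appended a second
            # domain of its own: check the client's hostname / Domain= first
            findings.append(f"{tag}: '{value}' carries two '@' domains")
        elif len(parts) == 2 and parts[1].lower() != domain.lower():
            findings.append(f"{tag}: '{value}' is not in domain '{domain}'")
    return findings


def check_access_log(access_log):
    """Pair each SRCH with its RESULT (by conn/op) and flag searches that
    cannot succeed against a FreeIPA tree."""
    pending, findings = {}, []
    for line in access_log.splitlines():
        s = SRCH_RE.search(line)
        if s:
            pending[(s["conn"], s["op"])] = (s["base"], s["filter"])
            continue
        r = RESULT_RE.search(line)
        if not r or (r["conn"], r["op"]) not in pending:
            continue
        base, flt = pending.pop((r["conn"], r["op"]))
        where = f"conn={r['conn']} op={r['op']}"
        classes = {c.lower() for c in OC_RE.findall(flt)}
        empty = int(r["n"]) == 0
        if empty and UMICH_PERSON in classes:
            findings.append(f"{where}: objectClass NFSv4RemotePerson is not in the FreeIPA schema; "
                            "set NFSv4_person_objectclass=posixaccount and NFSv4_name_attr=uid (or Method=sss)")
        if empty and UMICH_GROUP in classes:
            findings.append(f"{where}: objectClass NFSv4RemoteGroup is not in the FreeIPA schema; "
                            "the group search needs the matching NFSv4_group_objectclass/NFSv4_group_attr")
        expected = IPA_GROUP_BASE if classes & GROUP_CLASSES else IPA_PEOPLE_BASE
        if not base.lower().startswith(expected):
            findings.append(f"{where}: search base '{base}' is not under {expected}<suffix>, "
                            "where FreeIPA keeps these entries")
    return findings


if __name__ == "__main__":
    for finding in check_client_names(CLIENT_LOG) + check_access_log(ACCESS_LOG):
        print(finding)
```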
