On 3/17/2018 1:31 AM, TomK wrote:
On 3/17/2018 12:43 AM, TomK wrote:
On 3/16/2018 3:20 PM, Rob Crittenden via FreeIPA-users wrote:
TomK wrote:
On 3/15/2018 11:06 AM, Rob Crittenden wrote:
TomK wrote:
On 3/12/2018 11:25 AM, Rob Crittenden wrote:
TomK wrote:
On 3/7/2018 1:11 PM, Rob Crittenden wrote:
Hey Rob,

When starting idmapd or stopping it, logs on the LDAP server don't
change.  But UID and GID's change to nfsnobody when I set Nobody-User
and Nobody-Group to nfsnobody in /etc/idmapd.conf .

I don't know that merely restarting the service is going to spark
queries against LDAP. You'd probably need to do something to provoke
that (like doing an ls).
Nothing.  Once at restart of the host do I see something from ls but on
second execution of ls or any type of directory interaction, nothing
happens.  Then it repeats randomly.

Can you expand on this? What are you seeing on the client side? What
queries do you see in LDAP related to the request (any?) Remember that
the 389-ds access log is buffered so it can take up to 30 seconds for
the logs to update.

rob


Got it.  Here is the 389-ds log at the same time as the client prints
these nfsidmap messages:

[ CLIENT ]
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: key: 0x3b3559c4 type: uid
value: t...@my.dom@localdomain timeout 600
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling
umich_ldap->name_to_uid
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: ldap_init_and_bind: version
mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid:
umich_ldap->name_to_uid returned -2
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name
't...@my.dom@localdomain' domain 'nix.my.dom': resulting localname '(null)'
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name
't...@my.dom@localdomain' does not map into domain 'nix.my.dom'
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid:
nsswitch->name_to_uid returned -22
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: final
return value is -22
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling
umich_ldap->name_to_uid
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: ldap_init_and_bind: version
mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid:
umich_ldap->name_to_uid returned -2
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name
'nob...@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid:
nsswitch->name_to_uid returned 0
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: final
return value is 0
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: key: 0x3140cc17 type: gid
value: t...@my.dom@localdomain timeout 600
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling
umich_ldap->name_to_gid
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: ldap_init_and_bind: version
mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid:
umich_ldap->name_to_gid returned -2
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid:
nsswitch->name_to_gid returned -22
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: final
return value is -22
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling
umich_ldap->name_to_gid
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: ldap_init_and_bind: version
mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid:
umich_ldap->name_to_gid returned -2
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid:
nsswitch->name_to_gid returned 0
Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: final
return value is 0
[ IPA MASTER ]
[15/Mar/2018:23:13:06.528045064 -0400] conn=69197 fd=260 slot=260
connection from 192.168.0.236 to 192.168.0.44
[15/Mar/2018:23:13:06.528983720 -0400] conn=69197 op=0 SRCH
base="DC=NIX,DC=MY,DC=DOM" scope=2
filter="(&(objectClass=NFSv4RemotePerson)(nfsv4name=t...@my.dom@localdomain))"
attrs="uidNumber gidNumber"
[15/Mar/2018:23:13:06.529512979 -0400] conn=69197 op=0 RESULT err=0
tag=101 nentries=0 etime=0
[15/Mar/2018:23:13:06.529825586 -0400] conn=69197 op=1 UNBIND
[15/Mar/2018:23:13:06.529853432 -0400] conn=69197 op=1 fd=260 closed - U1
[15/Mar/2018:23:13:06.531031559 -0400] conn=69198 fd=263 slot=263
connection from 192.168.0.236 to 192.168.0.44
[15/Mar/2018:23:13:06.531453140 -0400] conn=69198 op=0 SRCH
base="DC=NIX,DC=MY,DC=DOM" scope=2
filter="(&(objectClass=NFSv4RemotePerson)(nfsv4name=nob...@nix.my.dom))"
attrs="uidNumber gidNumber"
[15/Mar/2018:23:13:06.531856184 -0400] conn=69198 op=0 RESULT err=0
tag=101 nentries=0 etime=0
[15/Mar/2018:23:13:06.532153498 -0400] conn=69198 op=1 UNBIND
[15/Mar/2018:23:13:06.532179628 -0400] conn=69198 op=1 fd=263 closed - U1
[15/Mar/2018:23:13:06.546316517 -0400] conn=69199 fd=264 slot=264
connection from 192.168.0.236 to 192.168.0.44
[15/Mar/2018:23:13:06.546763006 -0400] conn=69199 op=0 SRCH
base="DC=NIX,DC=MY,DC=DOM" scope=2
filter="(&(objectClass=NFSv4RemoteGroup)(nfsv4name=t...@my.dom@localdomain))"
attrs="uidNumber gidNumber"
[15/Mar/2018:23:13:06.547118926 -0400] conn=69199 op=0 RESULT err=0
tag=101 nentries=0 etime=0

Ok I have zero experience with nfsidmap over LDAP but a few observations:

- Your search base is wrong. For users it should
cn=users,cn=accounts,DC=NIX,DC=MY,DC=DOM
- It is searching on a non-existent objectclass From what I can tell you
need to set
NFSv4_person_objectclass=posixaccount
NFSv4_name_attr=uid

An alternate thing to try is to set Method=sss instead of umich_ldap and
see if that helps.

rob

Thanks Rob.  But unfortunately none of those did the trick.

[General]
Verbosity = 9
Local-Realms = NIX.MY.DOM,MY.DOM
Domain = nix.my.dom
[Mapping]
[Translation]
Method = sss,umich_ldap,nsswitch,static
GSS-Methods = sss,umich_ldap,nsswitch,static
[Static]
[UMICH_SCHEMA]
LDAP_server = idmipa01.nix.my.dom
LDAP_base = cn=users,cn=accounts,DC=NIX,DC=MY,DC=DOM
LDAP_people_base = DC=NIX,DC=MY,DC=DOM
LDAP_group_base = DC=NIX,DC=MY,DC=DOM
NFSv4_person_objectclass = posixaccount
NFSv4_name_attr = uid

Well the weekend's here though so maybe I can spend a little more time focusing on this and finally get it solved.  The tip to use sss as the Method was great and I also added it to the GSS-Methods as well but no luck.  The fact that localdomain even appears in the logs bothers me. I don't think it should given the Domain is set correctly in the /etc/idmapd.conf file.


I'm using NFS Ganesha for my NFS mounts ( It's a user space version of NFS. )  However, they don't need the idmapd service running and load only the idmapd libraries.

But the default value for the Domain in the idmapd libraries is localdomain and perhaps that's why it keeps showing up even though I explicitly set the Domain = nix.my.dom  .


https://github.com/Distrotech/libnfsidmap/blob/distrotech-libnfsidmap/libnfsidmap.c


[root@ipaclient01 ~]# strings /lib64/libnfsidmap.so.0|grep domain
nfs4_get_default_domain
Unable to determine a default nfsv4 domain;  consider specifying one in idmapd.conf libnfsidmap: Unable to determine the NFSv4 domain; Using '%s' as the NFSv4 domain which means UIDs will be mapped to the 'Nobody-User' user defined in %s
libnfsidmap: using%s domain: %s
localdomain
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]# strings /lib64/libnfsidmap.so.0.3.0|grep domain
nfs4_get_default_domain
Unable to determine a default nfsv4 domain;  consider specifying one in idmapd.conf libnfsidmap: Unable to determine the NFSv4 domain; Using '%s' as the NFSv4 domain which means UIDs will be mapped to the 'Nobody-User' user defined in %s
libnfsidmap: using%s domain: %s
localdomain                      <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[root@ipaclient01 ~]# strings /lib64/libnfsidmap/nsswitch.so | grep domain
get_default_domain
nss_getpwnam: name '%s' domain '%s': resulting localname '%s'
nss_getpwnam: name '%s' does not map into domain '%s'
nss_getpwnam: name '%s' not found in domain '%s'
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]# strings /lib64/libnfsidmap/static.so|grep -i domain
[root@ipaclient01 ~]# strings /lib64/libnfsidmap/umich_ldap.so|grep -i domain
[root@ipaclient01 ~]#

And perhaps that's why things don't work. Guess I'll see how all this works with the built in Kernel NFS module.
[15/Mar/2018:23:13:06.547419820 -0400] conn=69199 op=1 UNBIND
[15/Mar/2018:23:13:06.547446724 -0400] conn=69199 op=1 fd=264 closed - U1
[15/Mar/2018:23:13:06.550193388 -0400] conn=69200 fd=265 slot=265
connection from 192.168.0.236 to 192.168.0.44
[15/Mar/2018:23:13:06.550580770 -0400] conn=69200 op=0 SRCH
base="DC=NIX,DC=MY,DC=DOM" scope=2
filter="(&(objectClass=NFSv4RemoteGroup)(nfsv4name=nob...@nix.my.dom))"
attrs="uidNumber gidNumber"
[15/Mar/2018:23:13:06.550933518 -0400] conn=69200 op=0 RESULT err=0
tag=101 nentries=0 etime=0
[15/Mar/2018:23:13:06.551220517 -0400] conn=69200 op=1 UNBIND
[15/Mar/2018:23:13:06.551284941 -0400] conn=69200 op=1 fd=265 closed - U1
[15/Mar/2018:23:13:06.580266816 -0400] conn=69191 op=8 SRCH
base="cn=Default Trust View,cn=views,cn=accounts,dc=nix,dc=my,dc=dom"
scope=2 filter="(&(objectClass=ipaUserOverride)(uid=tom))" attrs=ALL
[15/Mar/2018:23:13:06.580664050 -0400] conn=69191 op=8 RESULT err=0
tag=101 nentries=0 etime=0
[15/Mar/2018:23:13:06.581138601 -0400] conn=69191 op=9 EXT
oid="2.16.840.1.113730.3.8.10.4.1" name="IPA trusted domain ID mapper"
[15/Mar/2018:23:13:06.585652291 -0400] conn=69180 op=5 SRCH
base="cn=Default Trust View,cn=views,cn=accounts,dc=nix,dc=my,dc=dom"
scope=2 filter="(&(objectClass=ipaUserOverride)(uid=tom))" attrs=ALL
[15/Mar/2018:23:13:06.585897291 -0400] conn=69180 op=5 RESULT err=0
tag=101 nentries=0 etime=0
[15/Mar/2018:23:13:06.610226668 -0400] conn=9 op=99467 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/idmipa01.nix.my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=host/idmipa01.nix.my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.611043926 -0400] conn=9 op=99467 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.611343977 -0400] conn=9 op=99468 SRCH
base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[15/Mar/2018:23:13:06.611511419 -0400] conn=9 op=99468 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.611781846 -0400] conn=9 op=99469 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/nix.my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/nix.my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.612369061 -0400] conn=9 op=99469 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.612710359 -0400] conn=9 op=99470 SRCH
base="cn=Default Host Password
Policy,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
krbPwdFailureCountInterval krbPwdLockoutDuration"
[15/Mar/2018:23:13:06.612874801 -0400] conn=9 op=99470 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.614845128 -0400] conn=8 op=338424 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/idmipa01.nix.my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=host/idmipa01.nix.my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.615299624 -0400] conn=8 op=338424 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.615585618 -0400] conn=8 op=338425 SRCH
base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[15/Mar/2018:23:13:06.615741765 -0400] conn=8 op=338425 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.616016867 -0400] conn=8 op=338426 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/nix.my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/nix.my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.616474488 -0400] conn=8 op=338426 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.616734155 -0400] conn=8 op=338427 SRCH
base="cn=Default Host Password
Policy,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
krbPwdFailureCountInterval krbPwdLockoutDuration"
[15/Mar/2018:23:13:06.616891114 -0400] conn=8 op=338427 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.617275452 -0400] conn=8 op=338428 SRCH
base="fqdn=idmipa01.nix.my.dom,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom"
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
ipaNTHomeDirectoryDrive"
[15/Mar/2018:23:13:06.619766808 -0400] conn=8 op=338428 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.619940264 -0400] conn=8 op=338429 SRCH
base="cn=idmipa01.nix.my.dom,cn=masters,cn=ipa,cn=etc,dc=nix,dc=my,dc=dom"
scope=0 filter="(objectClass=*)" attrs=ALL
[15/Mar/2018:23:13:06.620166400 -0400] conn=8 op=338429 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.620841171 -0400] conn=8 op=338430 MOD
dn="fqdn=idmipa01.nix.my.dom,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom"
[15/Mar/2018:23:13:06.627304715 -0400] conn=8 op=338430 RESULT err=0
tag=103 nentries=0 etime=0 csn=5aab36ca000000040000
[15/Mar/2018:23:13:06.635192361 -0400] conn=9 op=99471 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/nix.my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/nix.my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.635734053 -0400] conn=9 op=99471 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.636355108 -0400] conn=9 op=99472 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/my....@nix.my.dom)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/my....@nix.my.dom)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.636934738 -0400] conn=9 op=99472 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.637192683 -0400] conn=9 op=99473 SRCH
base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[15/Mar/2018:23:13:06.637329793 -0400] conn=9 op=99473 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.637651311 -0400] conn=9 op=99474 SRCH
base="dc=nix,dc=my,dc=dom" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/idmipa01.nix.my....@nix.my.dom))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[15/Mar/2018:23:13:06.638056445 -0400] conn=9 op=99474 RESULT err=0
tag=101 nentries=1 etime=0
[15/Mar/2018:23:13:06.638324542 -0400] conn=9 op=99475 SRCH
base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[15/Mar/2018:23:13:06.638461582 -0400] conn=9 op=99475 RESULT err=0
tag=101 nentries=1 etime=0
Cheers,
Tom


[General]
Verbosity = 9
Domain = nix.my.dom
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = idmipa01.nix.my.dom
LDAP_base = cn=accounts,DC=NIX,DC=MY,DC=DOM
LDAP_people_base = DC=NIX,DC=MY,DC=DOM
LDAP_group_base = DC=NIX,DC=MY,DC=DOM

The people basedn should probably be cn=users,cn=accounts,... and the
group base cn=groups,cn=accounts,... Unless it cleverly smashes that
together with LDAP_base, I'm not sure what it does. The 389-ds access
logs will tell you if it is trying at all (note the logs are
write-buffered so you won't see immediate updates).

If you have compat enabled then idmapd may be getting multiple entries,
one from cn=compat and one from the main tree and that could be
confusing it.
No difference.  Even the IP defined users are having this issue.

However, and this may be a very dumb question, but you raised 389-ds
logs.  I'm using IPA Server, not 389-ds unless you're implying I may
need packages?  The IPA servers come with 389-ds-base installed but do I
need this or something else on the IPA clients as well?

In the existing IPA logs, no other log entries correlate with the
nfsidmapd messages on the client.

Method = umich_ldap,nsswitch,static
GSS-Methods = umich_ldap,nsswitch,static

However it still lists:

Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
user_dn : <not-supplied>
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
passwd  : <not-supplied>
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
use_ssl : no
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
ca_cert : <not-supplied>

and I'm not sure what variables idmapd.conf uses for password and user. Still, I've left the LAB KDC open so no users and passes are needed for
simple lookups.

After setting the above, the messages in the logs changed slightly:

Mar 15 01:29:24 ipaclient01 systemd-logind: New session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 systemd: Started Session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 systemd: Starting Session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid
value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
umich_ldap->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
umich_ldap->name_to_uid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
'tomk@localdomain' domain 'nix.my.dom': resulting localname '(null)'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
'tomk@localdomain' does not map into domain 'nix.my.dom'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
nsswitch->name_to_uid returned -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final
return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
umich_ldap->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
umich_ldap->name_to_uid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
'nob...@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
nsswitch->name_to_uid returned 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final
return value is 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid
value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
umich_ldap->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
umich_ldap->name_to_gid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
nsswitch->name_to_gid returned -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final
return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
umich_ldap->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
umich_ldap->name_to_gid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
nsswitch->name_to_gid returned 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final
return value is 0

(Port 389 between client and server are open.) Seems like the line:

Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid
value: tomk@localdomain timeout 600

might be to blame.  It's the first line that shows localdomain, but it
should not.  My hosts file:

[root@ipaclient01 ~]# cat /etc/hosts
127.0.0.1       localhost localhost.localdomain localhost4
localhost4.localdomain4
::1             localhost localhost.localdomain localhost6
localhost6.localdomain6
192.168.0.236   ipaclient01.nix.my.dom ipaclient01
[root@ipaclient01 ~]#

Guessing key gets its info from /etc/hosts directly and I should look
at that?

Cheers,
Tom


rob


Cheers,
Tom

TomK via FreeIPA-users wrote:
Hey Guys,

Getting below message which in turn fails to list proper UID /
GID on
NFSv4 mounts from within an unprivileged account. All files show up
with
owner and group as nobody / nobody when viewed from the client.

Is there a way to structure /etc/idmapd.conf to allow for proper
UID /
GID resolution?  Or perhaps another solution?


[root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e
"/^$/d"
[General]
Verbosity = 7
Domain = nix.my.dom
[Mapping]
[Translation]
[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu
[root@client01 etc]#

Mount looks like this:

nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4
(rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)
/var/log/messages

Mar  6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid
value: t...@my.dom@localdomain timeout 600
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
't...@my.dom@localdomain' domain 'nix.my.dom': resulting localname
'(null)'
Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
't...@my.dom@localdomain' does not map into domain 'nix.my.dom'
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid:
nsswitch->name_to_uid returned -22
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final
return
value is -22
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar  6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
'nob...@nix.my.dom' domain 'nix.my.dom': resulting localname
'nobody'
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid:
nsswitch->name_to_uid returned 0
Mar  6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final
return
value is 0
Mar  6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid
value: t...@my.dom@localdomain timeout 600
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid:
nsswitch->name_to_gid returned -22
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final
return
value is -22
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid:
nsswitch->name_to_gid returned 0
Mar  6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final
return
value is 0
Mar  6 00:17:31 client01 systemd-logind: Removed session 23.
Result of:

systemctl restart rpcidmapd

/var/log/messages
-------------------
Mar  5 23:46:12 client01 systemd: Stopping Automounts filesystems on
demand...
Mar  5 23:46:13 client01 systemd: Stopped Automounts filesystems on
demand.
Mar  5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping
service...
Mar  5 23:48:51 client01 systemd: Starting Preprocess NFS
configuration...
Mar  5 23:48:51 client01 systemd: Started Preprocess NFS
configuration.
Mar  5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping
service...
Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using
domain:
nix.my.dom
Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms
list:
'NIX.MY.DOM'
Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: using
domain: nix.my.dom
Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: Realms
list: 'NIX.MY.DOM'
Mar  5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: loaded
plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
Mar  5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded
plugin
/lib64/libnfsidmap/nsswitch.so for method nsswitch
Mar  5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is 600
seconds.
Mar  5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping
service.
Mar  5 23:48:51 client01 rpc.idmapd[14118]: Opened
/proc/net/rpc/nfs4.nametoid/channel
Mar  5 23:48:51 client01 rpc.idmapd[14118]: Opened
/proc/net/rpc/nfs4.idtoname/channel


You might be able to correlate that to the 389-ds access log to see
what
queries are being executed.

You probably need to set LDAP_people_base and LDAP_group_base as
well.

I think ipa-client-automount only sets the Domain value and doesn't
configure the ldap section at all.

rob
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to
sssd-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-us...@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Solved.

Here's the solution in case it can help someone else.

To get a certain feature in NFS Ganesha, I had to compile the V2.6 release from source. When configuring to compile, idmapd support got disabled since packages were missing:

libnfsidmap-devel-0.25-17.el7.x86_64

Installed the above package and recompiled with nfsidmap support enabled and this issue went away. Users now show up properly off the NFS mount on clients.

--
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
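As an added example (not code from this thread, nor from libnfsidmap, NFS Ganesha or FreeIPA), here is a small Python model of the name-to-uid chain the client logs in the thread show, plus parsers for the two log formats that were being correlated. The nsswitch behaviour it models is what the messages "does not map into domain" (-22) and "returned -2" indicate: the wire name's domain must equal idmapd.conf's Domain before the local part is looked up, and on failure the Nobody-User@Domain name is tried instead. The passwd table and the sample log lines are constructed; the two checks in diagnose_access_log (umich default objectClass versus posixaccount/uid, and a base outside cn=accounts) follow Rob's observations earlier in the thread.

```python
"""Diagnose NFSv4 id-mapping failures from nfsidmap client log lines and
389-ds access log lines.  Added example; not code from the thread."""
import re

EINVAL, ENOENT = 22, 2

# Constructed stand-in for getpwnam() as answered by sssd on the IPA client.
PASSWD = {"tom": 1001, "tomk": 1002, "nobody": 99, "nfsnobody": 65534}


def nss_name_to_uid(name, domain, passwd=PASSWD):
    """Model of the nsswitch plugin: a 'user@domain' wire name is accepted
    only when its domain equals idmapd.conf's Domain (case-insensitively),
    otherwise -EINVAL (the 'does not map into domain' / -22 in the logs).
    A matching domain with an unknown local user gives -ENOENT (-2)."""
    local, sep, dom = name.rpartition("@")
    if not sep or dom.lower() != domain.lower():
        return -EINVAL
    uid = passwd.get(local)
    return uid if uid is not None else -ENOENT


def nfs4_name_to_uid(name, domain, nobody_user="nobody", passwd=PASSWD):
    """Mapping chain as the logs show it: try the wire name, then fall back
    to Nobody-User@Domain, which is why every file shows up owned by nobody."""
    rc = nss_name_to_uid(name, domain, passwd)
    if rc >= 0:
        return rc, "mapped"
    fallback = nss_name_to_uid(f"{nobody_user}@{domain}", domain, passwd)
    return (fallback, "nobody-fallback") if fallback >= 0 else (rc, "failed")


KEY_RE = re.compile(
    r"nfsidmap\[\d+\]: key: (0x[0-9a-f]+) type: (uid|gid) value: (\S+) timeout")


def diagnose_client_log(lines, domain):
    """Return (wire_name, finding) for each key request whose domain part
    differs from idmapd's Domain: the mismatch the thread keeps hitting."""
    findings = []
    for line in lines:
        m = KEY_RE.search(line)
        if not m:
            continue
        _key, _kind, wire = m.groups()
        _local, _sep, dom = wire.rpartition("@")
        if dom.lower() != domain.lower():
            findings.append((wire, f"wire domain '{dom}' != Domain '{domain}'"))
    return findings


SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(
    r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)")


def diagnose_access_log(lines):
    """Pair each SRCH with its RESULT by (conn, op) and, for searches that
    returned no entries, report why the IPA tree could not answer them."""
    searches, findings = {}, []
    for line in lines:
        s = SRCH_RE.search(line)
        if s:
            conn, op, base, filt = s.groups()
            searches[(conn, op)] = (base, filt)
            continue
        r = RESULT_RE.search(line)
        if r and (r.group(1), r.group(2)) in searches and int(r.group(4)) == 0:
            base, filt = searches[(r.group(1), r.group(2))]
            reasons = []
            if "NFSv4Remote" in filt:
                reasons.append("umich default objectClass; IPA uses posixaccount/uid")
            if "cn=accounts" not in base.lower():
                reasons.append("search base is not under cn=accounts")
            if reasons:
                findings.append((base, filt, reasons))
    return findings


# Constructed sample lines in the same formats as the client and IPA logs.
CLIENT_LOG = [
    "Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid value: tomk@localdomain timeout 600",
    "Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid value: tomk@localdomain timeout 600",
    "Mar 15 01:30:00 ipaclient01 nfsidmap[1860]: key: 0x0a0b0c0d type: uid value: tom@nix.my.dom timeout 600",
]
ACCESS_LOG = [
    '[15/Mar/2018:23:13:06.528983720 -0400] conn=69197 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemotePerson)(nfsv4name=tomk@localdomain))" attrs="uidNumber gidNumber"',
    "[15/Mar/2018:23:13:06.529512979 -0400] conn=69197 op=0 RESULT err=0 tag=101 nentries=0 etime=0",
    '[15/Mar/2018:23:13:07.000000000 -0400] conn=69201 op=0 SRCH base="cn=users,cn=accounts,dc=nix,dc=my,dc=dom" scope=2 filter="(&(objectClass=posixaccount)(uid=tom))" attrs="uidNumber gidNumber"',
    "[15/Mar/2018:23:13:07.000100000 -0400] conn=69201 op=0 RESULT err=0 tag=101 nentries=1 etime=0",
]

if __name__ == "__main__":
    print(nfs4_name_to_uid("tomk@localdomain", "nix.my.dom"))
    print(diagnose_client_log(CLIENT_LOG, "nix.my.dom"))
    print(diagnose_access_log(ACCESS_LOG))
```

Feed diagnose_client_log the nfsidmap lines from /var/log/messages and diagnose_access_log the raw 389-ds access log (both the SRCH and the RESULT line of each operation are needed, and the access log is write-buffered, so wait for it to flush). A wire name whose domain is not the configured Domain can never map, whatever the LDAP section says, which is the symptom the thread chased before finding that the Ganesha build simply lacked idmap support.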