[Freeipa-users] IPA+AD trust and NFS nobody issue
Sumit Bose
sbose at redhat.com
Wed Jun 4 12:40:39 UTC 2014
On Wed, Jun 04, 2014 at 12:24:11PM +0000, Johan Petersson wrote:
> Mail got posted before I was finished sorry.
>
> I found one clue to the issue after increasing autofs logging to debug and as i thought it has to do with id-mapping.
>
> >From /var/log/messages:
>
> Nfsidmap[1696]: nss_getpwnam: name 'adtest at ad.home@linux.home,' does not map into domain 'linux.home,'
Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf
might help?
I'll check the nfsidmap code to see how/if it can handle trusted
domains.
bye,
Sumit
>
>
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Johan Petersson
> Sent: Wednesday, June 04, 2014 12:02 PM
> To: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> Yes Client is default RHEL 7 and both IPA and NFS Server is aswell.
>
>
> server.ad.home = AD Server
> share.linux.home = NFS Server
> ipa.linux.home = IPA Server
> client.linux.home = Client
>
> NFS with automounted krb5p Home Directories work for IPA users.
>
> sssd-1.11.2-65.el7.x86_64
>
> id adtest at AD.HOME<mailto:adtest at AD.HOME>
> uid=497801107(adtest at ad.home<mailto:adtest at ad.home>) gid=497801107(adtest at ad.home<mailto:adtest at ad.home>) groups=497801107(adtest at ad.home),497800513(domain<mailto:adtest at ad.home),497800513(domain> users at ad.home<mailto:users at ad.home>)
>
> getent passwd adtest at AD.HOME<mailto:adtest at AD.HOME>
> adtest at ad.home:*:497801107:497801107::/home/ad.home/adtest<mailto:adtest at ad.home:*:497801107:497801107::/home/ad.home/adtest>:
>
> klist after kinit adtest at AD.HOME<mailto:adtest at AD.HOME>
>
> [root at client ~]# klist -e
> Ticket cache: KEYRING:persistent:0:0
> Default principal: adtest at AD.HOME<mailto:adtest at AD.HOME>
>
> Valid starting Expires Service principal
> 06/04/14 11:28:35 06/04/14 21:28:35 krbtgt/AD.HOME at AD.HOME<mailto:krbtgt/AD.HOME at AD.HOME>
> renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> klist after ssh adtest at AD.HOME@ipa.linux.home<mailto:adtest at AD.HOME@ipa.linux.home>
>
> klist
> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
> Default principal: adtest at AD.HOME<mailto:adtest at AD.HOME>
>
> Valid starting Expires Service principal
> 06/04/14 11:35:16 06/04/14 21:35:16 nfs/share.linux.home at LINUX.HOME<mailto:nfs/share.linux.home at LINUX.HOME>
> renew until 06/05/14 11:28:30
> 06/04/14 11:35:16 06/04/14 21:35:16 krbtgt/LINUX.HOME at AD.HOME<mailto:krbtgt/LINUX.HOME at AD.HOME>
> renew until 06/05/14 11:28:30
> 06/04/14 11:28:35 06/04/14 21:35:16 krbtgt/AD.HOME at AD.HOME<mailto:krbtgt/AD.HOME at AD.HOME>
> renew until 06/05/14 11:28:30
>
> Home Directory gets mounted by autofs through sssd but user:group is both nobody.
>
> The Client's sssd.conf:
>
> [domain/linux.home]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linux.home
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = client.linux.home
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa.linux.home
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> subdomains_provider = ipa
> [sssd]
> services = nss, pam, autofs, ssh
> config_file_version = 2
>
> domains = linux.home
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
> From: freeipa-users-bounces at redhat.com<mailto:freeipa-users-bounces at redhat.com> [mailto:freeipa-users-bounces at redhat.com]<mailto:[mailto:freeipa-users-bounces at redhat.com]> On Behalf Of Dmitri Pal
> Sent: Tuesday, June 03, 2014 6:48 PM
> To: freeipa-users at redhat.com<mailto:freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> On 06/03/2014 09:07 AM, Johan Petersson wrote:
> Hi,
>
> Environment:
>
> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
> RHEL 7 NFS Server
> RHEL 7 Client
>
> I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA.
> I have created a NFS share /home/adexample.org and use autofs map in IPA.
> All wbinfo tests works as well as id.
> I can login fine through SSH and Shell with adtest at adexample.org<mailto:adtest at adexample.org>
> The problem is that I can add the AD user as owner of his Home Directory and if I log in to the NFS Server locally or through ssh permissions are correct but when logging in to any other computer i get "nobody" as owner.
> Are those computers RHEL7 NFS clients with SSSD?
> Can you describe them in more details please?
>
> Groups are no problem since AD groups can be mapped to Posix groups.
>
> Idmap.conf domain is set to the IPA Domain.
>
> Is there some way to get NFS working with the AD user as owner of his Home Directory?
>
> Thanks for any help.
>
>
> This e-mail is private and confidential between the sender and the addressee.
> In the event of misdirection, the recipient is prohibited from using, copying or
> disseminating it or any information in it. Please notify the above if any misdirection.
>
>
>
> _______________________________________________
>
> Freeipa-users mailing list
>
> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
>
> Thank you,
>
> Dmitri Pal
>
>
>
> Sr. Engineering Manager IdM portfolio
>
> Red Hat, Inc.
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list