[Freeipa-users] IPA+AD trust and NFS nobody issue

Sumit Bose sbose at redhat.com
Wed Jun 4 12:40:39 UTC 2014


On Wed, Jun 04, 2014 at 12:24:11PM +0000, Johan Petersson wrote:
> Mail got posted before I was finished, sorry.
> 
> I found one clue to the issue after increasing autofs logging to debug, and as I thought it has to do with id-mapping.
> 
> From /var/log/messages:
> 
> Nfsidmap[1696]: nss_getpwnam: name 'adtest@ad.home@linux.home,' does not map into domain 'linux.home,'

Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf
might help?

I'll check the nfsidmap code to see how/if it can handle trusted
domains.

bye,
Sumit

> 
> 
> From: freeipa-users-bounces at redhat.com On Behalf Of Johan Petersson
> Sent: Wednesday, June 04, 2014 12:02 PM
> To: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> 
> Yes, the Client is default RHEL 7, and both the IPA and NFS Server are as well.
> 
> 
> server.ad.home = AD Server
> share.linux.home = NFS Server
> ipa.linux.home = IPA Server
> client.linux.home = Client
> 
> NFS with automounted krb5p Home Directories work for IPA users.
> 
> sssd-1.11.2-65.el7.x86_64
> 
> id adtest@AD.HOME
> uid=497801107(adtest@ad.home) gid=497801107(adtest@ad.home) groups=497801107(adtest@ad.home),497800513(domain users@ad.home)
> 
> getent passwd adtest@AD.HOME
> adtest@ad.home:*:497801107:497801107::/home/ad.home/adtest:
> 
> klist after kinit adtest@AD.HOME
> 
> [root@client ~]# klist -e
> Ticket cache: KEYRING:persistent:0:0
> Default principal: adtest@AD.HOME
> 
> Valid starting     Expires            Service principal
> 06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/AD.HOME@AD.HOME
>          renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 
> klist after ssh adtest@AD.HOME@ipa.linux.home
> 
> klist
> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
> Default principal: adtest@AD.HOME
> 
> Valid starting     Expires            Service principal
> 06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.home@LINUX.HOME
>          renew until 06/05/14 11:28:30
> 06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/LINUX.HOME@AD.HOME
>          renew until 06/05/14 11:28:30
> 06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/AD.HOME@AD.HOME
>          renew until 06/05/14 11:28:30
> 
> The Home Directory gets mounted by autofs through sssd, but user and group are both nobody.
> 
> The Client's sssd.conf:
> 
> [domain/linux.home]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linux.home
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = client.linux.home
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa.linux.home
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> subdomains_provider = ipa
> [sssd]
> services = nss, pam, autofs, ssh
> config_file_version = 2
> 
> domains = linux.home
> [nss]
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> 
> From: freeipa-users-bounces at redhat.com On Behalf Of Dmitri Pal
> Sent: Tuesday, June 03, 2014 6:48 PM
> To: freeipa-users at redhat.com<mailto:freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> 
> On 06/03/2014 09:07 AM, Johan Petersson wrote:
> Hi,
> 
> Environment:
> 
> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
> RHEL 7 NFS Server
> RHEL 7 Client
> 
> I have found one problem when using an NFS 4 shared Home Directory for AD users logging in to IPA.
> I have created an NFS share /home/adexample.org and use an autofs map in IPA.
> All wbinfo tests work, as does id.
> I can login fine through SSH and Shell with adtest@adexample.org
> The problem is that I can add the AD user as owner of his Home Directory, and if I log in to the NFS Server locally or through ssh the permissions are correct, but when logging in to any other computer I get "nobody" as owner.
> Are those computers RHEL7 NFS clients with SSSD?
> Can you describe them in more detail, please?
> 
> Groups are no problem since AD groups can be mapped to Posix groups.
> 
> Idmap.conf domain is set to the IPA Domain.
> 
> Is there some way to get NFS working with the AD user as owner of his Home Directory?
> 
> Thanks for any help.
> 
> 
> 
> 
> 
> _______________________________________________
> 
> Freeipa-users mailing list
> 
> Freeipa-users at redhat.com
> 
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> 
> --
> 
> Thank you,
> 
> Dmitri Pal
> 
> 
> 
> Sr. Engineering Manager IdM portfolio
> 
> Red Hat, Inc.

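Added example (not from the thread, and not nfs-utils or libnfsidmap code): a Python model of the two idmap.conf [General] settings in play here, Domain for 'user@domain' owner strings and Local-Realms for Kerberos principals, run over constructed config fragments and a constructed stand-in for the NSS lookups that sssd serves on the client. The class and function names are invented; the split-at-last-'@' rule for owner strings and the fallback of treating the upper-cased Domain as the default local realm are the model's assumptions, not verified libnfsidmap behaviour. The model shows two things: adding AD.HOME to Local-Realms turns the principal adtest@AD.HOME from nobody into the local name 'adtest', and that stripped name is not what sssd exposes (the id and getent output above report adtest@ad.home), so an NSS lookup of the bare name still comes back empty.

```python
import configparser
from typing import Dict, Optional

# Constructed idmap.conf fragments (not taken from the thread). The second one
# adds the Local-Realms line Sumit suggests trying.
IDMAP_CONF_BEFORE = """\
[General]
Domain = linux.home
"""

IDMAP_CONF_AFTER = """\
[General]
Domain = linux.home
Local-Realms = LINUX.HOME,AD.HOME
"""

# Constructed stand-in for the NSS passwd lookups sssd serves on the client.
# The AD user is keyed as 'adtest@ad.home', the name Johan's 'id' and
# 'getent passwd' output report, with the uid from that output.
FAKE_PASSWD: Dict[str, int] = {"adtest@ad.home": 497801107, "johan": 1000}
NOBODY = "nobody"


class IdmapConfig:
    """Model (an assumption, not libnfsidmap code) of the two [General] keys
    that gate NFSv4 name mapping: Domain for 'user@domain' owner strings and
    Local-Realms for Kerberos principals. Comparisons are case-insensitive."""

    def __init__(self, domain: str, local_realms) -> None:
        self.domain = domain.lower()
        self.local_realms = {r.lower() for r in local_realms}

    @classmethod
    def from_text(cls, text: str) -> "IdmapConfig":
        cp = configparser.ConfigParser()
        cp.read_string(text)
        general = cp["General"]
        realms = [r.strip() for r in general.get("Local-Realms", "").split(",")
                  if r.strip()]
        if not realms:
            # Model assumption: with no Local-Realms line, the upper-cased
            # Domain stands in for the host's Kerberos default realm.
            realms = [general["Domain"].upper()]
        return cls(general["Domain"], realms)

    def principal_to_local(self, principal: str) -> str:
        """Kerberos principal -> local account name. The realm is stripped only
        when it is one of the local realms; anything else becomes 'nobody'.
        Service principals keep their '/' component."""
        name, sep, realm = principal.rpartition("@")
        if not sep or realm.lower() not in self.local_realms:
            return NOBODY
        return name

    def principal_to_uid(self, principal: str,
                         passwd: Dict[str, int] = FAKE_PASSWD) -> Optional[int]:
        """Chain the realm strip with the NSS lookup; None means 'nobody'."""
        local = self.principal_to_local(principal)
        if local == NOBODY:
            return None
        return passwd.get(local)

    def owner_to_uid(self, owner: str,
                     passwd: Dict[str, int] = FAKE_PASSWD) -> Optional[int]:
        """'user@nfsv4domain' owner string -> uid; None means 'nobody'.
        Model assumption: split at the LAST '@', so a local name that itself
        contains '@' (adtest@ad.home) survives intact."""
        local, sep, domain = owner.rpartition("@")
        if not sep or domain.lower() != self.domain:
            return None
        return passwd.get(local)


def demo() -> Dict[str, object]:
    """Run both configs over the names from the thread; returns a dict so the
    results can be checked rather than only printed."""
    before = IdmapConfig.from_text(IDMAP_CONF_BEFORE)
    after = IdmapConfig.from_text(IDMAP_CONF_AFTER)
    return {
        "before:principal adtest@AD.HOME": before.principal_to_local("adtest@AD.HOME"),
        "after:principal adtest@AD.HOME": after.principal_to_local("adtest@AD.HOME"),
        # Stripping the realm yields 'adtest', but NSS only knows 'adtest@ad.home'.
        "after:uid for adtest@AD.HOME": after.principal_to_uid("adtest@AD.HOME"),
        "after:owner adtest@ad.home@linux.home": after.owner_to_uid("adtest@ad.home@linux.home"),
        "after:owner adtest@ad.home": after.owner_to_uid("adtest@ad.home"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:42} -> {value}")
```

The point of the last two lookups is the shape of the owner string: under the model, 'adtest@ad.home@linux.home' maps because the trailing component equals Domain and the remainder is exactly the name sssd knows, while 'adtest@ad.home' on its own is rejected because 'ad.home' is not the NFSv4 domain. Whichever way the real library splits, the logged name and the configured Domain are the two values to compare when reading an nss_getpwnam "does not map into domain" message.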



