[Freeipa-users] IPA+AD trust and NFS nobody issue

Sumit Bose sbose at redhat.com
Fri Jun 27 08:00:39 UTC 2014


On Thu, Jun 26, 2014 at 09:04:41PM +0000, Johan Petersson wrote:
> Hi,
> 
> First I wish to thank everybody that helped me out trying to solve this issue, and I also wish to inform you that NFS 4 does not work with AD users through an AD and IPA trust at the moment for RHEL 6 and 7.
> 
> The reason is that rpc.idmapd does not parse fully-qualified usernames, so "adtest@AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG" does not work.
> The client-side code is stripping the domain off based on the location of the first "@" character in the value returned by the server. This results in UID/GID mappings failing and in ownership on the clients of "nobody".

Thank you for the feedback. FYI there is an rpc.idmapd plugin for SSSD
(https://fedorahosted.org/sssd/wiki/DesignDocs/rpc.idmapd%20plugin)
currently under review
(https://lists.fedorahosted.org/pipermail/sssd-devel/2014-June/020384.html)

I'll try to find some time early next week to test if this will help
with your use-case.

bye,
Sumit

> 
> Regards,
> Johan
> 
> From: Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, June 05, 2014 21:03
> To: Johan Petersson; Alexander Bokovoy
> Cc: Sumit Bose; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> 
> On 06/04/2014 09:57 AM, Johan Petersson wrote:
> > Yes the message is exactly like that with commas, I double checked.
> >
> > To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help?
> >
> > I did on all machines and got rid of that specific message but I still get user nobody unfortunately.
> >
> > Here are logs from when I did a su - adtest@AD.HOME@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
> >
> > Client:
> > Jun  4 15:30:13 client su: (to adtest@ad.home) linux on pts/0
> > Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest@ad.home@linux.home timeout 600
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> > Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0
> 
> Do we have a corresponding SSSD trace that shows the actual process of
> the resolution?
> 
> 
> >
> > NFS Server:
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
> > Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "adtest@ad.home@linux.home"
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
> > Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
> > Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "ad_users@linux.home"
> >
> > The group ad_users is an IPA group with external maps from AD Domain Users.
> >
> > -----Original Message-----
> > From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> > Sent: Wednesday, June 04, 2014 3:14 PM
> > To: Johan Petersson
> > Cc: dpal at redhat.com; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >
> > On Wed, 04 Jun 2014, Johan Petersson wrote:
> >> Mail got posted before I was finished sorry.
> >>
> >> I found one clue to the issue after increasing autofs logging to debug, and as I thought it has to do with id-mapping.
> >>
> >> From /var/log/messages:
> >>
> >> Nfsidmap[1696]: nss_getpwnam: name 'adtest@ad.home@linux.home,' does not map into domain 'linux.home,'
> > Are you sure the message is exactly like this, with a comma after linux.home?
> >
> > The reason I'm asking is because the code that prints the message looks like this:
> >
> >          localname = strip_domain(name, domain);
> >          IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
> >                    "resulting localname '%s'\n", name, domain, localname));
> >          if (localname == NULL) {
> >                  IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
> >                          "into domain '%s'\n", name,
> >                          domain ? domain : "<not-provided>"));
> >                  goto err_free_buf;
> >          }
> >
> > note that it doesn't have comma anywhere in the string printed.
> >
> > Can you please increase the log level to 4 so that we can see the first string (nss_getpwnam: name '....' domain '...': resulting localname ...)? It would be
> >
> > [general]
> >    Verbosity = 4
> >
> > in /etc/idmapd.conf
> >
> >
> >
> >>
> >> From: freeipa-users-bounces at redhat.com
> >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Johan Petersson
> >> Sent: Wednesday, June 04, 2014 12:02 PM
> >> To: dpal at redhat.com; freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >>
> >> Yes, the client is default RHEL 7, and both the IPA and NFS servers are as well.
> >>
> >>
> >> server.ad.home = AD Server
> >> share.linux.home = NFS Server
> >> ipa.linux.home = IPA Server
> >> client.linux.home = Client
> >>
> >> NFS with automounted krb5p Home Directories work for IPA users.
> >>
> >> sssd-1.11.2-65.el7.x86_64
> >>
> >> id adtest@AD.HOME
> >> uid=497801107(adtest@ad.home)
> >> gid=497801107(adtest@ad.home)
> >> groups=497801107(adtest@ad.home),497800513(domain users@ad.home)
> >>
> >> getent passwd adtest@AD.HOME
> >> adtest@ad.home:*:497801107:497801107::/home/ad.home/adtest:
> >>
> >> klist after kinit adtest@AD.HOME
> >>
> >> [root@client ~]# klist -e
> >> Ticket cache: KEYRING:persistent:0:0
> >> Default principal: adtest@AD.HOME
> >>
> >> Valid starting     Expires            Service principal
> >> 06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/AD.HOME@AD.HOME
> >>          renew until 06/05/14 11:28:30, Etype (skey, tkt):
> >> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> >>
> >> klist after ssh adtest@AD.HOME@ipa.linux.home
> >>
> >> klist
> >> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
> >> Default principal: adtest@AD.HOME
> >>
> >> Valid starting     Expires            Service principal
> >> 06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.home@LINUX.HOME
> >>          renew until 06/05/14 11:28:30
> >> 06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/LINUX.HOME@AD.HOME
> >>          renew until 06/05/14 11:28:30
> >> 06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/AD.HOME@AD.HOME
> >>          renew until 06/05/14 11:28:30
> >>
> >> Home Directory gets mounted by autofs through sssd but user:group is both nobody.
> >>
> >> The Client's sssd.conf:
> >>
> >> [domain/linux.home]
> >>
> >> cache_credentials = True
> >> krb5_store_password_if_offline = True
> >> ipa_domain = linux.home
> >> id_provider = ipa
> >> auth_provider = ipa
> >> access_provider = ipa
> >> ipa_hostname = client.linux.home
> >> chpass_provider = ipa
> >> ipa_dyndns_update = True
> >> ipa_server = _srv_, ipa.linux.home
> >> ldap_tls_cacert = /etc/ipa/ca.crt
> >> autofs_provider = ipa
> >> ipa_automount_location = default
> >> subdomains_provider = ipa
> >> [sssd]
> >> services = nss, pam, autofs, ssh
> >> config_file_version = 2
> >>
> >> domains = linux.home
> >> [nss]
> >>
> >> [pam]
> >>
> >> [sudo]
> >>
> >> [autofs]
> >>
> >> [ssh]
> >>
> >> [pac]
> >>
> >>
> >> From: freeipa-users-bounces at redhat.com
> >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
> >> Sent: Tuesday, June 03, 2014 6:48 PM
> >> To: freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >>
> >> On 06/03/2014 09:07 AM, Johan Petersson wrote:
> >> Hi,
> >>
> >> Environment:
> >>
> >> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
> >> RHEL 7 NFS Server
> >> RHEL 7 Client
> >>
> >> I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA.
> >> I have created a NFS share /home/adexample.org and use autofs map in IPA.
> >> All wbinfo tests works as well as id.
> >> I can login fine through SSH and Shell with
> >> adtest@adexample.org
> >> The problem is that I can add the AD user as owner of his Home Directory, and if I log in to the NFS Server locally or through ssh the permissions are correct, but when logging in to any other computer I get "nobody" as owner.
> >> Are those computers RHEL7 NFS clients with SSSD?
> >> Can you describe them in more details please?
> >>
> >> Groups are no problem since AD groups can be mapped to Posix groups.
> >>
> >> The idmap.conf domain is set to the IPA Domain.
> >>
> >> Is there some way to get NFS working with the AD user as owner of his Home Directory?
> >>
> >> Thanks for any help.
> >>
> >>
> >> This e-mail is private and confidential between the sender and the addressee.
> >> In the event of misdirection, the recipient is prohibited from using,
> >> copying or disseminating it or any information in it. Please notify the above if any misdirection.
> >>
> >>
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >> --
> >> Thank you,
> >> Dmitri Pal
> >>
> >> Sr. Engineering Manager IdM portfolio
> >> Red Hat, Inc.
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > --
> > / Alexander Bokovoy
> 
> 
> --
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 
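The failure Johan describes above, the client splitting the server's "user@domain" string at the first "@", is easy to see in a few lines. What follows is an added example written for this archive page; it is not nfs-utils or SSSD code, and it is not the fix the thread points to (that is the SSSD rpc.idmapd plugin Sumit mentions). It models the domain-stripping step in two variants: a first-"@" split, which is the behaviour reported in the thread, and a last-"@" split, which is an assumption about how a client could instead treat the trailing component as the idmap domain. The domain "linux.home" and the names are taken from the logs above; the sample inputs are constructed, and the comparison is case-sensitive, which the lowercase log values satisfy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not nfs-utils code. Models how an NFSv4 idmap client
 * reduces the "user@domain" string it gets from the server to a local
 * name, and why a trust user whose name already carries "@ad.home"
 * ends up as nobody when the split happens at the first '@'.
 * Both strip functions return a malloc'd local name, or NULL when the
 * name does not map into `domain` (the "does not map into domain" path
 * quoted in the thread). The caller frees the result. */

static char *copy_prefix(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* Split at the FIRST '@': the behaviour the thread reports for
 * rpc.idmapd/nfsidmap on RHEL 6/7 at the time. For
 * "adtest@ad.home@linux.home" the remainder after the first '@' is
 * "ad.home@linux.home", which is not "linux.home", so the name is
 * rejected before SSSD is ever asked and ownership shows as nobody. */
char *strip_domain_first_at(const char *name, const char *domain)
{
    const char *at = strchr(name, '@');
    if (at == NULL)
        return copy_prefix(name, strlen(name)); /* bare name: nothing to strip */
    if (domain == NULL || strcmp(at + 1, domain) != 0)
        return NULL;                            /* suffix is not our domain */
    return copy_prefix(name, (size_t)(at - name));
}

/* Split at the LAST '@': an assumption about how a client could handle
 * this, not the upstream code. The idmap domain is always the trailing
 * component, so an AD-qualified "adtest@ad.home" survives as the local
 * name that getent/SSSD resolved to uid 497801107 in the thread. */
char *strip_domain_last_at(const char *name, const char *domain)
{
    const char *at = strrchr(name, '@');
    if (at == NULL)
        return copy_prefix(name, strlen(name));
    if (domain == NULL || strcmp(at + 1, domain) != 0)
        return NULL;
    return copy_prefix(name, (size_t)(at - name));
}

int main(void)
{
    /* Constructed inputs modelled on the names in the thread's logs. */
    const char *names[] = {
        "adtest@ad.home@linux.home", /* AD trust user, two '@' */
        "johan@linux.home",          /* plain IPA user */
        "adtest@ad.home@other.home", /* wrong idmap domain: must fail in both */
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *first = strip_domain_first_at(names[i], "linux.home");
        char *last  = strip_domain_last_at(names[i], "linux.home");
        printf("%-27s first-@: %-20s last-@: %s\n", names[i],
               first ? first : "(no map -> nobody)",
               last  ? last  : "(no map -> nobody)");
        free(first);
        free(last);
    }
    return 0;
}
```

Build with `cc -Wall -o stripdomain stripdomain.c` and run it: the first-"@" variant maps the plain IPA user but returns no mapping for the trust user, which is the "nobody" ownership seen on the clients, while the last-"@" variant hands back "adtest@ad.home", the name the `getent passwd` output above resolves to 497801107. The third input shows that neither variant loosens the domain check, which matters because accepting a name from a foreign idmap domain would let a server assign ownership to an unrelated local account.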



