[Freeipa-users] nfsv4+kerberos: group ID not mapped on newly create users, however user id is correct

Bjarne Blichfeldt BJB at jndata.dk
Thu Dec 8 10:24:54 UTC 2016


> -----Original Message-----
> From: David Kupka [mailto:dkupka at redhat.com]
> Sent: 8. december 2016 09:40
> To: Bjarne Blichfeldt <BJB at jndata.dk>; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly
> create users, however user id is correct
> 
> On 08/12/16 08:57, Bjarne Blichfeldt wrote:
> > Anybody have any suggestion as how to continue debugging this? The nfs server
> resolves usernames by lookup in free-ipa ldap.
> >
> > After a lot of digging, I see the 4.4 introduced "krbcanonicalname", no idea if that
> is relevant. Are there some update ldap procedure I am missing? Just in case I ran
> an ipa-server-upgrade, which did not resolve the issue.
> >
> >
:snip
> >
> >
> 
> Hello,
> I'm almost sure that 'krbcanonicalname' has nothing to do with this.
> Adding krbcanonicalname attribute was done to allow principal aliases (multiple
> kerberos principals for one user/host/service), see [1] for details.
> 
> Unfortunately, I don't know what's wrong. SSSD is taking care of resolving users
> and groups on enrolled systems. "id mgm" should output something like
> "id=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works properly.
> 
> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
> 
> --
> David Kupka

Thank you for that info. That led me somewhat further by increasing the debug on sssd, which led me to:

Dec  8 10:42:48 client nfsidmap[6663]: key: 0xae72f5 type: uid value: mqm2 at REALM.COM timeout 600
Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Dec  8 10:42:48 client nfsidmap[6663]: nss_getpwnam: name 'mqm2 at REALM.COM' domain 'REALM.COM': resulting localname 'mqm2'
Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: final return value is 0

Dec  8 10:42:48 client nfsidmap[6665]: key: 0xf56593 type: gid value: Null timeout 600
                                                                      ^^^^
Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: final return value is -22

Seems nfsidmap is not called with a gid value.

It seems nfsidmap is not called with a proper gid.
hm, the saga continues...

-- 
Regards
Bjarne Blichfeldt.
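
A triage helper for nfsidmap debug output like the lines in the message above, added here as an example and not part of the original post or of FreeIPA/nfs-utils. It assumes each nfsidmap PID is one upcall and that a non-zero "final return value" is a negated errno; the function names and the embedded sample log are constructed for illustration.

```python
import errno
import re

# Constructed sample: the nfsidmap debug lines quoted in the message above.
SAMPLE_LOG = """\
Dec  8 10:42:48 client nfsidmap[6663]: key: 0xae72f5 type: uid value: mqm2 at REALM.COM timeout 600
Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: final return value is 0
Dec  8 10:42:48 client nfsidmap[6665]: key: 0xf56593 type: gid value: Null timeout 600
Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: final return value is -22
"""

LINE_RE = re.compile(r"nfsidmap\[(\d+)\]: (.*)$")
KEY_RE = re.compile(r"key: (0x[0-9a-f]+) type: (\w+) value: (.*) timeout (\d+)$")
FINAL_RE = re.compile(r"(nfs4_\w+): final return value is (-?\d+)")


def parse_nfsidmap(log_text):
    """Group nfsidmap debug lines by PID: one record per upcall."""
    calls = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        rec = calls.setdefault(pid, {"pid": pid, "type": None, "value": None, "rc": None})
        key, final = KEY_RE.match(msg), FINAL_RE.match(msg)
        if key:
            rec["type"], rec["value"] = key.group(2), key.group(3).strip()
        elif final:
            rec["func"], rec["rc"] = final.group(1), int(final.group(2))
    return list(calls.values())


def failed_lookups(calls):
    """Return upcalls that ended non-zero, with the errno name and an empty-name flag."""
    failures = []
    for rec in calls:
        if rec["rc"]:  # skips 0 (success) and None (no final line seen)
            name = errno.errorcode.get(abs(rec["rc"]), "unknown")
            empty = rec["value"] in (None, "", "Null")
            failures.append({**rec, "errno": name, "empty_name": empty})
    return failures


if __name__ == "__main__":
    for f in failed_lookups(parse_nfsidmap(SAMPLE_LOG)):
        print(f"pid {f['pid']}: {f['type']} lookup of {f['value']!r} -> {f['rc']} ({f['errno']})")
```

The `empty_name` flag separates upcalls that arrived without a name to map from lookups where a real name failed to resolve through nsswitch.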






