[Freeipa-users] nfsv4+kerberos: group ID not mapped on newly created users, however user id is correct

Lukas Slebodnik lslebodn at redhat.com
Wed Jan 4 21:39:44 UTC 2017


On (08/12/16 10:24), Bjarne Blichfeldt wrote:
>> -----Original Message-----
>> From: David Kupka [mailto:dkupka at redhat.com]
>> Sent: 8. december 2016 09:40
>> To: Bjarne Blichfeldt <BJB at jndata.dk>; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly
>> created users, however user id is correct
>> 
>> On 08/12/16 08:57, Bjarne Blichfeldt wrote:
>> > Anybody have any suggestion as to how to continue debugging this? The nfs server
>> > resolves usernames by lookup in the FreeIPA LDAP.
>> >
>> > After a lot of digging, I see that 4.4 introduced "krbcanonicalname", no idea if that
>> > is relevant. Is there some LDAP update procedure I am missing? Just in case, I ran
>> > ipa-server-upgrade, which did not resolve the issue.
>> >
>> >
>:snip
>> >
>> >
>> 
>> Hello,
>> I'm almost sure that 'krbcanonicalname' has nothing to do with this.
>> Adding krbcanonicalname attribute was done to allow principal aliases (multiple
>> kerberos principals for one user/host/service), see [1] for details.
>> 
>> Unfortunately, I don't know what's wrong. SSSD is taking care of resolving users
>> and groups on enrolled systems. "id mgm" should output something like
>> "id=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works properly.
>> 
>> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
>> 
>> --
>> David Kupka
>
>Thank you for that info. That led me somewhat further: increasing the debug level on sssd led me to:
>
>Dec  8 10:42:48 client nfsidmap[6663]: key: 0xae72f5 type: uid value: mqm2@REALM.COM timeout 600
>Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>Dec  8 10:42:48 client nfsidmap[6663]: nss_getpwnam: name 'mqm2@REALM.COM' domain 'REALM.COM': resulting localname 'mqm2'
>Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
>Dec  8 10:42:48 client nfsidmap[6663]: nfs4_name_to_uid: final return value is 0
>
>Dec  8 10:42:48 client nfsidmap[6665]: key: 0xf56593 type: gid value: Null timeout 600
>                                                                                           ^^^^^^^^^
>Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
>Dec  8 10:42:48 client nfsidmap[6665]: nfs4_name_to_gid: final return value is -22
>
>It seems nfsidmap is not called with a proper gid value.
>Hm, the saga continues...
>
You might want to use the sss nfsidmap plugin:
* set Method in /etc/idmapd.conf to sss
* restart nfsidmapd

BTW, in Fedora with sssd-1.14+ it is part of the recommended
package sssd-nfs-idmap (weak dependency);
older versions and other distributions might ship it in sssd-common:
   /usr/lib64/libnfsidmap/sss.so

LS
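The two steps from the reply above as a script, added here as an example (it is not code from the thread, nor from sssd or nfs-utils). It rewrites the Method key under [Translation] in an idmapd.conf-style file, shows the before/after on a constructed sample rather than touching the real /etc/idmapd.conf, and checks whether the sss.so plugin that libnfsidmap dlopens is installed. The plugin paths, the section layout and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Switch libnfsidmap from the nsswitch method to the sss plugin and verify.
set -eu

# Set "Method = <method>" under [Translation] in an idmapd.conf-style file.
# Replaces an existing (or commented-out) Method line in that section, or adds
# one if the section lacks it, or appends the section if the file has none.
# Usage: set_idmap_method /etc/idmapd.conf sss
set_idmap_method() {
    cfg=$1
    method=$2
    tmp="${cfg}.tmp.$$"
    awk -v method="$method" '
        # A new [section] header: flush the Method line if we are leaving
        # [Translation] without having written it, then record where we are.
        /^[ \t]*\[/ {
            if (in_trans && !done) { print "Method = " method; done = 1 }
            in_trans = ($0 ~ /^[ \t]*\[Translation\][ \t]*$/)
        }
        # Any Method line (active or "#Method = ...") inside [Translation]:
        # emit the new value once and drop every old occurrence.
        in_trans && /^[ \t]*#?[ \t]*Method[ \t]*=/ {
            if (!done) { print "Method = " method; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!in_trans) { print ""; print "[Translation]" }
                print "Method = " method
            }
        }
    ' "$cfg" > "$tmp"
    # Overwrite in place so the original file keeps its mode and ownership.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Print the active (uncommented) Method under [Translation], or nothing.
get_idmap_method() {
    awk '
        /^[ \t]*\[/ { in_trans = ($0 ~ /^[ \t]*\[Translation\][ \t]*$/) }
        in_trans && /^[ \t]*Method[ \t]*=/ {
            sub(/^[ \t]*Method[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Check that sss.so is present; libnfsidmap fails to load the method otherwise.
# Plugin locations are assumptions (Fedora/RHEL use /usr/lib64/libnfsidmap).
check_sss_plugin() {
    for p in /usr/lib64/libnfsidmap/sss.so \
             /usr/lib/libnfsidmap/sss.so \
             /usr/lib/x86_64-linux-gnu/libnfsidmap/sss.so; do
        if [ -f "$p" ]; then echo "$p"; return 0; fi
    done
    echo "sss.so not found: install sssd-nfs-idmap (sssd-common on older releases)" >&2
    return 1
}

# Demo on a constructed sample that still uses the nsswitch method.
demo() {
    dir=$(mktemp -d)
    cfg="$dir/idmapd.conf"
    cat > "$cfg" <<'EOF'
[General]
Verbosity = 0
Domain = realm.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
#Method = nsswitch
Method = nsswitch
EOF
    echo "before: Method = $(get_idmap_method "$cfg")"
    set_idmap_method "$cfg" sss
    echo "after:  Method = $(get_idmap_method "$cfg")"
    rm -rf "$dir"
}

demo
```

On a real host run `set_idmap_method /etc/idmapd.conf sss` and `check_sss_plugin` as root, then restart rpc.idmapd where it runs (nfs-idmapd.service on systemd systems) and clear the client's keyring cache with `nfsidmap -c`, otherwise the 600-second cached entries seen in the log keep the old mappings alive.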
