<div dir="ltr"><div>idmap.conf for NFS Server: [General] #Verbosity = 0 # The following should be set to the local NFSv4 domain name # The default is the host's DNS domain name. #Domain = <a href="http://local.domain.edu">local.domain.edu</a> # The following is a comma-separated list of Kerberos realm # names that should be considered to be equivalent to the # local realm, such that <user>@REALM.A can be assumed to # be the same user as <user>@REALM.B # If not specified, the default local realm is the domain name, # which defaults to the host's DNS domain name, # translated to upper-case. # Note that if this value is specified, the local realm name # must be included in the list! #Local-Realms = [Mapping] Nobody-User = nobody Nobody-Group = nobody [Translation] # Translation Method is an comma-separated, ordered list of # translation methods that can be used. Distributed methods # include "nsswitch", "umich_ldap", and "static". Each method # is a dynamically loadable plugin library. # New methods may be defined and inserted in the list. # The default is "nsswitch". Method = nsswitch # Optional. This is a comma-separated, ordered list of # translation methods to be used for translating GSS # authenticated names to ids. # If this option is omitted, the same methods as those # specified in "Method" are used. #GSS-Methods = <alternate method list for translating GSS names> #-------------------------------------------------------------------# # The following are used only for the "static" Translation Method. #-------------------------------------------------------------------# #[Static] # A "static" list of GSS-Authenticated names to # local user name mappings #someuser@REALM = localuser #-------------------------------------------------------------------# # The following are used only for the "umich_ldap" Translation Method. #-------------------------------------------------------------------# #[UMICH_SCHEMA] # server information (REQUIRED) #LDAP_server = <a href="http://ldap-server.local.domain.edu">ldap-server.local.domain.edu</a> # the default search base (REQUIRED) #LDAP_base = dc=local,dc=domain,dc=edu #-----------------------------------------------------------# # The remaining options have defaults (as shown) # and are therefore not required. #-----------------------------------------------------------# # whether or not to perform canonicalization on the # name given as LDAP_server #LDAP_canonicalize_name = true # absolute search base for (people) accounts #LDAP_people_base = <LDAP_base> # absolute search base for groups #LDAP_group_base = <LDAP_base> # Set to true to enable SSL - anything else is not enabled #LDAP_use_ssl = false # You must specify a CA certificate location if you enable SSL #LDAP_ca_cert = /etc/ldapca.cert # Objectclass mapping information # Mapping for the person (account) object class #NFSv4_person_objectclass = NFSv4RemotePerson # Mapping for the nfsv4name attribute the person object #NFSv4_name_attr = NFSv4Name # Mapping for the UID number #NFSv4_uid_attr = UIDNumber # Mapping for the GSSAPI Principal name #GSS_principal_attr = GSSAuthName # Mapping for the account name attribute (usually uid) # The value for this attribute must match the value of # the group member attribute - NFSv4_member_attr #NFSv4_acctname_attr = uid # Mapping for the group object class #NFSv4_group_objectclass = NFSv4RemoteGroup # Mapping for the GID attribute #NFSv4_gid_attr = GIDNumber # Mapping for the Group NFSv4 name #NFSv4_group_attr = NFSv4Name # Mapping for the Group member attribute (usually memberUID) # The value of this attribute must match the value of NFSv4_acctname_attr #NFSv4_member_attr = memberUID </div>idmap.conf for client: [General] #Verbosity = 0 # The following should be set to the local NFSv4 domain name # The default is the host's DNS domain name. #Domain = <a href="http://local.domain.edu">local.domain.edu</a> # The following is a comma-separated list of Kerberos realm # names that should be considered to be equivalent to the # local realm, such that <user>@REALM.A can be assumed to # be the same user as <user>@REALM.B # If not specified, the default local realm is the domain name, # which defaults to the host's DNS domain name, # translated to upper-case. # Note that if this value is specified, the local realm name # must be included in the list! #Local-Realms = [Mapping] Nobody-User = nobody Nobody-Group = nobody [Translation] # Translation Method is an comma-separated, ordered list of # translation methods that can be used. Distributed methods # include "nsswitch", "umich_ldap", and "static". Each method # is a dynamically loadable plugin library. # New methods may be defined and inserted in the list. # The default is "nsswitch". Method = nsswitch # Optional. This is a comma-separated, ordered list of # translation methods to be used for translating GSS # authenticated names to ids. # If this option is omitted, the same methods as those # specified in "Method" are used. #GSS-Methods = <alternate method list for translating GSS names> #-------------------------------------------------------------------# # The following are used only for the "static" Translation Method. #-------------------------------------------------------------------# #[Static] # A "static" list of GSS-Authenticated names to # local user name mappings #someuser@REALM = localuser #-------------------------------------------------------------------# # The following are used only for the "umich_ldap" Translation Method. #-------------------------------------------------------------------# #[UMICH_SCHEMA] # server information (REQUIRED) #LDAP_server = <a href="http://ldap-server.local.domain.edu">ldap-server.local.domain.edu</a> # the default search base (REQUIRED) #LDAP_base = dc=local,dc=domain,dc=edu #-----------------------------------------------------------# # The remaining options have defaults (as shown) # and are therefore not required. #-----------------------------------------------------------# # whether or not to perform canonicalization on the # name given as LDAP_server #LDAP_canonicalize_name = true # absolute search base for (people) accounts #LDAP_people_base = <LDAP_base> # absolute search base for groups #LDAP_group_base = <LDAP_base> # Set to true to enable SSL - anything else is not enabled #LDAP_use_ssl = false # You must specify a CA certificate location if you enable SSL #LDAP_ca_cert = /etc/ldapca.cert # Objectclass mapping information # Mapping for the person (account) object class #NFSv4_person_objectclass = NFSv4RemotePerson # Mapping for the nfsv4name attribute the person object #NFSv4_name_attr = NFSv4Name # Mapping for the UID number #NFSv4_uid_attr = UIDNumber # Mapping for the GSSAPI Principal name #GSS_principal_attr = GSSAuthName # Mapping for the account name attribute (usually uid) # The value for this attribute must match the value of # the group member attribute - NFSv4_member_attr #NFSv4_acctname_attr = uid # Mapping for the group object class #NFSv4_group_objectclass = NFSv4RemoteGroup # Mapping for the GID attribute #NFSv4_gid_attr = GIDNumber # Mapping for the Group NFSv4 name #NFSv4_group_attr = NFSv4Name # Mapping for the Group member attribute (usually memberUID) # The value of this attribute must match the value of NFSv4_acctname_attr #NFSv4_member_attr = memberUID Domain=<a href="http://freeipa.my.ca">freeipa.my.ca</a> </div><div class="gmail_extra"> <div class="gmail_quote">On 30 September 2015 at 09:08, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, 30 Sep 2015, Sadettin Albasan wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi Alexander, Currently; FreeIPA 7.1 (Centos) Client 6.6 (Centos) NFS 6.6 (Centos) + Samba 3.6 I have also samba file sharing running on NFS server which shares home directories to windows users as well. So NFS server is joined to windows domain as well as FreeIPA domain. </blockquote> CentOS 6.6 should have nfsidmap fixes needed to support AD users via IPA-AD trust. However, I don't see your configuration for nfs idmap.conf on both client and NFS server. -- / Alexander Bokovoy </blockquote></div> </div>