Yes, UID/GID permissions on server and client are the same.
If I log in with ssh to the server as 'long' with the AD passwd and then change to the
homedir, there is no problem with permissions:
===============================
ssh jota.example.com -l long
long(a)jota.example.com's password:
Welcome to Ubuntu 13.10 (GNU/Linux 3.11.0-15-generic x86_64)
.....
Last login: Thu Feb 27 13:44:24 2014 from 10.80.8.246
long@jota:/$ pwd
long@jota:/$ pwd
/
long@jota:/nfs4/jota/long$ ls -l
total 8
-rw-r--r-- 1 long domain users 0 Mar 10 10:21 created_by_long_on_jota
drwxr-xr-x 2 long domain users 4096 Feb 27 13:46 created_on_jota
drwxr-xr-x 2 long domain users 4096 Feb 6 14:02 created_on_longina_nb
==============================
The problem with permissions and accessing the homedir is only on the client.
This is the output from krb5_child.log on the client. My principal name looks strange... and it
hits a failure (between the stars):
================
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [validate_tgt] (0x0400): TGT
verified using key for [JEDI$(a)C.EXAMPLE.COM].
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [sss_child_krb5_trace_cb] (0x4000):
[31315] 1394442056.719259: Retrieving long(a)C.EXAMPLE.COM -> JEDI$(a)C.EXAMPLE.COM from
MEMORY:rd_req2 with result: 0/Success
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [sss_child_krb5_trace_cb] (0x4000):
[31315] 1394442056.719910: Retrieving JEDI$(a)C.EXAMPLE.COM from FILE:/etc/krb5.keytab (vno
5, enctype aes256-cts) with result: 0/Success
********
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [sss_send_pac] (0x0040):
sss_pac_make_request failed [-1][2].
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [validate_tgt] (0x0040):
sss_send_pac failed, group membership for user with principal
[long\@C.EXAMPLE.COM(a)C.EXAMPLE.COM] might not be correct.
*********
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [sss_child_krb5_trace_cb] (0x4000):
[31315] 1394442056.720316: Destroying ccache MEMORY:rd_req2
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [become_user] (0x0200): Trying to
become user [332405654][332400513].
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [sss_get_ccache_name_for_principal]
(0x4000): Location: [FILE:/tmp/krb5cc_332405654_ZXQFRT]
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [sss_get_ccache_name_for_principal]
(0x4000): tmp_ccname: [FILE:/tmp/krb5cc_332405654_ZXQFRT]
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [create_ccache] (0x4000):
Initializing ccache of type [FILE]
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [pack_response_packet] (0x2000):
response packet size: [142]
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [k5c_send_data] (0x4000): Response
sent.
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [main] (0x0400): krb5_child
completed successfully
================
ON CLIENT:
root@jedi:/# getent passwd long
long:*:332405654:332400513:XXXXXX:/home/long:/bin/bash
on server:
root@jota:/# getent passwd long
longina:*:332405654:332400513:XXXXXX:/:/bin/bash
======================
Group membership with the 'groups' command is the same on both:
root@jota:/nfs4/jota/long# groups long
long :
domain users
data-nat-nat-it-groupdrive
rw
imada-terminal-users
nat-it-outlook-admin
nat-terminal-users
dl-nat-it-staff
nat-it-ansatte
nat-it-ad-hoc
nat-pri-setcomputerdesc
nat-ctxusers
common_users
nat-lectures
dl-nat-it
nat-esignatur
nat-booking
nat-fnc-pri-setdiscription
terminal brugere
root@jedi:/var/log/sssd# groups long
long:
domain users
data-nat-nat-it-groupdrive
rw
imada-terminal-users
nat-terminal-users
dl-nat-it-staff
nat-it-ansatte
nat-it-ad-hoc
nat-it-outlook-admin
nat-ctxusers
common_users
nat-lectures
dl-nat-it
nat-booking
nat-esignatur
terminal brugere
nat-pri-setcomputerdesc
nat-fnc-pri-setdiscription
Best
Longina
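The failure records in the krb5_child.log excerpt above can be picked out mechanically. The following is an added example, not part of the original mail or of SSSD: it rejoins the mail-wrapped lines, parses each debug record and keeps those logged at a failure level. The names parse, failures and SAMPLE are made up for illustration, and the level names assume the debug_level table in sssd.conf(5).

```python
import re

# Start of a record, e.g. "(Mon Mar 10 10:00:56 2014) [[sssd[..."
START = re.compile(r"^\(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}\) \[")
# A whole record after its wrapped lines have been joined again.
RECORD = re.compile(r"^\((?P<time>[^)]+)\) \[(?P<component>.+?)\] "
                    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Failure levels (assumed from the debug_level table in sssd.conf(5)).
FAILURE_LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor"}

# Four records copied from the excerpt above, wrapped the way the mail wrapped them.
SAMPLE = r"""
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [validate_tgt] (0x0400): TGT
verified using key for [JEDI$(a)C.EXAMPLE.COM].
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [sss_send_pac] (0x0040):
sss_pac_make_request failed [-1][2].
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [validate_tgt] (0x0040):
sss_send_pac failed, group membership for user with principal
[long\@C.EXAMPLE.COM(a)C.EXAMPLE.COM] might not be correct.
*********
(Mon Mar 10 10:00:56 2014) [[sssd[krb5_child[31315]]]] [sss_get_ccache_name_for_principal]
(0x4000): Location: [FILE:/tmp/krb5cc_332405654_ZXQFRT]
"""

def parse(text):
    """Rejoin wrapped lines and return one dict per debug record."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or set(line) <= set("*="):
            continue                      # blank line or mail separator
        if START.match(line):
            records.append(line)          # a new record begins
        elif records:
            records[-1] += " " + line     # continuation of the previous record
    entries = []
    for rec in records:
        m = RECORD.match(rec)
        if m:
            entries.append({**m.groupdict(), "level": int(m["level"], 16)})
    return entries

def failures(text):
    """Records logged at a failure level, each labelled with the level's name."""
    return [dict(e, severity=FAILURE_LEVELS[e["level"]])
            for e in parse(text) if e["level"] in FAILURE_LEVELS]

if __name__ == "__main__":
    for e in failures(SAMPLE):
        print(e["severity"], e["func"], e["msg"])
```
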
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Dmitri Pal
Sent: 7 March 2014 16:32
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] sssd-1.11.1 Trusty automount nfs4+krb+sssd
On 03/07/2014 06:02 AM, Longina Przybyszewska wrote:
Hi again,
The pieces of the automount work, almost... ;( My transition step
towards getting automount on login with 'autofs' as an sssd service looks like
this:
- I can authenticate with sssd and AD as id/access/auth_provider
- can log in to the machine from the login GUI directly into the local home
directory /Lshare/long
- from here, using cd /home/long activates automount; the directory is mounted, but the user has
no permissions to access it
- sssd on the client is configured without the 'autofs' service (as I have no sign of
the automount nis-schema in AD, even if SFU is installed)
- nsswitch says:
automount: files sss
If you are not using SSSD for delivering the maps then you do not need 'sss' here.
But this is not the problem you are seeing.
cat /proc/mounts:
/etc/auto.home /home autofs rw,relatime,fd=13,pgrp=15088,timeout=300,minproto=5,maxproto=5,indirect 0 0
/etc/auto.nfs /nfs autofs rw,relatime,fd=7,pgrp=15088,timeout=300,minproto=5,maxproto=5,indirect 0 0
/etc/auto.msshare /Mshare autofs rw,relatime,fd=19,pgrp=15088,timeout=300,minproto=5,maxproto=5,indirect 0 0
jota.a.domain.com:/nfs4/jota/long /home/long nfs4 rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=10.80.8.91,local_lock=none,addr=10.144.4.254 0 0
df -h does not show that mount.
Both client and server run the same version of sssd-1.11.1, and user 'long' is
seen as a member of the same groups on both machines.
Does it have same UID/GID on both machines?
If I run 'cd /home/long' as root on the client, the homedir is mounted:
cat /proc/mounts
/etc/auto.home /home autofs rw,relatime,fd=13,pgrp=15088,timeout=300,minproto=5,maxproto=5,indirect 0 0
/etc/auto.nfs /nfs autofs rw,relatime,fd=7,pgrp=15088,timeout=300,minproto=5,maxproto=5,indirect 0 0
/etc/auto.msshare /Mshare autofs rw,relatime,fd=19,pgrp=15088,timeout=300,minproto=5,maxproto=5,indirect 0 0
jota.a.domain.com:/nfs4/jota/long /home/long nfs4 rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=10.80.8.91,local_lock=none,addr=10.144.4.254 0 0
df -h
...
jota.a.domain.com:/nfs4/jota/long 1.8T 2.1G 1.7T 1% /home/long
Any ideas ?
Best
longina
Kind regards
Longina Przybyszewska
System programmer, IT service
Tel. +45 6550 2359
Mobile +45 6011 2359
Email longina(a)sdu.dk
Web http://www.sdu.dk/ansat/longina
Addr. Campusvej 55, 5230 Odense M
SYDDANSK UNIVERSITET
_______________________________________________________________
Campusvej 55 * 5230 * Odense M * Tel. +45 6550 1000 * www.sdu.dk
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of
Longina Przybyszewska
Sent: 27 February 2014 16:56
To: 'End-user discussions about the System Security Services Daemon'
Subject: Re: [SSSD-users] sssd-1.11.1 Trusty automount nfs4+krb+sssd
problem
Hi,
Ubuntu Saucy nfs4+krb+sssd server
Ubuntu Trusty client,sssd+autofs
I can manually mount directory (nfs4+krb) as root on the client.
Is it possible on the client to use SSSD with the autofs service, with the automounter referring to
the flat files /etc/auto.master, /etc/auto.home, not to ldap?
How can I check if autofs delivered with distribution supports sssd?
Best
longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej
Valousek
Sent: 20 February 2014 13:48
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb
problem)
Created BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=1067423
attached is a patch resolving the issue.
Ondrej
________________________________________
From: sssd-users-bounces(a)lists.fedorahosted.org
[sssd-users-bounces(a)lists.fedorahosted.org] on behalf of Simo Sorce
[simo(a)redhat.com]
Sent: Wednesday, February 19, 2014 7:35 PM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb
problem)
On Wed, 2014-02-19 at 15:04 +0000, Ondrej Valousek wrote:
> Hi Simo,
>
> I are you getting on about this with Steve?
This is the current situation:
<steved> simo: post a patch with what you want and lets talk about it....
:-)
> Would it be better to open a RFE for this? I would like to know where
> we are standing - whether there is any chance that RHEL6 will be
> fixed or it would only go to RHEL 7.
An RFE for RHEL7 would be nice.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio Red Hat Inc.