On 3/17/2018 12:43 AM, TomK wrote:
> On 3/16/2018 3:20 PM, Rob Crittenden via FreeIPA-users wrote:
>> TomK wrote:
>>> On 3/15/2018 11:06 AM, Rob Crittenden wrote:
>>>> TomK wrote:
>>>>> On 3/12/2018 11:25 AM, Rob Crittenden wrote:
>>>>>> TomK wrote:
>>>>>>> On 3/7/2018 1:11 PM, Rob Crittenden wrote:
>>>>>>> Hey Rob,
>>>>>>>
>>>>>>> When starting idmapd or stopping it, logs on the LDAP server don't
>>>>>>> change. But UID and GID's change to nfsnobody when I set Nobody-User
>>>>>>> and Nobody-Group to nfsnobody in /etc/idmapd.conf .
>>>>>>
>>>>>> I don't know that merely restarting the service is going to spark
>>>>>> queries against LDAP. You'd probably need to do something to provoke
>>>>>> that (like doing an ls).
>>>>> Nothing. Once at restart of the host do I see something from ls
>>>>> but on
>>>>> second execution of ls or any type of directory interaction, nothing
>>>>> happens. Then it repeats randomly.
>>>>
>>>> Can you expand on this? What are you seeing on the client side? What
>>>> queries do you see in LDAP related to the request (any?) Remember that
>>>> the 389-ds access log is buffered so it can take up to 30 seconds for
>>>> the logs to update.
>>>>
>>>> rob
>>>>
>>>
>>> Got it. Here is the 389-ds log at the same time as the client prints
>>> these nfsidmap messages:
>>>
>>> [ CLIENT ]
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: key: 0x3b3559c4 type: uid value: tom@my.dom@localdomain timeout 600
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling umich_ldap->name_to_uid
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name 'tom@my.dom@localdomain' domain 'nix.my.dom': resulting localname '(null)'
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name 'tom@my.dom@localdomain' does not map into domain 'nix.my.dom'
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: final return value is -22
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling umich_ldap->name_to_uid
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name 'nobody@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: final return value is 0
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: key: 0x3140cc17 type: gid value: tom@my.dom@localdomain timeout 600
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling umich_ldap->name_to_gid
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: final return value is -22
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling umich_ldap->name_to_gid
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
>>> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: final return value is 0
>>>
>>>
>>>
>>>
>>>
>>> [ IPA MASTER ]
>>> [15/Mar/2018:23:13:06.528045064 -0400] conn=69197 fd=260 slot=260 connection from 192.168.0.236 to 192.168.0.44
>>> [15/Mar/2018:23:13:06.528983720 -0400] conn=69197 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemotePerson)(nfsv4name=tom@my.dom@localdomain))" attrs="uidNumber gidNumber"
>>> [15/Mar/2018:23:13:06.529512979 -0400] conn=69197 op=0 RESULT err=0 tag=101 nentries=0 etime=0
>>> [15/Mar/2018:23:13:06.529825586 -0400] conn=69197 op=1 UNBIND
>>> [15/Mar/2018:23:13:06.529853432 -0400] conn=69197 op=1 fd=260 closed - U1
>>> [15/Mar/2018:23:13:06.531031559 -0400] conn=69198 fd=263 slot=263 connection from 192.168.0.236 to 192.168.0.44
>>> [15/Mar/2018:23:13:06.531453140 -0400] conn=69198 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemotePerson)(nfsv4name=nobody@nix.my.dom))" attrs="uidNumber gidNumber"
>>> [15/Mar/2018:23:13:06.531856184 -0400] conn=69198 op=0 RESULT err=0 tag=101 nentries=0 etime=0
>>> [15/Mar/2018:23:13:06.532153498 -0400] conn=69198 op=1 UNBIND
>>> [15/Mar/2018:23:13:06.532179628 -0400] conn=69198 op=1 fd=263 closed - U1
>>> [15/Mar/2018:23:13:06.546316517 -0400] conn=69199 fd=264 slot=264 connection from 192.168.0.236 to 192.168.0.44
>>> [15/Mar/2018:23:13:06.546763006 -0400] conn=69199 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemoteGroup)(nfsv4name=tom@my.dom@localdomain))" attrs="uidNumber gidNumber"
>>> [15/Mar/2018:23:13:06.547118926 -0400] conn=69199 op=0 RESULT err=0 tag=101 nentries=0 etime=0
>>
>> Ok I have zero experience with nfsidmap over LDAP but a few
>> observations:
>>
>> - Your search base is wrong. For users it should
>> cn=users,cn=accounts,DC=NIX,DC=MY,DC=DOM
>> - It is searching on a non-existent objectclass. From what I can tell you
>> need to set
>> NFSv4_person_objectclass=posixaccount
>> NFSv4_name_attr=uid
>>
>> An alternate thing to try is to set Method=sss instead of umich_ldap and
>> see if that helps.
>>
>> rob
>
> Thanks Rob. But unfortunately none of those did the trick.
>
> [General]
> Verbosity = 9
> Local-Realms = NIX.MY.DOM,MY.DOM
> Domain = nix.my.dom
> [Mapping]
> [Translation]
> Method = sss,umich_ldap,nsswitch,static
> GSS-Methods = sss,umich_ldap,nsswitch,static
> [Static]
> [UMICH_SCHEMA]
> LDAP_server = idmipa01.nix.my.dom
> LDAP_base = cn=users,cn=accounts,DC=NIX,DC=MY,DC=DOM
> LDAP_people_base = DC=NIX,DC=MY,DC=DOM
> LDAP_group_base = DC=NIX,DC=MY,DC=DOM
> NFSv4_person_objectclass = posixaccount
> NFSv4_name_attr = uid
>
> Well the weekend's here though so maybe I can spend a little more time
> focusing on this and finally get it solved. The tip to use sss as the
> Method was great and I also added it to the GSS-Methods as well but no
> luck. The fact that localdomain even appears in the logs bothers me.
> I don't think it should given the Domain is set correctly in the
> /etc/idmapd.conf file.
>
>
I'm using NFS Ganesha for my NFS mounts ( It's a user space version of
NFS. ) However, they don't need the idmapd service running and load
only the idmapd libraries.
But the default value for the Domain in the idmapd libraries is
localdomain and perhaps that's why it keeps showing up even though I
explicitly set the Domain = nix.my.dom .
https://github.com/Distrotech/libnfsidmap/blob/distrotech-libnfsidmap/lib...
[root@ipaclient01 ~]# strings /lib64/libnfsidmap.so.0|grep domain
nfs4_get_default_domain
Unable to determine a default nfsv4 domain; consider specifying one in
idmapd.conf
libnfsidmap: Unable to determine the NFSv4 domain; Using '%s' as the
NFSv4 domain which means UIDs will be mapped to the 'Nobody-User' user
defined in %s
libnfsidmap: using%s domain: %s
localdomain
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]# strings /lib64/libnfsidmap.so.0.3.0|grep domain
nfs4_get_default_domain
Unable to determine a default nfsv4 domain; consider specifying one in
idmapd.conf
libnfsidmap: Unable to determine the NFSv4 domain; Using '%s' as the
NFSv4 domain which means UIDs will be mapped to the 'Nobody-User' user
defined in %s
libnfsidmap: using%s domain: %s
localdomain
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[root@ipaclient01 ~]# strings /lib64/libnfsidmap/nsswitch.so | grep domain
get_default_domain
nss_getpwnam: name '%s' domain '%s': resulting localname '%s'
nss_getpwnam: name '%s' does not map into domain '%s'
nss_getpwnam: name '%s' not found in domain '%s'
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]#
[root@ipaclient01 ~]# strings /lib64/libnfsidmap/static.so|grep -i domain
[root@ipaclient01 ~]# strings /lib64/libnfsidmap/umich_ldap.so|grep -i domain
[root@ipaclient01 ~]#
And perhaps that's why things don't work. Guess I'll see how all this
works with the built in Kernel NFS module.
>>
>>> [15/Mar/2018:23:13:06.547419820 -0400] conn=69199 op=1 UNBIND
>>> [15/Mar/2018:23:13:06.547446724 -0400] conn=69199 op=1 fd=264 closed - U1
>>> [15/Mar/2018:23:13:06.550193388 -0400] conn=69200 fd=265 slot=265 connection from 192.168.0.236 to 192.168.0.44
>>> [15/Mar/2018:23:13:06.550580770 -0400] conn=69200 op=0 SRCH base="DC=NIX,DC=MY,DC=DOM" scope=2 filter="(&(objectClass=NFSv4RemoteGroup)(nfsv4name=nobody@nix.my.dom))" attrs="uidNumber gidNumber"
>>> [15/Mar/2018:23:13:06.550933518 -0400] conn=69200 op=0 RESULT err=0 tag=101 nentries=0 etime=0
>>> [15/Mar/2018:23:13:06.551220517 -0400] conn=69200 op=1 UNBIND
>>> [15/Mar/2018:23:13:06.551284941 -0400] conn=69200 op=1 fd=265 closed - U1
>>> [15/Mar/2018:23:13:06.580266816 -0400] conn=69191 op=8 SRCH base="cn=Default Trust View,cn=views,cn=accounts,dc=nix,dc=my,dc=dom" scope=2 filter="(&(objectClass=ipaUserOverride)(uid=tom))" attrs=ALL
>>> [15/Mar/2018:23:13:06.580664050 -0400] conn=69191 op=8 RESULT err=0 tag=101 nentries=0 etime=0
>>> [15/Mar/2018:23:13:06.581138601 -0400] conn=69191 op=9 EXT oid="2.16.840.1.113730.3.8.10.4.1" name="IPA trusted domain ID mapper"
>>> [15/Mar/2018:23:13:06.585652291 -0400] conn=69180 op=5 SRCH base="cn=Default Trust View,cn=views,cn=accounts,dc=nix,dc=my,dc=dom" scope=2 filter="(&(objectClass=ipaUserOverride)(uid=tom))" attrs=ALL
>>> [15/Mar/2018:23:13:06.585897291 -0400] conn=69180 op=5 RESULT err=0 tag=101 nentries=0 etime=0
>>> [15/Mar/2018:23:13:06.610226668 -0400] conn=9 op=99467 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/idmipa01.nix.my.dom@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=host/idmipa01.nix.my.dom@NIX.MY.DOM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>> [15/Mar/2018:23:13:06.611043926 -0400] conn=9 op=99467 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.611343977 -0400] conn=9 op=99468 SRCH base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>> [15/Mar/2018:23:13:06.611511419 -0400] conn=9 op=99468 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.611781846 -0400] conn=9 op=99469 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NIX.MY.DOM@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/NIX.MY.DOM@NIX.MY.DOM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>> [15/Mar/2018:23:13:06.612369061 -0400] conn=9 op=99469 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.612710359 -0400] conn=9 op=99470 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
>>> [15/Mar/2018:23:13:06.612874801 -0400] conn=9 op=99470 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.614845128 -0400] conn=8 op=338424 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/idmipa01.nix.my.dom@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=host/idmipa01.nix.my.dom@NIX.MY.DOM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>> [15/Mar/2018:23:13:06.615299624 -0400] conn=8 op=338424 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.615585618 -0400] conn=8 op=338425 SRCH base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>> [15/Mar/2018:23:13:06.615741765 -0400] conn=8 op=338425 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.616016867 -0400] conn=8 op=338426 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NIX.MY.DOM@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/NIX.MY.DOM@NIX.MY.DOM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>> [15/Mar/2018:23:13:06.616474488 -0400] conn=8 op=338426 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.616734155 -0400] conn=8 op=338427 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
>>> [15/Mar/2018:23:13:06.616891114 -0400] conn=8 op=338427 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.617275452 -0400] conn=8 op=338428 SRCH base="fqdn=idmipa01.nix.my.dom,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
>>> [15/Mar/2018:23:13:06.619766808 -0400] conn=8 op=338428 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.619940264 -0400] conn=8 op=338429 SRCH base="cn=idmipa01.nix.my.dom,cn=masters,cn=ipa,cn=etc,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=*)" attrs=ALL
>>> [15/Mar/2018:23:13:06.620166400 -0400] conn=8 op=338429 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.620841171 -0400] conn=8 op=338430 MOD dn="fqdn=idmipa01.nix.my.dom,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom"
>>> [15/Mar/2018:23:13:06.627304715 -0400] conn=8 op=338430 RESULT err=0 tag=103 nentries=0 etime=0 csn=5aab36ca000000040000
>>> [15/Mar/2018:23:13:06.635192361 -0400] conn=9 op=99471 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NIX.MY.DOM@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/NIX.MY.DOM@NIX.MY.DOM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>> [15/Mar/2018:23:13:06.635734053 -0400] conn=9 op=99471 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.636355108 -0400] conn=9 op=99472 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/MY.DOM@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/MY.DOM@NIX.MY.DOM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>> [15/Mar/2018:23:13:06.636934738 -0400] conn=9 op=99472 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.637192683 -0400] conn=9 op=99473 SRCH base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>> [15/Mar/2018:23:13:06.637329793 -0400] conn=9 op=99473 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.637651311 -0400] conn=9 op=99474 SRCH base="dc=nix,dc=my,dc=dom" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/idmipa01.nix.my.dom@NIX.MY.DOM))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>> [15/Mar/2018:23:13:06.638056445 -0400] conn=9 op=99474 RESULT err=0 tag=101 nentries=1 etime=0
>>> [15/Mar/2018:23:13:06.638324542 -0400] conn=9 op=99475 SRCH base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>> [15/Mar/2018:23:13:06.638461582 -0400] conn=9 op=99475 RESULT err=0 tag=101 nentries=1 etime=0
>>>
>>>
>>>
>>> Cheers,
>>> Tom
>>>
>>>>>>
>>>>>>> [General]
>>>>>>> Verbosity = 9
>>>>>>> Domain = nix.my.dom
>>>>>>> [Mapping]
>>>>>>> Nobody-User = nfsnobody
>>>>>>> Nobody-Group = nfsnobody
>>>>>>> [Translation]
>>>>>>> [Static]
>>>>>>> [UMICH_SCHEMA]
>>>>>>> LDAP_server = idmipa01.nix.my.dom
>>>>>>> LDAP_base = cn=accounts,DC=NIX,DC=MY,DC=DOM
>>>>>>> LDAP_people_base = DC=NIX,DC=MY,DC=DOM
>>>>>>> LDAP_group_base = DC=NIX,DC=MY,DC=DOM
>>>>>>
>>>>>> The people basedn should probably be cn=users,cn=accounts,... and the
>>>>>> group base cn=groups,cn=accounts,... Unless it cleverly smashes that
>>>>>> together with LDAP_base, I'm not sure what it does. The 389-ds access
>>>>>> logs will tell you if it is trying at all (note the logs are
>>>>>> write-buffered so you won't see immediate updates).
>>>>>>
>>>>>> If you have compat enabled then idmapd may be getting multiple entries,
>>>>>> one from cn=compat and one from the main tree and that could be
>>>>>> confusing it.
>>>>> No difference. Even the IP defined users are having this issue.
>>>>>
>>>>> However, and this may be a very dumb question, but you raised 389-ds
>>>>> logs. I'm using IPA Server, not 389-ds unless you're implying I may
>>>>> need packages? The IPA servers come with 389-ds-base installed but do I
>>>>> need this or something else on the IPA clients as well?
>>>>>
>>>>> In the existing IPA logs, no other log entries correlate with the
>>>>> nfsidmapd messages on the client.
>>>>>
>>>>> Method = umich_ldap,nsswitch,static
>>>>> GSS-Methods = umich_ldap,nsswitch,static
>>>>>
>>>>> However it still lists:
>>>>>
>>>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: user_dn : <not-supplied>
>>>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: passwd : <not-supplied>
>>>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: use_ssl : no
>>>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init: ca_cert : <not-supplied>
>>>>>
>>>>> and I'm not sure what variables idmapd.conf uses for password and user.
>>>>> Still, I've left the LAB KDC open so no users and passes are needed for
>>>>> simple lookups.
>>>>>
>>>>> After setting the above, the messages in the logs changed slightly:
>>>>>
>>>>> Mar 15 01:29:24 ipaclient01 systemd-logind: New session 5 of user tomk.
>>>>> Mar 15 01:29:24 ipaclient01 systemd: Started Session 5 of user tomk.
>>>>> Mar 15 01:29:24 ipaclient01 systemd: Starting Session 5 of user tomk.
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid value: tomk@localdomain timeout 600
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling umich_ldap->name_to_uid
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'tomk@localdomain' domain 'nix.my.dom': resulting localname '(null)'
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'tomk@localdomain' does not map into domain 'nix.my.dom'
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is -22
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling umich_ldap->name_to_uid
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: umich_ldap->name_to_uid returned -2
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'nobody@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is 0
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid value: tomk@localdomain timeout 600
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling umich_ldap->name_to_gid
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final return value is -22
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling umich_ldap->name_to_gid
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version mismatch between API information and protocol version. Setting protocol version to 3
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: umich_ldap->name_to_gid returned -2
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final return value is 0
>>>>>
>>>>> (Port 389 between client and server are open.) Seems like the line:
>>>>>
>>>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid value: tomk@localdomain timeout 600
>>>>>
>>>>> might be to blame. It's the first line that shows localdomain, but it
>>>>> should not. My hosts file:
>>>>>
>>>>> [root@ipaclient01 ~]# cat /etc/hosts
>>>>> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
>>>>> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>>>>> 192.168.0.236 ipaclient01.nix.my.dom ipaclient01
>>>>> [root@ipaclient01 ~]#
>>>>>
>>>>> Guessing key gets its info from /etc/hosts directly and I should look
>>>>> at that?
>>>>>
>>>>> Cheers,
>>>>> Tom
>>>>>
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Tom
>>>>>>>
>>>>>>>> TomK via FreeIPA-users wrote:
>>>>>>>>> Hey Guys,
>>>>>>>>>
>>>>>>>>> Getting below message which in turn fails to list proper UID / GID on
>>>>>>>>> NFSv4 mounts from within an unprivileged account. All files show up with
>>>>>>>>> owner and group as nobody / nobody when viewed from the client.
>>>>>>>>>
>>>>>>>>> Is there a way to structure /etc/idmapd.conf to allow for proper UID /
>>>>>>>>> GID resolution? Or perhaps another solution?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e "/^$/d"
>>>>>>>>> [General]
>>>>>>>>> Verbosity = 7
>>>>>>>>> Domain = nix.my.dom
>>>>>>>>> [Mapping]
>>>>>>>>> [Translation]
>>>>>>>>> [Static]
>>>>>>>>> [UMICH_SCHEMA]
>>>>>>>>> LDAP_server = ldap-server.local.domain.edu
>>>>>>>>> LDAP_base = dc=local,dc=domain,dc=edu
>>>>>>>>> [root@client01 etc]#
>>>>>>>>>
>>>>>>>>> Mount looks like this:
>>>>>>>>>
>>>>>>>>> nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4 (rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> /var/log/messages
>>>>>>>>>
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid value: tom@my.dom@localdomain timeout 600
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'tom@my.dom@localdomain' domain 'nix.my.dom': resulting localname '(null)'
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'tom@my.dom@localdomain' does not map into domain 'nix.my.dom'
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is -22
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'nobody@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is 0
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid value: tom@my.dom@localdomain timeout 600
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is -22
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
>>>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is 0
>>>>>>>>> Mar 6 00:17:31 client01 systemd-logind: Removed session 23.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Result of:
>>>>>>>>>
>>>>>>>>> systemctl restart rpcidmapd
>>>>>>>>>
>>>>>>>>> /var/log/messages
>>>>>>>>> -------------------
>>>>>>>>> Mar 5 23:46:12 client01 systemd: Stopping Automounts filesystems on demand...
>>>>>>>>> Mar 5 23:46:13 client01 systemd: Stopped Automounts filesystems on demand.
>>>>>>>>> Mar 5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping service...
>>>>>>>>> Mar 5 23:48:51 client01 systemd: Starting Preprocess NFS configuration...
>>>>>>>>> Mar 5 23:48:51 client01 systemd: Started Preprocess NFS configuration.
>>>>>>>>> Mar 5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping service...
>>>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using domain: nix.my.dom
>>>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms list: 'NIX.MY.DOM'
>>>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: using domain: nix.my.dom
>>>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: Realms list: 'NIX.MY.DOM'
>>>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is 600 seconds.
>>>>>>>>> Mar 5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping service.
>>>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.nametoid/channel
>>>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.idtoname/channel
>>>>>>>>>
>>>>>>>>
>>>>>>>> You might be able to correlate that to the 389-ds access log to see
>>>>>>>> what queries are being executed.
>>>>>>>>
>>>>>>>> You probably need to set LDAP_people_base and LDAP_group_base as
>>>>>>>> well.
>>>>>>>>
>>>>>>>> I think ipa-client-automount only sets the Domain value and doesn't
>>>>>>>> configure the ldap section at all.
>>>>>>>>
>>>>>>>> rob
>>>>>>>> _______________________________________________
>>>>>>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>>>>>>> To unsubscribe send an email to
>>>>>>>> sssd-users-leave(a)lists.fedorahosted.org
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>>
>
>
Solved.
Here's the solution in case it can help someone else.
To get a certain feature in NFS Ganesha, I had to compile the V2.6
release from source. When configuring to compile, idmapd support got
disabled since packages were missing:
libnfsidmap-devel-0.25-17.el7.x86_64
Installed the above package and recompiled with nfsidmap support enabled
and this issue went away. Users now show up properly off the NFS mount
on clients.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
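
A way to triage the nfsidmap messages discussed in this thread, as an added example that is not part of the original posts: it compares the domain suffix of each name the client is asked to map against the Domain in idmapd.conf and reports whether the lookup then fell back to nobody. The log lines and config are constructed samples modelled on the ones quoted above, and reading "first lookup fails, second succeeds" as the nobody fallback is an assumption taken from those logs.

```python
import configparser
import errno
import re

# Constructed idmapd.conf fragment using the Domain value from the thread.
SAMPLE_CONF = """\
[General]
Verbosity = 9
Domain = nix.my.dom
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
"""

# Constructed log sample, one syslog record per line, modelled on the thread.
SAMPLE_LOG = """\
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: key: 0x3b3559c4 type: uid value: tom@my.dom@localdomain timeout 600
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name 'tom@my.dom@localdomain' does not map into domain 'nix.my.dom'
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: final return value is -22
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name 'nobody@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: final return value is 0
Mar 15 23:20:11 ipaclient01 nfsidmap[5100]: key: 0x11111111 type: gid value: admins@nix.my.dom timeout 600
Mar 15 23:20:11 ipaclient01 nfsidmap[5100]: nfs4_name_to_gid: final return value is 0
"""

KEY_RE = re.compile(
    r"nfsidmap\[(\d+)\]: key: \S+ type: (uid|gid) value: (\S+) timeout \d+")
FINAL_RE = re.compile(
    r"nfsidmap\[(\d+)\]: nfs4_name_to_[ug]id: final return value is (-?\d+)")


def configured_domain(conf_text):
    """Return the lower-cased Domain from the [General] section."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    return parser.get("General", "Domain").strip().lower()


def parse_requests(log_text):
    """Group 'final return value' lines under the key request of the same PID."""
    open_by_pid = {}
    requests = []
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            req = {"pid": int(m.group(1)), "type": m.group(2),
                   "name": m.group(3), "returns": []}
            open_by_pid[m.group(1)] = req
            requests.append(req)
            continue
        m = FINAL_RE.search(line)
        if m and m.group(1) in open_by_pid:
            open_by_pid[m.group(1)]["returns"].append(int(m.group(2)))
    return requests


def triage(log_text, conf_text):
    """Flag names whose domain suffix differs from idmapd.conf's Domain."""
    domain = configured_domain(conf_text)
    findings = []
    for req in parse_requests(log_text):
        name = req["name"]
        # The mapper compares whatever follows the last '@' with Domain.
        name_domain = name.rsplit("@", 1)[1].lower() if "@" in name else None
        returns = req["returns"]
        if returns and returns[0] == 0:
            outcome = "mapped"
        elif 0 in returns[1:]:
            outcome = "nobody"   # first lookup failed, retry succeeded
        else:
            outcome = "failed"
        first_error = None
        if returns and returns[0] != 0:
            # nfsidmap logs negative errno values (-22 is EINVAL, -2 is ENOENT).
            first_error = errno.errorcode.get(-returns[0], str(returns[0]))
        findings.append({
            "pid": req["pid"], "type": req["type"], "name": name,
            "name_domain": name_domain,
            "domain_matches": name_domain == domain,
            "outcome": outcome, "first_error": first_error,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_CONF):
        print(f)
```

A finding with `domain_matches` false and `outcome` "nobody" is the pattern in this thread: the name arrives with a domain other than the client's configured Domain, so the problem sits with whichever side generated that suffix rather than with the LDAP or nsswitch lookup.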