idmapd not mapping realm to domain and not resolving gid

Hi,

I have an issue where the /etc/krb5.conf [libdefaults] default_realm does not seem to be mapped successfully by rpc.idmapd. When I change the idmapd.conf [General] Domain to be the same as the Kerberos realm (uppercase domain) I can successfully map the uid, but never see the gid map to anything other than nobody. This is using NFS4, Kerberos, pam_krb5, pam_ldap, nss-pam-ldapd, LDAPS with Active Directory 2008 R2 and NetApp storage. This is reproducible across a number of distributions including Red Hat Enterprise Linux 6.1, Fedora Core 14 & 15, Ubuntu 10.04.

In summary:

	rpc.idmapd: nss_getpwnam: name 'jmorrison@xxxxxxxxxx' does not map into domain 'domain.com'

Option 1: Lowercase Domain

/etc/idmapd.conf
[General]
Domain = domain.com
Local-Realms = DOMAIN.COM
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch

# rpc.idmapd -f -vvv
rpc.idmapd: libnfsidmap: using domain: domain.com
rpc.idmapd: libnfsidmap: Realms list: 'DOMAIN.COM' 
rpc.idmapd: libnfsidmap: processing 'Method' list
rpc.idmapd: libnfsidmap: loaded plugin /usr/lib64/libnfsidmap/nsswitch.so for method nsswitch
rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
rpc.idmapd: New client: 12
rpc.idmapd: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt12/idmap
rpc.idmapd: New client: 13
rpc.idmapd: nss_getpwnam: name 'root@xxxxxxxxxx' does not map into domain 'domain.com'
rpc.idmapd: Client 12: (user) name "root@xxxxxxxxxx" -> id "99"
rpc.idmapd: New client: 14
rpc.idmapd: Client 12: (group) name "daemon@xxxxxxxxxx" -> id "99"
rpc.idmapd: Stale client: 13
rpc.idmapd: 	-> closed /var/lib/nfs/rpc_pipefs//nfs/clnt13/idmap
rpc.idmapd: nss_getpwnam: name 'jmorrison@xxxxxxxxxx' does not map into domain 'domain.com'
rpc.idmapd: Client 12: (user) name "jmorrison@xxxxxxxxxx" -> id "99"

ssh as domain user:
$ ls -al
total 96
drwx------. 21 nobody nobody 4096 Oct 17 13:01 .
drwx------.  3 nobody nobody 4096 Oct  6 08:59 ..
-rwx------.  1 nobody nobody  149 Oct 17 14:50 .bash_history
drwx------.  3 nobody nobody 4096 Oct 17 09:41 .cache
drwx------.  4 nobody nobody 4096 Oct 17 09:36 .config


Option 2: Uppercase domain (matching Kerberos realm)

/etc/idmapd.conf
[General]
Domain = DOMAIN.COM
Local-Realms = DOMAIN.COM
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch

# rpc.idmapd -f -vvv
rpc.idmapd: libnfsidmap: using domain: DOMAIN.COM
rpc.idmapd: libnfsidmap: Realms list: 'DOMAIN.COM' 
rpc.idmapd: libnfsidmap: processing 'Method' list
rpc.idmapd: libnfsidmap: loaded plugin /usr/lib64/libnfsidmap/nsswitch.so for method nsswitch
rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
rpc.idmapd: New client: 9
rpc.idmapd: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt9/idmap
rpc.idmapd: New client: a
rpc.idmapd: Client 9: (user) name "root@xxxxxxxxxx" -> id "0"
rpc.idmapd: Client 9: (group) name "nobody" -> id "99"
rpc.idmapd: New client: b
rpc.idmapd: Client 9: (group) name "daemon@xxxxxxxxxx" -> id "2"
rpc.idmapd: Stale client: a
rpc.idmapd: 	-> closed /var/lib/nfs/rpc_pipefs//nfs/clnta/idmap
rpc.idmapd: Client 9: (user) name "jmorrison@xxxxxxxxxx" -> id "20002"
^C

ssh as domain user:
$ ls -al
total 96
drwx------. 21 root      daemon 4096 Oct 17 13:01 .
drwx------.  3 root      daemon 4096 Oct  6 08:59 ..
-rwx------.  1 jmorrison nobody  149 Oct 17 14:50 .bash_history
drwx------.  3 jmorrison nobody 4096 Oct 17 09:41 .cache
drwx------.  4 jmorrison nobody 4096 Oct 17 09:36 .config


Other configuration

/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
allow_weak_crypto = true
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.COM = {
	kdc = domain.com
	admin_server = domain.com
	default_domain = DOMAIN.COM
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM

/etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files
aliases:    files nisplus


LDAP lookups working

# getent passwd jmorrison
jmorrison:*:20002:10000:Jamie Morrison:/home/uniwa/autres/autresx/jmorrison:/bin/sh

# getent group All-Staff
All-Staff:*:10000:jmorrison

# id jmorrison
uid=20002(jmorrison) gid=10000(All-Staff) groups=10000(All-Staff),99008(jmorrisongroup),10002(All-Autres),99043(All-Autresx)


/home/uniwa/autres mounted via autofs


Please let me know if there are any other details or config you require. Apologies if this is the wrong list for this.

Regards,


Jamie Morrison.
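An added example, not part of Jamie's message or of nfs-utils: a small Python audit over "rpc.idmapd -f -vvv" output in the format shown in the post. It flags names that nss_getpwnam rejects, tells a case-only mismatch between the name's @-suffix and the configured Domain apart from a genuinely foreign domain, and flags every user or group that came back as the Nobody id 99. That the real comparison is case-sensitive is an assumption drawn from the two runs above, not verified against libnfsidmap, and the log lines are constructed with the masked realm written out as DOMAIN.COM.

```python
import re

# Constructed sample of "rpc.idmapd -f -vvv" output, modelled on the post;
# the realm the post masks as xxxxxxxxxx is written out as DOMAIN.COM.
SAMPLE_LOG = """\
rpc.idmapd: libnfsidmap: using domain: domain.com
rpc.idmapd: nss_getpwnam: name 'root@DOMAIN.COM' does not map into domain 'domain.com'
rpc.idmapd: Client 12: (user) name "root@DOMAIN.COM" -> id "99"
rpc.idmapd: Client 12: (group) name "daemon@DOMAIN.COM" -> id "99"
rpc.idmapd: Client 9: (group) name "nobody" -> id "99"
rpc.idmapd: Client 9: (user) name "jmorrison@DOMAIN.COM" -> id "20002"
"""

NOMAP_RE = re.compile(r"nss_getpwnam: name '([^']+)' does not map into domain '([^']+)'")
MAP_RE = re.compile(r'Client \w+: \((user|group)\) name "([^"]+)" -> id "(\d+)"')


def domain_matches(name, domain, case_sensitive=True):
    """Check whether the part of name after '@' equals the configured Domain.
    case_sensitive=True reproduces the behaviour the two runs in the post
    suggest (assumption); False shows what a case-folding compare would do."""
    if "@" not in name:
        return False
    suffix = name.rsplit("@", 1)[1]
    if case_sensitive:
        return suffix == domain
    return suffix.lower() == domain.lower()


def audit(log, nobody_id="99"):
    """Walk idmapd log lines and return (kind, name, detail) findings:
    'unmapped' for names rejected by nss_getpwnam, 'nobody' for any
    user/group that resolved to the Nobody id (99 in the post)."""
    findings = []
    for line in log.splitlines():
        m = NOMAP_RE.search(line)
        if m:
            name, domain = m.groups()
            # A case-only mismatch points at Domain vs realm spelling rather
            # than at a name from a foreign domain.
            detail = ("case-only mismatch with Domain"
                      if domain_matches(name, domain, case_sensitive=False)
                      else "suffix is a different domain")
            findings.append(("unmapped", name, detail))
            continue
        m = MAP_RE.search(line)
        if m and m.group(3) == nobody_id:
            kind, name = m.group(1), m.group(2)
            # A bare "nobody" arrived from the server side: the client never
            # had a domain-qualified name to look up, so the gid is lost there.
            detail = ("server sent bare nobody" if "@" not in name
                      else "%s fell back to Nobody id" % kind)
            findings.append(("nobody", name, detail))
    return findings
```

Feed it the real daemon output with the realm unmasked; a run that reports only "server sent bare nobody" for groups while users map cleanly points at the server-side gid-to-name step rather than at the client's Domain setting.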