RE: idmapd not mapping realm to domain and not resolving gid

One step further... the NetApp options nfs.v4.id.domain had been entered in uppercase.

Then although gssd gets the right uid, idmapd calls nss_getpwnam twice and fails to get the correct uid.

Oct 19 15:08:04 rhel61 rpc.idmapd[1595]: nss_getpwnam: name 'jmorrison@xxxxxxxxxx' domain 'domain.com': resulting localname 'jmorrison'
Oct 19 15:08:04 rhel61 rpc.idmapd[1595]: nss_getpwnam: name 'jmorrison' not found in domain 'domain.com'

This was resolved via the following setting in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500778

/etc/idmapd.conf
[General]
Cache-Expiration = 10

Now I'm just left with the gid not resolving:

Oct 19 15:44:27 rhel61 rpc.idmapd[2306]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 19 15:44:27 rhel61 rpc.idmapd[2306]: nss_getpwnam: name 'jmorrison@xxxxxxxxxx' domain 'domain.com': resulting localname 'jmorrison'
Oct 19 15:44:27 rhel61 rpc.idmapd[2306]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 19 15:44:27 rhel61 rpc.idmapd[2306]: nfs4_name_to_uid: final return value is 0
Oct 19 15:44:27 rhel61 rpc.idmapd[2306]: Client 0: (user) name "jmorrison@xxxxxxxxxx" -> id "20002"
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_uid_to_name: final return value is 0
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: Client 0: (user) id "20002" -> name "jmorrison@xxxxxxxxxx"
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_gid_to_name: final return value is 0
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: Client 0: (group) id "99" -> name "nobody@xxxxxxxxxx"

$ ls -l
total 32
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Desktop
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Documents
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Downloads
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Music
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Pictures
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Public
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Templates
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Videos

Any help appreciated.

Regards,


Jamie Morrison.

-----Original Message-----
From: linux-nfs-owner@xxxxxxxxxxxxxxx [mailto:linux-nfs-owner@xxxxxxxxxxxxxxx] On Behalf Of Jamie S. Morrison
Sent: Monday, 17 October 2011 4:05 PM
To: linux-nfs@xxxxxxxxxxxxxxx
Subject: idmapd not mapping realm to domain and not resolving gid

Hi,

I have an issue where the /etc/krb5.conf [libdefaults] default_realm does not seem to be mapped successfully by rpc.idmapd. When I change the idmapd.conf [General] Domain to be the same as the Kerberos realm (uppercase domain) I can successfully map the uid, but never see the gid map to anything other than nobody. This is using NFS4, Kerberos, pam_krb5, pam_ldap, nss-pam-ldapd, LDAPS with Active Directory 2008 R2 and NetApp storage. This is reproducible across a number of distributions including Red Hat Enterprise Linux 6.1, Fedora Core 14 & 15, Ubuntu 10.04.

In summary:

	rpc.idmapd: nss_getpwnam: name 'jmorrison@xxxxxxxxxx' does not map into domain 'domain.com'

Option 1: Lowercase Domain

/etc/idmapd.conf
[General]
Domain = domain.com
Local-Realms = DOMAIN.COM
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch

# rpc.idmapd -f -vvv
rpc.idmapd: libnfsidmap: using domain: domain.com
rpc.idmapd: libnfsidmap: Realms list: 'DOMAIN.COM' 
rpc.idmapd: libnfsidmap: processing 'Method' list
rpc.idmapd: libnfsidmap: loaded plugin /usr/lib64/libnfsidmap/nsswitch.so for method nsswitch
rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
rpc.idmapd: New client: 12
rpc.idmapd: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt12/idmap
rpc.idmapd: New client: 13
rpc.idmapd: nss_getpwnam: name 'root@xxxxxxxxxx' does not map into domain 'domain.com'
rpc.idmapd: Client 12: (user) name "root@xxxxxxxxxx" -> id "99"
rpc.idmapd: New client: 14
rpc.idmapd: Client 12: (group) name "daemon@xxxxxxxxxx" -> id "99"
rpc.idmapd: Stale client: 13
rpc.idmapd: 	-> closed /var/lib/nfs/rpc_pipefs//nfs/clnt13/idmap
rpc.idmapd: nss_getpwnam: name 'jmorrison@xxxxxxxxxx' does not map into domain 'domain.com'
rpc.idmapd: Client 12: (user) name "jmorrison@xxxxxxxxxx" -> id "99"

ssh as domain user:
$ ls -al
total 96
drwx------. 21 nobody nobody 4096 Oct 17 13:01 .
drwx------.  3 nobody nobody 4096 Oct  6 08:59 ..
-rwx------.  1 nobody nobody  149 Oct 17 14:50 .bash_history
drwx------.  3 nobody nobody 4096 Oct 17 09:41 .cache
drwx------.  4 nobody nobody 4096 Oct 17 09:36 .config


Option 2: Uppercase domain (matching kerberos realm)

/etc/idmapd.conf
[General]
Domain = DOMAIN.COM
Local-Realms = DOMAIN.COM
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch

# rpc.idmapd -f -vvv
rpc.idmapd: libnfsidmap: using domain: DOMAIN.COM
rpc.idmapd: libnfsidmap: Realms list: 'DOMAIN.COM' 
rpc.idmapd: libnfsidmap: processing 'Method' list
rpc.idmapd: libnfsidmap: loaded plugin /usr/lib64/libnfsidmap/nsswitch.so for method nsswitch
rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
rpc.idmapd: New client: 9
rpc.idmapd: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt9/idmap
rpc.idmapd: New client: a
rpc.idmapd: Client 9: (user) name "root@xxxxxxxxxx" -> id "0"
rpc.idmapd: Client 9: (group) name "nobody" -> id "99"
rpc.idmapd: New client: b
rpc.idmapd: Client 9: (group) name "daemon@xxxxxxxxxx" -> id "2"
rpc.idmapd: Stale client: a
rpc.idmapd: 	-> closed /var/lib/nfs/rpc_pipefs//nfs/clnta/idmap
rpc.idmapd: Client 9: (user) name "jmorrison@xxxxxxxxxx" -> id "20002"
^C

ssh as domain user:
$ ls -al
total 96
drwx------. 21 root      daemon 4096 Oct 17 13:01 .
drwx------.  3 root      daemon 4096 Oct  6 08:59 ..
-rwx------.  1 jmorrison nobody  149 Oct 17 14:50 .bash_history
drwx------.  3 jmorrison nobody 4096 Oct 17 09:41 .cache
drwx------.  4 jmorrison nobody 4096 Oct 17 09:36 .config


Other configuration

/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
allow_weak_crypto = true
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.COM = {
	kdc = domain.com
	admin_server = domain.com
	default_domain = DOMAIN.COM
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM

/etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files
aliases:    files nisplus


LDAP lookups working

# getent passwd jmorrison
jmorrison:*:20002:10000:Jamie Morrison:/home/uniwa/autres/autresx/jmorrison:/bin/sh

# getent group All-Staff
All-Staff:*:10000:jmorrison

# id jmorrison
uid=20002(jmorrison) gid=10000(All-Staff) groups=10000(All-Staff),99008(jmorrisongroup),10002(All-Autres),99043(All-Autresx)


/home/uniwa/autres mounted via autofs


Please let me know if there are any other details or config you require. Apologies if this is the wrong list for this.

Regards,


Jamie Morrison.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
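The two mapping failures in this thread, modelled in Python. This is an added example for this page, not code from nfs-utils/libnfsidmap, from NetApp, or from the poster. It reproduces what the posted logs show under one assumption: that the domain comparison in the nsswitch method is an exact string compare, which is the reading under which Domain = domain.com rejects jmorrison@DOMAIN.COM ("does not map into domain") while Domain = DOMAIN.COM accepts it. Confirm that against strip_domain() in the libnfsidmap source your distribution ships; a case-insensitive compare there would make the uppercase/lowercase choice irrelevant and point the finger elsewhere. The passwd and group tables are constructed from the getent and id output quoted above plus the RHEL defaults nobody=99 and daemon=2, and DOMAIN.COM stands in for the obfuscated realm. The model also covers the other thing visible in the option-2 log: the group arrives as the bare string "nobody" with no @domain, and in the model a name without a domain part is rejected before any group-database lookup once a Domain is configured (assumed from older libnfsidmap; newer releases may retry without stripping, so check your version). The idtoname fallback to a bare Nobody-* name is likewise an assumption taken from idmapd's idtonameres(), not something the thread states.

```python
"""Model of rpc.idmapd's nsswitch translation method (libnfsidmap).

Added example for this thread; not code from nfs-utils/libnfsidmap, NetApp
or the poster. Tables and names are constructed from the getent/id output
in the thread; DOMAIN.COM stands in for the obfuscated realm.
"""

# idmapd.conf [Mapping] values as posted
NOBODY_USER = "nobody"
NOBODY_GROUP = "nobody"

# Constructed from `getent passwd jmorrison` and `id jmorrison` above, plus
# the root/nobody/daemon entries a RHEL 6 /etc/passwd and /etc/group ship with.
PASSWD = {"root": 0, "nobody": 99, "jmorrison": 20002}
GROUP = {"daemon": 2, "nobody": 99, "All-Staff": 10000, "All-Autres": 10002,
         "jmorrisongroup": 99008, "All-Autresx": 99043}


def strip_domain(name, domain, case_insensitive=False):
    """Return the local part of user@domain, or None when it does not map.

    Shape follows libnfsidmap's strip_domain(): with a Domain configured, a
    name with no '@' at all is rejected, as is a name whose domain part
    differs. Exact comparison is the default because that is what the posted
    option 1 / option 2 logs are consistent with; whether your libnfsidmap
    compares case-insensitively must be checked in its source (assumption).
    """
    if "@" not in name:
        return None if domain else name
    local, _, dom = name.partition("@")
    if domain is None:
        return local
    same = dom.lower() == domain.lower() if case_insensitive else dom == domain
    return local if same else None


def name_to_id(name, table, nobody, domain, case_insensitive=False):
    """nss_getpwnam/nss_getgrnam equivalent for the nametoid channel.

    Strip the domain, look up the local name, and fall back to the
    Nobody-User/Nobody-Group id on either failure ("does not map into domain"
    and "not found in domain" in the logs respectively).
    """
    local = strip_domain(name, domain, case_insensitive)
    if local is None or local not in table:
        return table[nobody]
    return table[local]


def id_to_name(ident, table, nobody, domain):
    """uid_to_name/gid_to_name equivalent for the idtoname channel.

    Reverse lookup, then append @Domain (the (group) id "99" -> "nobody@..."
    line). An id with no local entry is modelled as the bare Nobody-* name
    with no domain appended (assumption taken from idmapd's idtonameres()).
    """
    by_id = {v: k for k, v in table.items()}
    if ident not in by_id:
        return nobody
    return f"{by_id[ident]}@{domain}" if domain else by_id[ident]


def option1_uid():
    """Domain = domain.com while the NetApp sends user@DOMAIN.COM: uid 99."""
    return name_to_id("jmorrison@DOMAIN.COM", PASSWD, NOBODY_USER, "domain.com")


def option2_uid():
    """Domain = DOMAIN.COM matching nfs.v4.id.domain: uid 20002."""
    return name_to_id("jmorrison@DOMAIN.COM", PASSWD, NOBODY_USER, "DOMAIN.COM")


def bare_group_name(name="All-Staff"):
    """Group name arriving without any @domain (the option-2 log shows the
    server sending plain "nobody"). With a Domain configured it is rejected
    before the group database is consulted, so even a group that exists
    locally resolves to Nobody-Group."""
    return name_to_id(name, GROUP, NOBODY_GROUP, "DOMAIN.COM")


def primary_group_round_trip():
    """Client-side check: gid 10000 (All-Staff) translates both ways. If this
    works but listings still show 'nobody', the client's group lookup is not
    the side that failed to produce the name."""
    name = id_to_name(10000, GROUP, NOBODY_GROUP, "DOMAIN.COM")
    return name, name_to_id(name, GROUP, NOBODY_GROUP, "DOMAIN.COM")


if __name__ == "__main__":
    print("option 1 (Domain = domain.com):", option1_uid())
    print("option 2 (Domain = DOMAIN.COM):", option2_uid())
    print("same name, case-insensitive compare:",
          name_to_id("jmorrison@DOMAIN.COM", PASSWD, NOBODY_USER,
                     "domain.com", case_insensitive=True))
    print("bare group name 'All-Staff':", bare_group_name())
    print("gid 10000 round trip:", primary_group_round_trip())
    print("unknown gid 4242 ->", id_to_name(4242, GROUP, NOBODY_GROUP, "DOMAIN.COM"))
```

Running it with `case_insensitive=True` shows the configuration-independent outcome a case-insensitive library would give, which is the quickest way to decide whether the uppercase Domain in option 2 is really the cause of the uid fix or merely coincides with it. The round-trip function is the check to run against a real client with `id` and `getent group`: if gid 10000 resolves locally in both directions, the `nobody` group in the listing is not a client-side lookup failure.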