The final resolution was the following on the NetApp:

options ldap.nssmap.attribute.groupname cn

Thank you everyone for your assistance....

-----Original Message-----
From: linux-nfs-owner@xxxxxxxxxxxxxxx [mailto:linux-nfs-owner@xxxxxxxxxxxxxxx] On Behalf Of Jamie S. Morrison
Sent: Wednesday, 19 October 2011 4:41 PM
To: linux-nfs@xxxxxxxxxxxxxxx
Subject: RE: idmapd not mapping realm to domain and not resolving gid

One step further... the NetApp options nfs.v4.id.domain had been entered in uppercase.

Then although gssd gets the right uid, idmapd calls nss_getpwnam twice and fails to get the correct uid:

Oct 19 15:08:04 rhel61 rpc.idmapd[1595]: nss_getpwnam: name 'jmorrison@xxxxxxxxxx' domain 'domain.com': resulting localname 'jmorrison'
Oct 19 15:08:04 rhel61 rpc.idmapd[1595]: nss_getpwnam: name 'jmorrison' not found in domain 'domain.com'

This was resolved via the following setting in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500778

/etc/idmapd.conf
[General]
Cache-Expiration = 10

Now I'm just left with the gid not resolving:

Oct 19 15:44:27 rhel61 rpc.idmapd[2306]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 19 15:44:27 rhel61 rpc.idmapd[2306]: nss_getpwnam: name 'jmorrison@xxxxxxxxxx' domain 'domain.com': resulting localname 'jmorrison'
Oct 19 15:44:27 rhel61 rpc.idmapd[2306]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 19 15:44:27 rhel61 rpc.idmapd[2306]: nfs4_name_to_uid: final return value is 0
Oct 19 15:44:27 rhel61 rpc.idmapd[2306]: Client 0: (user) name "jmorrison@xxxxxxxxxx" -> id "20002"
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_uid_to_name: final return value is 0
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: Client 0: (user) id "20002" -> name "jmorrison@xxxxxxxxxx"
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: nfs4_gid_to_name: final return value is 0
Oct 19 15:45:43 rhel61 rpc.idmapd[2306]: Client 0: (group) id "99" -> name "nobody@xxxxxxxxxx"

$ ls -l
total 32
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Desktop
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Documents
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Downloads
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Music
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Pictures
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Public
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Templates
drwx------. 2 jmorrison nobody 4096 Oct 19 16:09 Videos
...

Any help appreciated.

Regards,
Jamie Morrison.

-----Original Message-----
From: linux-nfs-owner@xxxxxxxxxxxxxxx [mailto:linux-nfs-owner@xxxxxxxxxxxxxxx] On Behalf Of Jamie S. Morrison
Sent: Monday, 17 October 2011 4:05 PM
To: linux-nfs@xxxxxxxxxxxxxxx
Subject: idmapd not mapping realm to domain and not resolving gid

Hi,

I have an issue where the /etc/krb5.conf [libdefaults] default_realm does not seem to be mapped successfully by rpc.idmapd. When I change the idmapd.conf [General] Domain to be the same as the kerberos realm (uppercase domain) I can successfully map the uid, but never see the gid map to anything other than nobody.

This is using NFS4, kerberos, pam_krb5, pam_ldap, nss-pam-ldapd, LDAPS with Active Directory 2008 R2 and NetApp storage. This is reproducible across a number of distributions including Red Hat Enterprise Linux 6.1, Fedora Core 14 & 15, Ubuntu 10.04.

In summary:

rpc.idmapd: nss_getpwnam: name 'jmorrison@xxxxxxxxxx' does not map into domain 'domain.com'

Option 1: Lowercase Domain

/etc/idmapd.conf
[General]
Domain = domain.com
Local-Realms = DOMAIN.COM
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch

# rpc.idmapd -f -vvv
rpc.idmapd: libnfsidmap: using domain: domain.com
rpc.idmapd: libnfsidmap: Realms list: 'DOMAIN.COM'
rpc.idmapd: libnfsidmap: processing 'Method' list
rpc.idmapd: libnfsidmap: loaded plugin /usr/lib64/libnfsidmap/nsswitch.so for method nsswitch
rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
rpc.idmapd: New client: 12
rpc.idmapd: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt12/idmap
rpc.idmapd: New client: 13
rpc.idmapd: nss_getpwnam: name 'root@xxxxxxxxxx' does not map into domain 'domain.com'
rpc.idmapd: Client 12: (user) name "root@xxxxxxxxxx" -> id "99"
rpc.idmapd: New client: 14
rpc.idmapd: Client 12: (group) name "daemon@xxxxxxxxxx" -> id "99"
rpc.idmapd: Stale client: 13
rpc.idmapd: -> closed /var/lib/nfs/rpc_pipefs//nfs/clnt13/idmap
rpc.idmapd: nss_getpwnam: name 'jmorrison@xxxxxxxxxx' does not map into domain 'domain.com'
rpc.idmapd: Client 12: (user) name "jmorrison@xxxxxxxxxx" -> id "99"

ssh as domain user:

$ ls -al
total 96
drwx------. 21 nobody nobody 4096 Oct 17 13:01 .
drwx------.  3 nobody nobody 4096 Oct  6 08:59 ..
-rwx------.  1 nobody nobody  149 Oct 17 14:50 .bash_history
drwx------.  3 nobody nobody 4096 Oct 17 09:41 .cache
drwx------.  4 nobody nobody 4096 Oct 17 09:36 .config

Option 2: Uppercase domain (matching kerberos realm)

/etc/idmapd.conf
[General]
Domain = DOMAIN.COM
Local-Realms = DOMAIN.COM
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch

# rpc.idmapd -f -vvv
rpc.idmapd: libnfsidmap: using domain: DOMAIN.COM
rpc.idmapd: libnfsidmap: Realms list: 'DOMAIN.COM'
rpc.idmapd: libnfsidmap: processing 'Method' list
rpc.idmapd: libnfsidmap: loaded plugin /usr/lib64/libnfsidmap/nsswitch.so for method nsswitch
rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
rpc.idmapd: New client: 9
rpc.idmapd: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt9/idmap
rpc.idmapd: New client: a
rpc.idmapd: Client 9: (user) name "root@xxxxxxxxxx" -> id "0"
rpc.idmapd: Client 9: (group) name "nobody" -> id "99"
rpc.idmapd: New client: b
rpc.idmapd: Client 9: (group) name "daemon@xxxxxxxxxx" -> id "2"
rpc.idmapd: Stale client: a
rpc.idmapd: -> closed /var/lib/nfs/rpc_pipefs//nfs/clnta/idmap
rpc.idmapd: Client 9: (user) name "jmorrison@xxxxxxxxxx" -> id "20002"
^C

ssh as domain user:

$ ls -al
total 96
drwx------. 21 root      daemon 4096 Oct 17 13:01 .
drwx------.  3 root      daemon 4096 Oct  6 08:59 ..
-rwx------.  1 jmorrison nobody  149 Oct 17 14:50 .bash_history
drwx------.  3 jmorrison nobody 4096 Oct 17 09:41 .cache
drwx------.  4 jmorrison nobody 4096 Oct 17 09:36 .config

Other configuration

/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 allow_weak_crypto = true
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.COM = {
  kdc = domain.com
  admin_server = domain.com
  default_domain = DOMAIN.COM
 }

[domain_realm]
 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM

/etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files
aliases:    files nisplus

LDAP lookups working

# getent passwd jmorrison
jmorrison:*:20002:10000:Jamie Morrison:/home/uniwa/autres/autresx/jmorrison:/bin/sh
# getent group All-Staff
All-Staff:*:10000:jmorrison
# id jmorrison
uid=20002(jmorrison) gid=10000(All-Staff) groups=10000(All-Staff),99008(jmorrisongroup),10002(All-Autres),99043(All-Autresx)

/home/uniwa/autres mounted via autofs

Please let me know if there are any other details or config you require. Apologies if this is the wrong list for this.

Regards,
Jamie Morrison.
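As an added illustration (not part of the thread), a small Python checker that reads "rpc.idmapd -f -vvv" output like the logs above and reports which owner strings failed to map into idmapd's configured Domain, separating a case-only mismatch between the name's @domain suffix and the Domain setting (the lowercase-vs-uppercase situation in Option 1) from a genuinely different domain, and which names silently collapsed to the nobody id. The sample log is constructed; the realm suffix, obscured in the thread, is assumed to be DOMAIN.COM.

```python
import re

# Constructed sample modelled on the "rpc.idmapd -f -vvv" output in the thread.
# The realm suffix is obscured there; DOMAIN.COM is assumed from krb5.conf.
SAMPLE_LOG = """\
rpc.idmapd: libnfsidmap: using domain: domain.com
rpc.idmapd: nss_getpwnam: name 'root@DOMAIN.COM' does not map into domain 'domain.com'
rpc.idmapd: Client 12: (user) name "root@DOMAIN.COM" -> id "99"
rpc.idmapd: Client 12: (group) name "daemon@DOMAIN.COM" -> id "99"
rpc.idmapd: nss_getpwnam: name 'guest@OTHER.EXAMPLE' does not map into domain 'domain.com'
rpc.idmapd: Client 12: (user) name "jmorrison@DOMAIN.COM" -> id "20002"
"""

DOMAIN_RE = re.compile(r"libnfsidmap: using domain: (\S+)")
NOMAP_RE = re.compile(r"nss_getpwnam: name '([^']+)' does not map into domain '([^']+)'")
MAP_RE = re.compile(r'Client \d+: \((user|group)\) name "([^"]+)" -> id "(\d+)"')
NOBODY_ID = "99"  # the id Nobody-User/Nobody-Group resolved to in the thread

def classify_failure(name, configured_domain):
    """Explain why an owner string did not map into idmapd's Domain."""
    _, sep, name_domain = name.partition("@")
    if not sep:
        return "no @domain suffix"
    if name_domain == configured_domain:
        return "unexpected"  # same string; something other than the domain check failed
    if name_domain.lower() == configured_domain.lower():
        return "case mismatch"  # e.g. DOMAIN.COM sent, domain.com configured
    return "different domain"

def analyse(log_text, nobody_id=NOBODY_ID):
    """Return the configured Domain, each failed mapping with its cause, and every name that collapsed to nobody."""
    domain, failures, collapsed = None, [], []
    for line in log_text.splitlines():
        if m := DOMAIN_RE.search(line):
            domain = m.group(1)
        elif m := NOMAP_RE.search(line):
            name, conf = m.groups()
            failures.append((name, conf, classify_failure(name, conf)))
        elif (m := MAP_RE.search(line)) and m.group(3) == nobody_id:
            collapsed.append((m.group(1), m.group(2)))
    return {"domain": domain, "failures": failures, "collapsed": collapsed}

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for name, conf, why in result["failures"]:
        print(f"{name} vs Domain={conf}: {why}")
    for kind, name in result["collapsed"]:
        print(f"{kind} {name} mapped to nobody id {NOBODY_ID}")
```

Feed it the real daemon output (for example `rpc.idmapd -f -vvv 2>&1 | python3 checker.py` after swapping SAMPLE_LOG for stdin) to see at a glance whether a Domain/realm case mismatch or a missing nss entry is what turns owners into nobody.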
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html