[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

On Mon, Oct 7, 2019 at 8:39 PM Kevin Vasko via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; wrote: If you like, newer versions of ipa-client-automount have a new knob to specify just that: https://pagure.io/freeipa/issue/7918 Apologies for not seeing this thread earlier. François > Thanks for the help. > > -Kevin > > > On Oct 7, 2019, at 12:13 PM, Simo Sorce <simo(a)redhat.com&gt; wrote: > > > > Hi Kevin, > > comments inline. > > > >> On Mon, 2019-10-07 at 11:50 -0500, Kevin Vasko wrote: > >> Thanks. > >> > >> So the clients have different host names depending on where they are located geographically. > >> > >> For example > >> > >> machines in CA have a FQDN of client1.ca.example.com > >> > >> machines in NY have a FQDN of client8.ny.example.com > >> > >> They both still belong to the same REALM of EXAMPLE.COM. > > > > Good, REALM an domain should be the same in your case IMO. > > > > Subdomains are just an organizational tool for you, the actual > > authentication/identity domain is the same as the REALM. > > > >> In their idmapd.conf file the > >> > >> # Domain = hostname.local > >> > >> is commented out, and by default it uses the hostnames domain as the value. > >> > >> So client1 Domain value by default would be set to ca.example.com and client8 would be set to ny.example.com. > >> > >> Should I be listing both ca.example.com AND ny.example.com in their idmapd.conf file? > > > > Don't think so > > > >> Based off what you are saying I should just be able to get away with listing “Domain = example.com” which is the REALM? > > > > Yes, this is what you should do, IMO. > > > > Simo. > > > >> > >> -Kevin > >> > >>>> On Oct 7, 2019, at 11:40 AM, Simo Sorce <simo(a)redhat.com&gt; wrote: > >>> > >>> Note I assume that by "domains" you mean just DNS domains not separate > >>> FreeIPA installs, if they are separate installs then it would be a lot > >>> more complicated. > >>> > >>> Another way that you can handle auth sys is to configure the domain on > >>> the server (as any of the domain strings you want) and then use the > >>> same domain on all clients), that should make them work. > >>> > >>>> On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote: > >>>> If you use krb5 authentication you should have no issues, are you using > >>>> auth=sys instead ? > >>>> > >>>>> On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote: > >>>>> Hello, > >>>>> > >>>>> I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography. > >>>>> > >>>>> For example, ca.example.com, and ny.example.com. > >>>>> > >>>>> I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody: 4294967294 > >>>>> > >>>>> On the clients I’m seeing this issue on I see these error messages in the log. > >>>>> > >>>>> Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name ‘user(a)ny.example.com&#39; does not map into domain 'ca.example.com’ > >>>>> > >>>>> I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains. > >>>>> > >>>>> Is there a clean way to handle this? > >>>>> > >>>>> -Kevin > >>>>> _______________________________________________ > >>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > >>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > >>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > >>>> > >>>> -- > >>>> Simo Sorce > >>>> RHEL Crypto Team > >>>> Red Hat, Inc > >>>> > >>>> > >>>> > >>>> _______________________________________________ > >>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > >>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > >>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > >>> > >>> -- > >>> Simo Sorce > >>> RHEL Crypto Team > >>> Red Hat, Inc > >>> > >>> > >>> > >>> > > > > -- > > Simo Sorce > > RHEL Crypto Team > > Red Hat, Inc > > > > > > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...