On Mon, Oct 7, 2019 at 8:39 PM Kevin Vasko via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> Ok thanks! I just tried it and that seems to do it! Just using the "example.com" domain in the idmapd.conf file that is.
> I'll just need to modify all of my clients' idmapd config, which isn't that big of a deal.
If you like, newer versions of ipa-client-automount have a new knob to specify just that: https://pagure.io/freeipa/issue/7918
Apologies for not seeing this thread earlier.
François
> Thanks for the help.
>
> -Kevin
>
> > On Oct 7, 2019, at 12:13 PM, Simo Sorce <simo(a)redhat.com> wrote:
> >
> > Hi Kevin,
> > comments inline.
> >
> >> On Mon, 2019-10-07 at 11:50 -0500, Kevin Vasko wrote:
> >> Thanks.
> >>
> >> So the clients have different host names depending on where they are located geographically.
> >>
> >> For example
> >>
> >> machines in CA have a FQDN of client1.ca.example.com
> >>
> >> machines in NY have a FQDN of client8.ny.example.com
> >>
> >> They both still belong to the same REALM of EXAMPLE.COM.
> >
> > Good, REALM and domain should be the same in your case IMO.
> >
> > Subdomains are just an organizational tool for you, the actual
> > authentication/identity domain is the same as the REALM.
> >
> >> In their idmapd.conf file the
> >>
> >> # Domain = hostname.local
> >>
> >> is commented out, and by default it uses the hostname's domain as the value.
> >>
> >> So client1 Domain value by default would be set to ca.example.com and client8 would be set to ny.example.com.
> >>
> >> Should I be listing both ca.example.com AND ny.example.com in their idmapd.conf file?
> >
> > Don't think so
> >
> >> Based off what you are saying I should just be able to get away with listing "Domain = example.com" which is the REALM?
> >
> > Yes, this is what you should do, IMO.
> >
> > Simo.
> >
> >>
> >> -Kevin
> >>
> >>>> On Oct 7, 2019, at 11:40 AM, Simo Sorce <simo(a)redhat.com> wrote:
> >>>
> >>> Note I assume that by "domains" you mean just DNS domains not separate
> >>> FreeIPA installs, if they are separate installs then it would be a lot
> >>> more complicated.
> >>>
> >>> Another way that you can handle auth sys is to configure the domain on
> >>> the server (as any of the domain strings you want) and then use the
> >>> same domain on all clients, that should make them work.
> >>>
> >>>> On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote:
> >>>> If you use krb5 authentication you should have no issues, are you using
> >>>> auth=sys instead ?
> >>>>
> >>>>> On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote:
> >>>>> Hello,
> >>>>>
> >>>>> I've got FreeIPA setup where I have multiple domains for client machines depending on their geography.
> >>>>>
> >>>>> For example, ca.example.com, and ny.example.com.
> >>>>>
> >>>>> I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but for users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody:4294967294
> >>>>>
> >>>>> On the clients I'm seeing this issue on I see these error messages in the log.
> >>>>>
> >>>>> Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name 'user(a)ny.example.com' does not map into domain 'ca.example.com'
> >>>>>
> >>>>> I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don't see how this will work for all instances unless I can add multiple domains. I don't see an obvious way to add multiple domains.
> >>>>>
> >>>>> Is there a clean way to handle this?
> >>>>>
> >>>>> -Kevin
> >>>>> _______________________________________________
> >>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> >>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >>>>
> >>>> --
> >>>> Simo Sorce
> >>>> RHEL Crypto Team
> >>>> Red Hat, Inc
> >>>>
> >>>
> >>> --
> >>> Simo Sorce
> >>> RHEL Crypto Team
> >>> Red Hat, Inc
> >>>
> >
> > --
> > Simo Sorce
> > RHEL Crypto Team
> > Red Hat, Inc
> >
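The behaviour the thread turns on is how nfsidmap picks its NFSv4 domain and then rejects owner strings whose `@domain` part differs from it. The following is an added example, not code from the thread or from nfs-utils: a small Python model of that decision, run over constructed idmapd.conf fragments (one with `Domain` commented out, one set to `example.com`) and constructed owner strings. The sample config text, host names and owner strings are constructed for illustration, and the domain comparison is modelled as a case-insensitive exact match, which matches the log message Kevin quoted.

```python
"""Model of nfsidmap's Domain selection and nss_getpwnam domain check.

Added example, not nfs-utils code. The config snippets, host names and
owner strings below are constructed for illustration.
"""
import configparser

# Constructed: idmapd.conf with the Domain key left commented out, as on
# Kevin's clients before the fix. nfsidmap then falls back to the host's
# DNS domain, so client1.ca.example.com and client8.ny.example.com disagree.
SAMPLE_CONF_DEFAULT = """\
[General]
Verbosity = 0
# Domain = hostname.local

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
"""

# Constructed: the corrected file, pinning Domain to the realm's DNS domain.
SAMPLE_CONF_FIXED = """\
[General]
Verbosity = 0
Domain = example.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
"""


def effective_domain(conf_text: str, fqdn: str) -> str:
    """Return the NFSv4 domain this host would use.

    An explicit 'Domain' in [General] wins; otherwise the host's DNS domain
    (the FQDN with its first label removed) is used.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    explicit = cp.get("General", "Domain", fallback="").strip()
    if explicit:
        return explicit
    return fqdn.split(".", 1)[1] if "." in fqdn else fqdn


def map_owner(owner: str, domain: str) -> tuple:
    """Model nss_getpwnam's domain check for one NFSv4 owner string.

    Returns (local_name, None) when the owner's domain part matches the
    configured domain case-insensitively, or (None, error_message) when it
    does not; in the latter case nfsidmap falls back to Nobody-User.
    """
    name, sep, owner_domain = owner.partition("@")
    if not sep:
        # A bare name carries no domain and is treated as a local account.
        return name, None
    if owner_domain.lower() != domain.lower():
        return None, (f"nss_getpwnam: name '{owner}' does not map into "
                      f"domain '{domain}'")
    return name, None


def audit(conf_text: str, client_fqdn: str, owners: list) -> dict:
    """Resolve each owner string as one client would, 'nobody' on failure."""
    domain = effective_domain(conf_text, client_fqdn)
    return {o: map_owner(o, domain)[0] or "nobody" for o in owners}


if __name__ == "__main__":
    owners = ["user@ny.example.com", "user@example.com"]
    for conf, label in ((SAMPLE_CONF_DEFAULT, "default"), (SAMPLE_CONF_FIXED, "fixed")):
        for host in ("client1.ca.example.com", "client8.ny.example.com"):
            print(label, host, effective_domain(conf, host), audit(conf, host, owners))
```

Two things follow from the model that matter when rolling the fix out. First, as Simo notes, the server must emit owners in the same domain: with `Domain = example.com` on a client, an owner string that still arrives as `user@ny.example.com` from a server left on its default domain still maps to nobody, so the server's idmapd.conf needs the same setting. Second, nfsidmap caches results in the kernel keyring, so after editing the file run `nfsidmap -d` to confirm the effective domain and `nfsidmap -c` to clear stale mappings before re-testing.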