Thanks for the heads up. I was just changing the config manually. I’ve kind of stayed away
from automount because I’ve had a lot of trouble with it on Ubuntu boxes. Didn’t actually
realize it modifies the idmapd config.
No problem! I posted on Friday so I figured it might be a few days before someone even saw
this. Thanks for answering.
-Kevin
> On Oct 7, 2019, at 2:19 PM, François Cami <fcami(a)redhat.com> wrote:
>
> On Mon, Oct 7, 2019 at 8:39 PM Kevin Vasko via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>> Ok thanks! I just tried it and that seems to do it! Just using the “example.com” domain in the idmapd.conf file that is.
>>
>> I’ll just need to modify all of my clients’ idmapd config, which isn’t that big of a deal.
>
> If you like, newer versions of ipa-client-automount have a new knob to
> specify just that:
>
> https://pagure.io/freeipa/issue/7918
>
> Apologies for not seeing this thread earlier.
>
> François
>
>> Thanks for the help.
>>
>> -Kevin
>>
>>>> On Oct 7, 2019, at 12:13 PM, Simo Sorce <simo(a)redhat.com> wrote:
>>>
>>> Hi Kevin,
>>> comments inline.
>>>
>>>> On Mon, 2019-10-07 at 11:50 -0500, Kevin Vasko wrote:
>>>> Thanks.
>>>>
>>>> So the clients have different host names depending on where they are located geographically.
>>>>
>>>> For example
>>>>
>>>> machines in CA have a FQDN of client1.ca.example.com
>>>>
>>>> machines in NY have a FQDN of client8.ny.example.com
>>>>
>>>> They both still belong to the same REALM of EXAMPLE.COM.
>>>
>>> Good, REALM and domain should be the same in your case IMO.
>>>
>>> Subdomains are just an organizational tool for you, the actual
>>> authentication/identity domain is the same as the REALM.
>>>
>>>> In their idmapd.conf file the
>>>>
>>>> # Domain = hostname.local
>>>>
>>>> is commented out, and by default it uses the hostname's domain as the value.
>>>>
>>>> So client1 Domain value by default would be set to ca.example.com and client8 would be set to ny.example.com.
>>>>
>>>> Should I be listing both ca.example.com AND ny.example.com in their idmapd.conf file?
>>>
>>> Don't think so
>>>
>>>> Based off what you are saying I should just be able to get away with listing “Domain = example.com” which is the REALM?
>>>
>>> Yes, this is what you should do, IMO.
>>>
>>> Simo.
>>>
>>>>
>>>> -Kevin
>>>>
>>>>>> On Oct 7, 2019, at 11:40 AM, Simo Sorce <simo(a)redhat.com> wrote:
>>>>>
>>>>> Note I assume that by "domains" you mean just DNS domains not separate
>>>>> FreeIPA installs, if they are separate installs then it would be a lot
>>>>> more complicated.
>>>>>
>>>>> Another way that you can handle auth sys is to configure the domain on
>>>>> the server (as any of the domain strings you want) and then use the
>>>>> same domain on all clients, that should make them work.
>>>>>
>>>>>> On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote:
>>>>>> If you use krb5 authentication you should have no issues, are you using
>>>>>> auth=sys instead?
>>>>>>
>>>>>>> On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography.
>>>>>>>
>>>>>>> For example, ca.example.com, and ny.example.com.
>>>>>>>
>>>>>>> I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody: 4294967294
>>>>>>>
>>>>>>> On the clients I’m seeing this issue on I see these error messages in the log.
>>>>>>>
>>>>>>> Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name ‘user(a)ny.example.com' does not map into domain 'ca.example.com’
>>>>>>>
>>>>>>> I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains.
>>>>>>>
>>>>>>> Is there a clean way to handle this?
>>>>>>>
>>>>>>> -Kevin
>>>>>>> _______________________________________________
>>>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>>>>
>>>>>> --
>>>>>> Simo Sorce
>>>>>> RHEL Crypto Team
>>>>>> Red Hat, Inc
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Simo Sorce
>>>>> RHEL Crypto Team
>>>>> Red Hat, Inc
>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>> --
>>> Simo Sorce
>>> RHEL Crypto Team
>>> Red Hat, Inc
>>>
>>>
>>>
>>>
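
Added example, not part of the original thread: a small model of the NFSv4 idmapd domain check discussed above, showing why ca.example.com clients see `nobody` and why the server and every client must agree on `Domain`. The host names come from the thread; the user `alice`, the sample config text and the function names are constructed for illustration, and the unset-`Domain` default follows the behaviour described in the thread.

```python
import configparser

# Constructed idmapd.conf samples (not copied from any real host).
DEFAULT_CONF = "[General]\n# Domain = hostname.local\n\n[Mapping]\nNobody-User = nobody\n"
FIXED_CONF = "[General]\nDomain = example.com\n\n[Mapping]\nNobody-User = nobody\n"


def effective_domain(conf_text, fqdn):
    """Domain from [General]; if unset, the DNS domain of the host's FQDN."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    domain = cp.get("General", "Domain", fallback="").strip()
    return (domain or fqdn.split(".", 1)[1]).lower()


def map_owner(wire_name, local_domain, nobody="nobody"):
    """Client side: accept user@domain only if domain equals the local one."""
    user, _, domain = wire_name.rpartition("@")
    return user if user and domain.lower() == local_domain else nobody


def audit(user, server, clients):
    """server and each client are (fqdn, conf_text) pairs.

    Returns {client_fqdn: owner name the client would display}.
    """
    # The server qualifies the owner with its own effective domain.
    wire_name = f"{user}@{effective_domain(server[1], server[0])}"
    return {fqdn: map_owner(wire_name, effective_domain(conf, fqdn))
            for fqdn, conf in clients}


if __name__ == "__main__":
    hosts = ["client1.ca.example.com", "client8.ny.example.com"]
    cases = {
        "defaults everywhere": (DEFAULT_CONF, DEFAULT_CONF),
        "clients fixed, server default": (DEFAULT_CONF, FIXED_CONF),
        "Domain = example.com everywhere": (FIXED_CONF, FIXED_CONF),
    }
    for label, (server_conf, client_conf) in cases.items():
        result = audit("alice", ("nfs-server.ny.example.com", server_conf),
                       [(h, client_conf) for h in hosts])
        print(label, result)
```

The middle case is the one to watch during a rollout: changing only the clients leaves every client unable to map names until the NFS server carries the same `Domain` value.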