TomK wrote:
> On 3/15/2018 11:06 AM, Rob Crittenden wrote:
>> TomK wrote:
>>> On 3/12/2018 11:25 AM, Rob Crittenden wrote:
>>>> TomK wrote:
>>>>> On 3/7/2018 1:11 PM, Rob Crittenden wrote:
>>>>> Hey Rob,
>>>>>
>>>>> When starting idmapd or stopping it, logs on the LDAP server don't
>>>>> change. But UIDs and GIDs change to nfsnobody when I set Nobody-User
>>>>> and Nobody-Group to nfsnobody in /etc/idmapd.conf .
>>>>
>>>> I don't know that merely restarting the service is going to spark
>>>> queries against LDAP. You'd probably need to do something to provoke
>>>> that (like doing an ls).
>>> Nothing. Only once, at restart of the host, do I see something from ls; on a
>>> second execution of ls or any other type of directory interaction, nothing
>>> happens. Then it repeats randomly.
>>
>> Can you expand on this? What are you seeing on the client side? What
>> queries do you see in LDAP related to the request (any?) Remember that
>> the 389-ds access log is buffered so it can take up to 30 seconds for
>> the logs to update.
>>
>> rob
>>
>
> Got it. Here is the 389-ds log at the same time as the client prints
> these nfsidmap messages:
>
> [ CLIENT ]
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: key: 0x3b3559c4 type: uid
> value: tom@my.dom(a)localdomain timeout 600
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling
> umich_ldap->name_to_uid
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: ldap_init_and_bind: version
> mismatch between API information and protocol version. Setting protocol
> version to 3
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid:
> umich_ldap->name_to_uid returned -2
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling
> nsswitch->name_to_uid
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name
> 'tom@my.dom(a)localdomain' domain 'nix.my.dom': resulting localname '(null)'
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name
> 'tom@my.dom(a)localdomain' does not map into domain 'nix.my.dom'
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid:
> nsswitch->name_to_uid returned -22
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: final
> return value is -22
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling
> umich_ldap->name_to_uid
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: ldap_init_and_bind: version
> mismatch between API information and protocol version. Setting protocol
> version to 3
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid:
> umich_ldap->name_to_uid returned -2
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: calling
> nsswitch->name_to_uid
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nss_getpwnam: name
> 'nobody(a)nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid:
> nsswitch->name_to_uid returned 0
> Mar 15 23:13:06 ipaclient01 nfsidmap[4999]: nfs4_name_to_uid: final
> return value is 0
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: key: 0x3140cc17 type: gid
> value: tom@my.dom(a)localdomain timeout 600
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling
> umich_ldap->name_to_gid
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: ldap_init_and_bind: version
> mismatch between API information and protocol version. Setting protocol
> version to 3
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid:
> umich_ldap->name_to_gid returned -2
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling
> nsswitch->name_to_gid
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid:
> nsswitch->name_to_gid returned -22
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: final
> return value is -22
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling
> umich_ldap->name_to_gid
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: ldap_init_and_bind: version
> mismatch between API information and protocol version. Setting protocol
> version to 3
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid:
> umich_ldap->name_to_gid returned -2
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: calling
> nsswitch->name_to_gid
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid:
> nsswitch->name_to_gid returned 0
> Mar 15 23:13:06 ipaclient01 nfsidmap[5001]: nfs4_name_to_gid: final
> return value is 0
>
>
>
>
>
> [ IPA MASTER ]
> [15/Mar/2018:23:13:06.528045064 -0400] conn=69197 fd=260 slot=260
> connection from 192.168.0.236 to 192.168.0.44
> [15/Mar/2018:23:13:06.528983720 -0400] conn=69197 op=0 SRCH
> base="DC=NIX,DC=MY,DC=DOM" scope=2
> filter="(&(objectClass=NFSv4RemotePerson)(nfsv4name=tom@my.dom(a)localdomain))"
> attrs="uidNumber gidNumber"
> [15/Mar/2018:23:13:06.529512979 -0400] conn=69197 op=0 RESULT err=0
> tag=101 nentries=0 etime=0
> [15/Mar/2018:23:13:06.529825586 -0400] conn=69197 op=1 UNBIND
> [15/Mar/2018:23:13:06.529853432 -0400] conn=69197 op=1 fd=260 closed - U1
> [15/Mar/2018:23:13:06.531031559 -0400] conn=69198 fd=263 slot=263
> connection from 192.168.0.236 to 192.168.0.44
> [15/Mar/2018:23:13:06.531453140 -0400] conn=69198 op=0 SRCH
> base="DC=NIX,DC=MY,DC=DOM" scope=2
> filter="(&(objectClass=NFSv4RemotePerson)(nfsv4name=nobody(a)nix.my.dom))"
> attrs="uidNumber gidNumber"
> [15/Mar/2018:23:13:06.531856184 -0400] conn=69198 op=0 RESULT err=0
> tag=101 nentries=0 etime=0
> [15/Mar/2018:23:13:06.532153498 -0400] conn=69198 op=1 UNBIND
> [15/Mar/2018:23:13:06.532179628 -0400] conn=69198 op=1 fd=263 closed - U1
> [15/Mar/2018:23:13:06.546316517 -0400] conn=69199 fd=264 slot=264
> connection from 192.168.0.236 to 192.168.0.44
> [15/Mar/2018:23:13:06.546763006 -0400] conn=69199 op=0 SRCH
> base="DC=NIX,DC=MY,DC=DOM" scope=2
> filter="(&(objectClass=NFSv4RemoteGroup)(nfsv4name=tom@my.dom(a)localdomain))"
> attrs="uidNumber gidNumber"
> [15/Mar/2018:23:13:06.547118926 -0400] conn=69199 op=0 RESULT err=0
> tag=101 nentries=0 etime=0
Ok, I have zero experience with nfsidmap over LDAP but a few observations:
- Your search base is wrong. For users it should be
cn=users,cn=accounts,DC=NIX,DC=MY,DC=DOM
- It is searching on a non-existent objectclass. From what I can tell you
need to set
NFSv4_person_objectclass=posixaccount
NFSv4_name_attr=uid
An alternate thing to try is to set Method=sss instead of umich_ldap and
see if that helps.
rob
Thanks Rob. But unfortunately none of those did the trick.
[General]
Verbosity = 9
Local-Realms = NIX.MY.DOM,MY.DOM
Domain = nix.my.dom
[Mapping]
[Translation]
Method = sss,umich_ldap,nsswitch,static
GSS-Methods = sss,umich_ldap,nsswitch,static
[Static]
[UMICH_SCHEMA]
LDAP_server = idmipa01.nix.my.dom
LDAP_base = cn=users,cn=accounts,DC=NIX,DC=MY,DC=DOM
LDAP_people_base = DC=NIX,DC=MY,DC=DOM
LDAP_group_base = DC=NIX,DC=MY,DC=DOM
NFSv4_person_objectclass = posixaccount
NFSv4_name_attr = uid
Well the weekend's here though so maybe I can spend a little more time
focusing on this and finally get it solved. The tip to use sss as the
Method was great and I also added it to the GSS-Methods as well but no
luck. The fact that localdomain even appears in the logs bothers me. I
don't think it should given the Domain is set correctly in the
/etc/idmapd.conf file.
> [15/Mar/2018:23:13:06.547419820 -0400] conn=69199 op=1 UNBIND
> [15/Mar/2018:23:13:06.547446724 -0400] conn=69199 op=1 fd=264 closed - U1
> [15/Mar/2018:23:13:06.550193388 -0400] conn=69200 fd=265 slot=265
> connection from 192.168.0.236 to 192.168.0.44
> [15/Mar/2018:23:13:06.550580770 -0400] conn=69200 op=0 SRCH
> base="DC=NIX,DC=MY,DC=DOM" scope=2
> filter="(&(objectClass=NFSv4RemoteGroup)(nfsv4name=nobody(a)nix.my.dom))"
> attrs="uidNumber gidNumber"
> [15/Mar/2018:23:13:06.550933518 -0400] conn=69200 op=0 RESULT err=0
> tag=101 nentries=0 etime=0
> [15/Mar/2018:23:13:06.551220517 -0400] conn=69200 op=1 UNBIND
> [15/Mar/2018:23:13:06.551284941 -0400] conn=69200 op=1 fd=265 closed - U1
> [15/Mar/2018:23:13:06.580266816 -0400] conn=69191 op=8 SRCH
> base="cn=Default Trust View,cn=views,cn=accounts,dc=nix,dc=my,dc=dom"
> scope=2 filter="(&(objectClass=ipaUserOverride)(uid=tom))" attrs=ALL
> [15/Mar/2018:23:13:06.580664050 -0400] conn=69191 op=8 RESULT err=0
> tag=101 nentries=0 etime=0
> [15/Mar/2018:23:13:06.581138601 -0400] conn=69191 op=9 EXT
> oid="2.16.840.1.113730.3.8.10.4.1" name="IPA trusted domain ID mapper"
> [15/Mar/2018:23:13:06.585652291 -0400] conn=69180 op=5 SRCH
> base="cn=Default Trust View,cn=views,cn=accounts,dc=nix,dc=my,dc=dom"
> scope=2 filter="(&(objectClass=ipaUserOverride)(uid=tom))" attrs=ALL
> [15/Mar/2018:23:13:06.585897291 -0400] conn=69180 op=5 RESULT err=0
> tag=101 nentries=0 etime=0
> [15/Mar/2018:23:13:06.610226668 -0400] conn=9 op=99467 SRCH
> base="dc=nix,dc=my,dc=dom" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/idmipa01.nix.my.dom@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=host/idmipa01.nix.my.dom@NIX.MY.DOM)))"
> attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
> ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.611043926 -0400] conn=9 op=99467 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.611343977 -0400] conn=9 op=99468 SRCH
> base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags"
> [15/Mar/2018:23:13:06.611511419 -0400] conn=9 op=99468 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.611781846 -0400] conn=9 op=99469 SRCH
> base="dc=nix,dc=my,dc=dom" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NIX.MY.DOM@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/NIX.MY.DOM@NIX.MY.DOM)))"
> attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
> ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.612369061 -0400] conn=9 op=99469 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.612710359 -0400] conn=9 op=99470 SRCH
> base="cn=Default Host Password
> Policy,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0
> filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
> krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
> krbPwdFailureCountInterval krbPwdLockoutDuration"
> [15/Mar/2018:23:13:06.612874801 -0400] conn=9 op=99470 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.614845128 -0400] conn=8 op=338424 SRCH
> base="dc=nix,dc=my,dc=dom" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/idmipa01.nix.my.dom@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=host/idmipa01.nix.my.dom@NIX.MY.DOM)))"
> attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
> ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.615299624 -0400] conn=8 op=338424 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.615585618 -0400] conn=8 op=338425 SRCH
> base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags"
> [15/Mar/2018:23:13:06.615741765 -0400] conn=8 op=338425 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.616016867 -0400] conn=8 op=338426 SRCH
> base="dc=nix,dc=my,dc=dom" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NIX.MY.DOM@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/NIX.MY.DOM@NIX.MY.DOM)))"
> attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
> ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.616474488 -0400] conn=8 op=338426 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.616734155 -0400] conn=8 op=338427 SRCH
> base="cn=Default Host Password
> Policy,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom" scope=0
> filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
> krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
> krbPwdFailureCountInterval krbPwdLockoutDuration"
> [15/Mar/2018:23:13:06.616891114 -0400] conn=8 op=338427 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.617275452 -0400] conn=8 op=338428 SRCH
> base="fqdn=idmipa01.nix.my.dom,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom"
> scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
> gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
> ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
> ipaNTHomeDirectoryDrive"
> [15/Mar/2018:23:13:06.619766808 -0400] conn=8 op=338428 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.619940264 -0400] conn=8 op=338429 SRCH
> base="cn=idmipa01.nix.my.dom,cn=masters,cn=ipa,cn=etc,dc=nix,dc=my,dc=dom"
> scope=0 filter="(objectClass=*)" attrs=ALL
> [15/Mar/2018:23:13:06.620166400 -0400] conn=8 op=338429 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.620841171 -0400] conn=8 op=338430 MOD
> dn="fqdn=idmipa01.nix.my.dom,cn=computers,cn=accounts,dc=nix,dc=my,dc=dom"
> [15/Mar/2018:23:13:06.627304715 -0400] conn=8 op=338430 RESULT err=0
> tag=103 nentries=0 etime=0 csn=5aab36ca000000040000
> [15/Mar/2018:23:13:06.635192361 -0400] conn=9 op=99471 SRCH
> base="dc=nix,dc=my,dc=dom" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/NIX.MY.DOM@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/NIX.MY.DOM@NIX.MY.DOM)))"
> attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
> ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.635734053 -0400] conn=9 op=99471 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.636355108 -0400] conn=9 op=99472 SRCH
> base="dc=nix,dc=my,dc=dom" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/MY.DOM@NIX.MY.DOM)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/MY.DOM@NIX.MY.DOM)))"
> attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
> ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.636934738 -0400] conn=9 op=99472 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.637192683 -0400] conn=9 op=99473 SRCH
> base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags"
> [15/Mar/2018:23:13:06.637329793 -0400] conn=9 op=99473 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.637651311 -0400] conn=9 op=99474 SRCH
> base="dc=nix,dc=my,dc=dom" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/idmipa01.nix.my.dom(a)NIX.MY.DOM))"
> attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
> ipatokenRadiusConfigLink objectClass"
> [15/Mar/2018:23:13:06.638056445 -0400] conn=9 op=99474 RESULT err=0
> tag=101 nentries=1 etime=0
> [15/Mar/2018:23:13:06.638324542 -0400] conn=9 op=99475 SRCH
> base="cn=NIX.MY.DOM,cn=kerberos,dc=nix,dc=my,dc=dom" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags"
> [15/Mar/2018:23:13:06.638461582 -0400] conn=9 op=99475 RESULT err=0
> tag=101 nentries=1 etime=0
>
>
>
> Cheers,
> Tom
>
>>>>
>>>>> [General]
>>>>> Verbosity = 9
>>>>> Domain = nix.my.dom
>>>>> [Mapping]
>>>>> Nobody-User = nfsnobody
>>>>> Nobody-Group = nfsnobody
>>>>> [Translation]
>>>>> [Static]
>>>>> [UMICH_SCHEMA]
>>>>> LDAP_server = idmipa01.nix.my.dom
>>>>> LDAP_base = cn=accounts,DC=NIX,DC=MY,DC=DOM
>>>>> LDAP_people_base = DC=NIX,DC=MY,DC=DOM
>>>>> LDAP_group_base = DC=NIX,DC=MY,DC=DOM
>>>>
>>>> The people basedn should probably be cn=users,cn=accounts,... and the
>>>> group base cn=groups,cn=accounts,... Unless it cleverly smashes that
>>>> together with LDAP_base, I'm not sure what it does. The 389-ds access
>>>> logs will tell you if it is trying at all (note the logs are
>>>> write-buffered so you won't see immediate updates).
>>>>
>>>> If you have compat enabled then idmapd may be getting multiple entries,
>>>> one from cn=compat and one from the main tree and that could be
>>>> confusing it.
>>> No difference. Even the IPA-defined users are having this issue.
>>>
>>> However, and this may be a very dumb question, but you raised 389-ds
>>> logs. I'm using IPA Server, not 389-ds unless you're implying I may
>>> need packages? The IPA servers come with 389-ds-base installed but do I
>>> need this or something else on the IPA clients as well?
>>>
>>> In the existing IPA logs, no other log entries correlate with the
>>> nfsidmapd messages on the client.
>>>
>>> Method = umich_ldap,nsswitch,static
>>> GSS-Methods = umich_ldap,nsswitch,static
>>>
>>> However it still lists:
>>>
>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
>>> user_dn : <not-supplied>
>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
>>> passwd : <not-supplied>
>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
>>> use_ssl : no
>>> Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
>>> ca_cert : <not-supplied>
>>>
>>> and I'm not sure what variables idmapd.conf uses for password and user.
>>> Still, I've left the LAB KDC open so no users and passes are needed for
>>> simple lookups.
>>>
>>> After setting the above, the messages in the logs changed slightly:
>>>
>>> Mar 15 01:29:24 ipaclient01 systemd-logind: New session 5 of user tomk.
>>> Mar 15 01:29:24 ipaclient01 systemd: Started Session 5 of user tomk.
>>> Mar 15 01:29:24 ipaclient01 systemd: Starting Session 5 of user tomk.
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid
>>> value: tomk@localdomain timeout 600
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
>>> umich_ldap->name_to_uid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version
>>> mismatch between API information and protocol version. Setting protocol
>>> version to 3
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
>>> umich_ldap->name_to_uid returned -2
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
>>> nsswitch->name_to_uid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
>>> 'tomk@localdomain' domain 'nix.my.dom': resulting localname '(null)'
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
>>> 'tomk@localdomain' does not map into domain 'nix.my.dom'
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
>>> nsswitch->name_to_uid returned -22
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final
>>> return value is -22
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
>>> umich_ldap->name_to_uid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version
>>> mismatch between API information and protocol version. Setting protocol
>>> version to 3
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
>>> umich_ldap->name_to_uid returned -2
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
>>> nsswitch->name_to_uid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
>>> 'nobody(a)nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
>>> nsswitch->name_to_uid returned 0
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final
>>> return value is 0
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid
>>> value: tomk@localdomain timeout 600
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
>>> umich_ldap->name_to_gid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version
>>> mismatch between API information and protocol version. Setting protocol
>>> version to 3
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
>>> umich_ldap->name_to_gid returned -2
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
>>> nsswitch->name_to_gid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
>>> nsswitch->name_to_gid returned -22
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final
>>> return value is -22
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
>>> umich_ldap->name_to_gid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version
>>> mismatch between API information and protocol version. Setting protocol
>>> version to 3
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
>>> umich_ldap->name_to_gid returned -2
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
>>> nsswitch->name_to_gid
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
>>> nsswitch->name_to_gid returned 0
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final
>>> return value is 0
>>>
>>> (Port 389 between client and server are open.) Seems like the line:
>>>
>>> Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid
>>> value: tomk@localdomain timeout 600
>>>
>>> might be to blame. It's the first line that shows localdomain, but it
>>> should not. My hosts file:
>>>
>>> [root@ipaclient01 ~]# cat /etc/hosts
>>> 127.0.0.1 localhost localhost.localdomain localhost4
>>> localhost4.localdomain4
>>> ::1 localhost localhost.localdomain localhost6
>>> localhost6.localdomain6
>>> 192.168.0.236 ipaclient01.nix.my.dom ipaclient01
>>> [root@ipaclient01 ~]#
>>>
>>> Guessing key gets its info from /etc/hosts directly and I should look
>>> at that?
>>>
>>> Cheers,
>>> Tom
>>>
>>>>
>>>> rob
>>>>
>>>>>
>>>>> Cheers,
>>>>> Tom
>>>>>
>>>>>> TomK via FreeIPA-users wrote:
>>>>>>> Hey Guys,
>>>>>>>
>>>>>>> Getting below message which in turn fails to list proper UID / GID on
>>>>>>> NFSv4 mounts from within an unprivileged account. All files show up with
>>>>>>> owner and group as nobody / nobody when viewed from the client.
>>>>>>>
>>>>>>> Is there a way to structure /etc/idmapd.conf to allow for proper UID /
>>>>>>> GID resolution? Or perhaps another solution?
>>>>>>>
>>>>>>>
>>>>>>> [root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e "/^$/d"
>>>>>>> [General]
>>>>>>> Verbosity = 7
>>>>>>> Domain = nix.my.dom
>>>>>>> [Mapping]
>>>>>>> [Translation]
>>>>>>> [Static]
>>>>>>> [UMICH_SCHEMA]
>>>>>>> LDAP_server = ldap-server.local.domain.edu
>>>>>>> LDAP_base = dc=local,dc=domain,dc=edu
>>>>>>> [root@client01 etc]#
>>>>>>>
>>>>>>> Mount looks like this:
>>>>>>>
>>>>>>> nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4
>>>>>>> (rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> /var/log/messages
>>>>>>>
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid value: tom@my.dom(a)localdomain timeout 600
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'tom@my.dom(a)localdomain' domain 'nix.my.dom': resulting localname '(null)'
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'tom@my.dom(a)localdomain' does not map into domain 'nix.my.dom'
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is -22
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling nsswitch->name_to_uid
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name 'nobody(a)nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final return value is 0
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid value: tom@my.dom(a)localdomain timeout 600
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is -22
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling nsswitch->name_to_gid
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
>>>>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final return value is 0
>>>>>>> Mar 6 00:17:31 client01 systemd-logind: Removed session 23.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Result of:
>>>>>>>
>>>>>>> systemctl restart rpcidmapd
>>>>>>>
>>>>>>> /var/log/messages
>>>>>>> -------------------
>>>>>>> Mar 5 23:46:12 client01 systemd: Stopping Automounts filesystems on demand...
>>>>>>> Mar 5 23:46:13 client01 systemd: Stopped Automounts filesystems on demand.
>>>>>>> Mar 5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping service...
>>>>>>> Mar 5 23:48:51 client01 systemd: Starting Preprocess NFS configuration...
>>>>>>> Mar 5 23:48:51 client01 systemd: Started Preprocess NFS configuration.
>>>>>>> Mar 5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping service...
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using domain: nix.my.dom
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms list: 'NIX.MY.DOM'
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: using domain: nix.my.dom
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: Realms list: 'NIX.MY.DOM'
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is 600 seconds.
>>>>>>> Mar 5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping service.
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.nametoid/channel
>>>>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened /proc/net/rpc/nfs4.idtoname/channel
>>>>>>>
>>>>>>
>>>>>> You might be able to correlate that to the 389-ds access log to see what
>>>>>> queries are being executed.
>>>>>>
>>>>>> You probably need to set LDAP_people_base and LDAP_group_base as well.
>>>>>>
>>>>>> I think ipa-client-automount only sets the Domain value and doesn't
>>>>>> configure the ldap section at all.
>>>>>>
>>>>>> rob
>>>>>> _______________________________________________
>>>>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>>>>> To unsubscribe send an email to
>>>>>> sssd-users-leave(a)lists.fedorahosted.org
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
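Added example, not part of the thread and not code from libnfsidmap, rpc.idmapd or FreeIPA: a small Python model of the two decisions the nfsidmap log lines above make visible, so the -2 / -22 / 0 sequence and the "nobody" fallback can be reproduced offline. It covers both Rob's suggested [UMICH_SCHEMA] settings (NFSv4_person_objectclass / NFSv4_name_attr) and the nss_getpwnam "does not map into domain" lines. Assumptions: the "(a)" in the archived owner strings is the list archive masking an "@", so the NFSv4 owner handed to nfsidmap was really "tom@my.dom@localdomain"; the DIRECTORY and PASSWD tables are constructed sample data, not a dump of anyone's IPA tree or client passwd database; the umich_ldap and nsswitch behaviours are modelled on what the logs show (filter shape, last-"@" split, error codes), not copied from the plugin sources.

```python
"""Model of the nfsidmap name-to-id decisions visible in the thread's logs.

Added example (not libnfsidmap / rpc.idmapd / FreeIPA code). Assumptions:
  * "(a)" in the archived owner strings is a masked "@";
  * DIRECTORY and PASSWD are constructed sample data;
  * umich_ldap builds (&(objectClass=<oc>)(<attr>=<whole owner string>)) and
    returns -ENOENT (-2) on nentries=0; nsswitch splits the owner at its LAST
    '@', compares the suffix with Domain and returns -EINVAL (-22) on mismatch.
"""
import errno

# Constructed stand-in for the IPA users subtree: (objectClass set, attributes).
# Attribute names are lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = [
    ({"posixaccount", "person", "inetorgperson"},
     {"uid": "tom", "uidnumber": 1001, "gidnumber": 1001}),
]
# Constructed stand-in for what getpwnam() on the client would answer.
PASSWD = {"tom": 1001, "nobody": 99, "nfsnobody": 65534}


def umich_filter(owner, objectclass="NFSv4RemotePerson", name_attr="nfsv4name"):
    """Filter shape seen in the 389-ds access log: the whole owner string,
    domain suffix included, is matched against NFSv4_name_attr."""
    return f"(&(objectClass={objectclass})({name_attr}={owner}))"


def umich_ldap_name_to_uid(owner, objectclass="NFSv4RemotePerson", name_attr="nfsv4name"):
    """umich_ldap style lookup: (0, uidNumber) on a hit, (-2, None) when the
    search comes back with nentries=0, as every search in the log does."""
    oc, attr = objectclass.lower(), name_attr.lower()
    for classes, attrs in DIRECTORY:
        if oc in classes and str(attrs.get(attr)) == owner:
            return 0, attrs["uidnumber"]
    return -errno.ENOENT, None


def strip_domain(owner, domain):
    """Local part of owner if the text after the LAST '@' equals Domain
    (case-insensitive); None when the owner does not map into Domain."""
    local, sep, suffix = owner.rpartition("@")
    if not sep:
        return owner if domain is None else None
    return local if suffix.lower() == domain.lower() else None


def nsswitch_name_to_uid(owner, domain):
    """nsswitch style lookup: (-22, None) when the owner does not map into
    Domain, (-2, None) when the local user is unknown, else (0, uid)."""
    local = strip_domain(owner, domain)
    if local is None:
        return -errno.EINVAL, None
    if local not in PASSWD:
        return -errno.ENOENT, None
    return 0, PASSWD[local]


def nfs4_name_to_uid(owner, domain, methods, nobody_user="nobody", ldap_opts=None):
    """Run the Method chain for the owner and, if every method fails, once more
    for Nobody-User@Domain (the retry visible in the log). Returns
    (rc, uid, trace); trace lists (candidate, method, rc) in call order."""
    ldap_opts = ldap_opts or {}
    rc, trace = -errno.ENOENT, []
    for candidate in (owner, f"{nobody_user}@{domain}"):
        for method in methods:
            if method == "umich_ldap":
                rc, uid = umich_ldap_name_to_uid(candidate, **ldap_opts)
            elif method == "nsswitch":
                rc, uid = nsswitch_name_to_uid(candidate, domain)
            else:
                continue  # static and sss are not modelled here
            trace.append((candidate, method, rc))
            if rc == 0:
                return 0, uid, trace
    return rc, None, trace


if __name__ == "__main__":
    owner, domain = "tom@my.dom@localdomain", "nix.my.dom"
    print(umich_filter(owner))
    rc, uid, trace = nfs4_name_to_uid(owner, domain, ["umich_ldap", "nsswitch"])
    for step in trace:
        print("%-26s %-10s returned %d" % step)
    print("final uid:", uid)  # 99: the file shows up as nobody
    # With Rob's schema settings the filter becomes (uid=<owner>), which still
    # misses: the posixAccount uid is "tom", not the whole owner string.
    print(umich_ldap_name_to_uid(owner, "posixaccount", "uid"))
    # Only an owner whose suffix is the configured Domain reaches the real uid.
    print(nfs4_name_to_uid("tom@nix.my.dom", domain, ["umich_ldap", "nsswitch"])[1])
```

Two things to check against this model on a real client. First, the owner string the server sends must end in exactly the Domain the client has configured; "tom@my.dom@localdomain" carries "localdomain" after its last "@", so no Domain of "nix.my.dom" can accept it, and the fallback to Nobody-User@Domain is what produces the "nobody" ownership. Second, the access log shows umich_ldap putting the entire owner string into the filter, so pointing NFSv4_name_attr at uid only helps if the directory entry's uid is literally that whole string. A security caveat the earlier umichldap_init lines make visible: with user_dn and passwd "<not-supplied>" and use_ssl "no", the client decides which local uid a remote owner becomes from an anonymous, cleartext LDAP answer on port 389; outside a lab, set the SSL and CA-certificate options of [UMICH_SCHEMA] (the use_ssl / ca_cert values umichldap_init logs) or prefer the sss method, so that mapping cannot be steered by whoever can answer those queries first.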