On 3/12/2018 11:25 AM, Rob Crittenden wrote:
> TomK wrote:
>> On 3/7/2018 1:11 PM, Rob Crittenden wrote:
>> Hey Rob,
>>
>> When starting idmapd or stopping it, logs on the LDAP server don't
>> change. But UIDs and GIDs change to nfsnobody when I set Nobody-User
>> and Nobody-Group to nfsnobody in /etc/idmapd.conf .
>
> I don't know that merely restarting the service is going to spark
> queries against LDAP. You'd probably need to do something to provoke
> that (like doing an ls).
Nothing. Only once, at restart of the host, do I see something from ls; on
a second execution of ls or any type of directory interaction, nothing
happens. Then it repeats randomly.
Can you expand on this? What are you seeing on the client side? What
queries do you see in LDAP related to the request (any?) Remember that
the 389-ds access log is buffered so it can take up to 30 seconds for
the logs to update.
rob
>
>> [General]
>> Verbosity = 9
>> Domain = nix.my.dom
>> [Mapping]
>> Nobody-User = nfsnobody
>> Nobody-Group = nfsnobody
>> [Translation]
>> [Static]
>> [UMICH_SCHEMA]
>> LDAP_server = idmipa01.nix.my.dom
>> LDAP_base = cn=accounts,DC=NIX,DC=MY,DC=DOM
>> LDAP_people_base = DC=NIX,DC=MY,DC=DOM
>> LDAP_group_base = DC=NIX,DC=MY,DC=DOM
>
> The people basedn should probably be cn=users,cn=accounts,... and the
> group base cn=groups,cn=accounts,... Unless it cleverly smashes that
> together with LDAP_base, I'm not sure what it does. The 389-ds access
> logs will tell you if it is trying at all (note the logs are
> write-buffered so you won't see immediate updates).
>
> If you have compat enabled then idmapd may be getting multiple entries,
> one from cn=compat and one from the main tree and that could be
> confusing it.
No difference. Even the IP defined users are having this issue.
However, and this may be a very dumb question, but you raised 389-ds
logs. I'm using IPA Server, not 389-ds unless you're implying I may
need packages? The IPA servers come with 389-ds-base installed but do I
need this or something else on the IPA clients as well?
In the existing IPA logs, no other log entries correlate with the
nfsidmapd messages on the client.
Method = umich_ldap,nsswitch,static
GSS-Methods = umich_ldap,nsswitch,static
However it still lists:
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
user_dn : <not-supplied>
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
passwd : <not-supplied>
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
use_ssl : no
Mar 15 01:15:56 ipaclient01 rpc.idmapd: rpc.idmapd: umichldap_init:
ca_cert : <not-supplied>
and I'm not sure what variables idmapd.conf uses for password and user.
Still, I've left the LAB KDC open so no users and passes are needed for
simple lookups.
After setting the above, the messages in the logs changed slightly:
Mar 15 01:29:24 ipaclient01 systemd-logind: New session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 systemd: Started Session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 systemd: Starting Session 5 of user tomk.
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid
value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
umich_ldap->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version
mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
umich_ldap->name_to_uid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
'tomk@localdomain' domain 'nix.my.dom': resulting localname
'(null)'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
'tomk@localdomain' does not map into domain 'nix.my.dom'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
nsswitch->name_to_uid returned -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final
return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
umich_ldap->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: ldap_init_and_bind: version
mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
umich_ldap->name_to_uid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name
'nobody@nix.my.dom' domain 'nix.my.dom': resulting localname
'nobody'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid:
nsswitch->name_to_uid returned 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final
return value is 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid
value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
umich_ldap->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version
mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
umich_ldap->name_to_gid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
nsswitch->name_to_gid returned -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final
return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
umich_ldap->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: ldap_init_and_bind: version
mismatch between API information and protocol version. Setting protocol
version to 3
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
umich_ldap->name_to_gid returned -2
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid:
nsswitch->name_to_gid returned 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final
return value is 0
(Port 389 between client and server is open.) Seems like the line:
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid
value: tomk@localdomain timeout 600
might be to blame. It's the first line that shows localdomain, but it
should not. My hosts file:
[root@ipaclient01 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4
localhost4.localdomain4
::1 localhost localhost.localdomain localhost6
localhost6.localdomain6
192.168.0.236 ipaclient01.nix.my.dom ipaclient01
[root@ipaclient01 ~]#
Guessing key gets its info from /etc/hosts directly and I should look
at that?
Cheers,
Tom
>
> rob
>
>>
>> Cheers,
>> Tom
>>
>>> TomK via FreeIPA-users wrote:
>>>> Hey Guys,
>>>>
>>>> Getting below message which in turn fails to list proper UID / GID on
>>>> NFSv4 mounts from within an unprivileged account. All files show up
>>>> with
>>>> owner and group as nobody / nobody when viewed from the client.
>>>>
>>>> Is there a way to structure /etc/idmapd.conf to allow for proper UID /
>>>> GID resolution? Or perhaps another solution?
>>>>
>>>>
>>>> [root@client01 etc]# cat /etc/idmapd.conf|grep -v "#"| sed -e "/^$/d"
>>>> [General]
>>>> Verbosity = 7
>>>> Domain = nix.my.dom
>>>> [Mapping]
>>>> [Translation]
>>>> [Static]
>>>> [UMICH_SCHEMA]
>>>> LDAP_server = ldap-server.local.domain.edu
>>>> LDAP_base = dc=local,dc=domain,dc=edu
>>>> [root@client01 etc]#
>>>>
>>>> Mount looks like this:
>>>>
>>>> nfs-c01.nix.my.dom:/n/my.dom on /n/my.dom type nfs4 (rw,relatime,vers=4.0,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp,port=0,timeo=10,retrans=2,sec=sys,clientaddr=192.168.0.236,local_lock=none,addr=192.168.0.80)
>>>>
>>>>
>>>>
>>>>
>>>> /var/log/messages
>>>>
>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: key: 0x3f2c257b type: uid
>>>> value: tom@my.dom@localdomain timeout 600
>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling
>>>> nsswitch->name_to_uid
>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
>>>> 'tom@my.dom@localdomain' domain 'nix.my.dom': resulting localname '(null)'
>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
>>>> 'tom@my.dom@localdomain' does not map into domain 'nix.my.dom'
>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid:
>>>> nsswitch->name_to_uid returned -22
>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final
>>>> return
>>>> value is -22
>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: calling
>>>> nsswitch->name_to_uid
>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nss_getpwnam: name
>>>> 'nobody@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid:
>>>> nsswitch->name_to_uid returned 0
>>>> Mar 6 00:17:27 client01 nfsidmap[14396]: nfs4_name_to_uid: final
>>>> return
>>>> value is 0
>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: key: 0x324b0048 type: gid
>>>> value: tom@my.dom@localdomain timeout 600
>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling
>>>> nsswitch->name_to_gid
>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid:
>>>> nsswitch->name_to_gid returned -22
>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final
>>>> return
>>>> value is -22
>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: calling
>>>> nsswitch->name_to_gid
>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid:
>>>> nsswitch->name_to_gid returned 0
>>>> Mar 6 00:17:27 client01 nfsidmap[14398]: nfs4_name_to_gid: final
>>>> return
>>>> value is 0
>>>> Mar 6 00:17:31 client01 systemd-logind: Removed session 23.
>>>>
>>>>
>>>>
>>>>
>>>> Result of:
>>>>
>>>> systemctl restart rpcidmapd
>>>>
>>>> /var/log/messages
>>>> -------------------
>>>> Mar 5 23:46:12 client01 systemd: Stopping Automounts filesystems on
>>>> demand...
>>>> Mar 5 23:46:13 client01 systemd: Stopped Automounts filesystems on
>>>> demand.
>>>> Mar 5 23:48:51 client01 systemd: Stopping NFSv4 ID-name mapping
>>>> service...
>>>> Mar 5 23:48:51 client01 systemd: Starting Preprocess NFS
>>>> configuration...
>>>> Mar 5 23:48:51 client01 systemd: Started Preprocess NFS
>>>> configuration.
>>>> Mar 5 23:48:51 client01 systemd: Starting NFSv4 ID-name mapping
>>>> service...
>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: using domain:
>>>> nix.my.dom
>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: Realms list:
>>>> 'NIX.MY.DOM'
>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: using
>>>> domain: nix.my.dom
>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: Realms
>>>> list: 'NIX.MY.DOM'
>>>> Mar 5 23:48:51 client01 rpc.idmapd: rpc.idmapd: libnfsidmap: loaded
>>>> plugin /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>>> Mar 5 23:48:51 client01 rpc.idmapd[14117]: libnfsidmap: loaded plugin
>>>> /lib64/libnfsidmap/nsswitch.so for method nsswitch
>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Expiration time is 600
>>>> seconds.
>>>> Mar 5 23:48:51 client01 systemd: Started NFSv4 ID-name mapping
>>>> service.
>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened
>>>> /proc/net/rpc/nfs4.nametoid/channel
>>>> Mar 5 23:48:51 client01 rpc.idmapd[14118]: Opened
>>>> /proc/net/rpc/nfs4.idtoname/channel
>>>>
>>>
>>> You might be able to correlate that to the 389-ds access log to see
>>> what
>>> queries are being executed.
>>>
>>> You probably need to set LDAP_people_base and LDAP_group_base as well.
>>>
>>> I think ipa-client-automount only sets the Domain value and doesn't
>>> configure the ldap section at all.
>>>
>>> rob
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>>
>>
>>
>
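Added example (not code from the thread, from libnfsidmap or from FreeIPA): a small Python scanner for the nfsidmap upcall lines quoted above. It models the domain check that the nss_getpwnam messages show (split the NFSv4 principal at its last '@', compare the domain part case-insensitively with the client's configured Domain) and groups each key upcall with its first final return value, so a run over /var/log/messages tells you at a glance which requests failed because the principal carried a foreign domain such as 'localdomain' rather than because LDAP or NSS lookups themselves failed. The sample log, the Domain value nix.my.dom and the 'alice' request are constructed from the thread's examples; the regexes and function names are this example's own.

```python
import re
from collections import Counter

# Domain= from /etc/idmapd.conf as posted in the thread.
NFS_DOMAIN = "nix.my.dom"

# Constructed sample, modelled on the /var/log/messages lines in the thread
# ('@' restored where the archive shows '(a)'); the alice request is invented.
SAMPLE_LOG = """\
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: key: 0x62dd191 type: uid value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'tomk@localdomain' domain 'nix.my.dom': resulting localname '(null)'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'tomk@localdomain' does not map into domain 'nix.my.dom'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nss_getpwnam: name 'nobody@nix.my.dom' domain 'nix.my.dom': resulting localname 'nobody'
Mar 15 01:29:24 ipaclient01 nfsidmap[1853]: nfs4_name_to_uid: final return value is 0
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: key: 0x1917bd86 type: gid value: tomk@localdomain timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1855]: nfs4_name_to_gid: final return value is -22
Mar 15 01:29:24 ipaclient01 nfsidmap[1857]: key: 0x1a2b3c4d type: uid value: alice@NIX.MY.DOM timeout 600
Mar 15 01:29:24 ipaclient01 nfsidmap[1857]: nfs4_name_to_uid: final return value is 0
"""

KEY_RE = re.compile(
    r"nfsidmap\[(\d+)\]: key: (0x[0-9a-f]+) type: (uid|gid) value: (\S+) timeout")
RET_RE = re.compile(
    r"nfsidmap\[(\d+)\]: nfs4_name_to_(uid|gid): final return value is (-?\d+)")


def strip_domain(name, domain):
    """Local part of an NFSv4 'user@domain' principal, or None.

    Modelled on the behaviour the nss_getpwnam log lines show (assumption,
    not the library's own code): split at the LAST '@', so a GSS-style
    'tom@my.dom@localdomain' has domain 'localdomain'; the domain must equal
    the configured one ignoring case; a bare name with no '@' does not map.
    """
    head, sep, dom = name.rpartition("@")
    if not sep or dom.lower() != domain.lower():
        return None
    return head


def scan_idmap_log(text, domain=NFS_DOMAIN):
    """Pair each key upcall with its first 'final return value' by pid.

    Later return values for the same pid belong to the nobody fallback
    lookup, which is why the raw log shows -22 followed by 0.
    """
    by_pid, results = {}, []
    for line in text.splitlines():
        m = KEY_RE.search(line)
        if m:
            pid, key, kind, value = m.groups()
            local = strip_domain(value, domain)
            if local is None:
                why = ("domain '%s' does not match configured Domain '%s'"
                       % (value.rpartition("@")[2], domain))
            else:
                why = "ok"
            req = {"pid": int(pid), "key": key, "type": kind, "value": value,
                   "local": local, "rc": None, "diagnosis": why}
            by_pid[pid] = req
            results.append(req)
            continue
        m = RET_RE.search(line)
        if m:
            pid, kind, rc = m.groups()
            req = by_pid.get(pid)
            if req and req["rc"] is None and req["type"] == kind:
                req["rc"] = int(rc)
    return results


def mismatched_domains(results):
    """Count the foreign domain suffixes behind the failed requests."""
    c = Counter()
    for r in results:
        if r["local"] is None:
            c[r["value"].rpartition("@")[2]] += 1
    return c


if __name__ == "__main__":
    found = scan_idmap_log(SAMPLE_LOG)
    for r in found:
        print("%s %-22s rc=%-4s %s" % (r["type"], r["value"], r["rc"], r["diagnosis"]))
    print("foreign domains:", dict(mismatched_domains(found)))
```

Run it against the real file with `scan_idmap_log(open("/var/log/messages").read())`; a Counter dominated by one suffix such as 'localdomain' says the principal strings reaching the client carry a domain the client's idmapd is not configured for, which is a different problem from the LDAP_base or 389-ds access-log questions discussed earlier in the thread.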