Hi,

For me, configuring idmapd in a cross-realm setup with SSSD and NFSv4 is challenging. The idmapd.conf manual says: an NFSv4 domain is a namespace with a unique uid<->username and gid<->groupname mapping; Domain defaults to the machine's domain name.
Using Method = nsswitch, I expect that idmapd's request to sssd-nss would be used for mapping.
If sssd can resolve login names as short names that are unique across realms, e.g. sAMAccountName names, mapping works. In that case, Domain can be anything; it is stripped off.
If login names are resolved as FQDNs across realms, mapping doesn't work if the computer's domain differs from the user's domain. The Kerberized NFS home directory is mounted, but the mapping to nobody/nogroup blocks the user from logging in.
In my case the NFS client machines and the NFSv4 server are in the same domain; users are from different domains.

Longina
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: 20 October 2015 16:14 To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] SSSD & AD & Kerberized nfs
Will add this to my document, thanks. I have heard about this issue - but how many is "many groups"? I have a user here with 32 groups - I do not experience any problems.

O.
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of John Hodrien Sent: 20 October 2015 15:07 To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org> Subject: Re: [SSSD-users] SSSD & AD & Kerberized nfs
On Tue, 20 Oct 2015, Ondrej Valousek wrote:

Hi all,
Just put together a few findings about kerberized NFS & AD. See here: https://ovalousek.wordpress.com/2015/10/15/enable-kerberized-nfs-with-sssd-and-active-directory/
For people hosting NFS/krb5 on EL6, there certainly used to be problems if you had PAC enabled on the server for users who were members of many groups.
The solution is to disable PAC for services on that host via userAccountControl.
userAccountControl: 33624064
That then causes fun, as Samba on EL6 can't cope with PAC being disabled. Cue fun with running two AD objects per server, and merging of keytabs such that you can have PAC on Samba and not on NFS.
userAccountControl: 69632
jh
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
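To see what the two userAccountControl values in John Hodrien's message actually switch on, here is an added example (not code from the thread) that decodes a userAccountControl integer into its documented AD flag names and reports which bits differ between the NFS host object and the Samba host object; flag constants are the published ADS_USER_FLAG_ENUM values, and the two sample numbers are copied from the message.

```python
# Decode Active Directory userAccountControl bit flags.
# Added example, not from the mailing-list thread. Flag values follow the
# documented ADS_USER_FLAG_ENUM constants; nothing here touches AD itself.

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x2000000: "NO_AUTH_DATA_REQUIRED",   # service tickets carry no PAC
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

def decode_uac(value: int) -> list[str]:
    """Names of all flags set in value, lowest bit first; unknown bits are kept raw."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)          # bits not in the table
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names

def uac_diff(old: int, new: int) -> tuple[list[str], list[str]]:
    """(flags added, flags removed) when an object moves from old to new."""
    return decode_uac(new & ~old), decode_uac(old & ~new)

def pac_disabled(value: int) -> bool:
    """True when NO_AUTH_DATA_REQUIRED is set, i.e. the KDC omits the PAC."""
    return bool(value & 0x2000000)

# The two values quoted in the thread: NFS object (PAC off) and Samba object (PAC on).
NFS_HOST_UAC = 33624064
SAMBA_HOST_UAC = 69632

if __name__ == "__main__":
    for label, v in (("NFS", NFS_HOST_UAC), ("Samba", SAMBA_HOST_UAC)):
        print(f"{label}: {v} -> {', '.join(decode_uac(v))}")
    print("added/removed:", uac_diff(SAMBA_HOST_UAC, NFS_HOST_UAC))
```

Run against the two values, the only difference reported is NO_AUTH_DATA_REQUIRED, which is the bit that stops the KDC from putting a PAC into the NFS service tickets while the Samba object keeps it.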