Read the document carefully and try again :) IDmapper has a little to do with Kerberos. Care about the *gssd services - they handle Kerberos. RH-6.7 works nicely for me.
O.
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of John Beranek
Sent: 20 October 2015 14:23
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] SSSD & AD & Kerberized nfs
On 20 October 2015 at 12:33, Ondrej Valousek Ondrej.Valousek@s3group.com wrote:
Hi all,
Just put together a few findings about kerberized NFS & AD. See here:
https://ovalousek.wordpress.com/2015/10/15/enable-kerberized-nfs-with-sssd-and-active-directory/
Thanks for this, I've had another attempt to get an AD-sssd Linux client (CentOS 6.7) to connect to our Isilon cluster kerberized, but am not having much luck. When I try the mount I get:
mount.nfs: access denied by server while mounting .....
Upping idmapd verbosity to 9, I get the following: (here EXAMPLE.COM is our long domain name, where a user would be joebloggs@EXAMPLE.COM and AD.INT is the short domain name):
https://gist.github.com/jberanek/3c8a1a10704b6200dc1d
The only thing that doesn't quite fit from your guidance is that the FQDN used to access the Isilon is actually a load-balanced A record, where every time you look up the name you get a different IP, with a different reverse lookup...
e.g.
nfs.siteb.isilon.example.com -> 10.20.30.34 -> pool-00-04.siteb.example.com
Any ideas?
Cheers,
John