I’ve run into an interesting problem that I’ve narrowed down to the interaction between rpcidmapd and sssd. My sssd.conf is using AD as its id provider. When the setting use_fully_qualified_names = True is enabled in sssd.conf, rpcidmapd appends the domain name to user lookup requests. This results in having user lookup requests that include an extra @domain.name in them, for example:

rpc.idmapd: Server : (group) id "1002200513" -> name "user@domain.com@domain.com"

This results in users not being able to access folders that use any kind of group permissions because they are not recognized as being members. Also, if a user creates a file, it is listed as being owned by nfsnobody since the user isn’t mapped to an ID correctly.
When I adjust sssd.conf to be use_fully_qualified_names = False, the lookup request looks right:

rpc.idmapd: Server : (group) id "1002200513" -> name "user@domain.com"

However, if I then mount the nfs share from a different machine and use a domain account with a valid Kerberos ticket, I still get permission denied when trying to access files, presumably because even though rpcidmapd is displaying my name as “user@domain.com” the server is looking for the unqualified name “user”, which still fails to match.
Has anyone else experienced this? I saw there was some effort at an sssd plugin for rpcidmapd, but that doesn’t seem complete yet. Is there a viable workaround so I can get kerberized nfs mounts up?
Isaiah Houston
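The symptom described above shows up in the rpc.idmapd log as a name carrying two "@domain" suffixes, and as name-to-id translations that fall back to the nobody id. The following is an added example (not code from the thread or from sssd/nfs-utils) that parses rpc.idmapd log lines and flags both conditions, so the problem can be spotted on a server without reading the log by hand. The sample log lines are constructed, modelled on the single line quoted in the post; the line format is assumed to match nfs-utils' "Server : (user|group) id "..." -> name "..."" and "name "..." -> id "..."" messages, and the nobody id defaults to 65534 (nfsnobody).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern modelled on the rpc.idmapd message quoted in the thread (assumption:
# the same shape is used for the reverse name -> id direction).
_IDMAP_RE = re.compile(
    r'rpc\.idmapd(?:\[\d+\])?: (?P<side>Server|Client) : \((?P<kind>user|group)\) '
    r'(?P<src_field>id|name) "(?P<src>[^"]+)" -> (?P<dst_field>id|name) "(?P<dst>[^"]+)"'
)

# Constructed sample, not taken from a real system: line 1 is the thread's
# symptom, line 3 shows an already-doubled name failing to map and falling
# back to the nfsnobody id.
SAMPLE_LOG = """\
Sep 17 10:12:01 nfs1 rpc.idmapd[1234]: Server : (group) id "1002200513" -> name "user@domain.com@domain.com"
Sep 17 10:12:02 nfs1 rpc.idmapd[1234]: Server : (user) id "1002200501" -> name "alice@domain.com"
Sep 17 10:12:03 nfs1 rpc.idmapd[1234]: Server : (user) name "bob@domain.com@domain.com" -> id "65534"
Sep 17 10:12:04 nfs1 rpc.idmapd[1234]: Server : (user) name "carol@domain.com" -> id "1002200502"
"""


@dataclass(frozen=True)
class Mapping:
    side: str          # "Server" or "Client"
    kind: str          # "user" or "group"
    name: str          # the NFSv4 owner/group string
    numeric_id: int    # the uid/gid on the other side of the translation
    direction: str     # "id->name" or "name->id"


@dataclass(frozen=True)
class Finding:
    lineno: int
    issue: str         # "double_qualified" or "fell_back_to_nobody"
    mapping: Mapping


def parse_idmapd_line(line: str) -> Optional[Mapping]:
    """Return the translation recorded on one log line, or None if not an idmapd line."""
    m = _IDMAP_RE.search(line)
    if not m:
        return None
    if m["src_field"] == "id":
        return Mapping(m["side"], m["kind"], m["dst"], int(m["src"]), "id->name")
    return Mapping(m["side"], m["kind"], m["src"], int(m["dst"]), "name->id")


def is_double_qualified(name: str) -> bool:
    """True when the name carries more than one @realm suffix (user@domain.com@domain.com)."""
    return name.count("@") > 1


def audit_idmapd_log(log_text: str, nobody_ids=frozenset({65534})) -> List[Finding]:
    """Flag doubled domain suffixes and name->id lookups that fell back to the nobody id."""
    findings: List[Finding] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        mp = parse_idmapd_line(line)
        if mp is None:
            continue
        if is_double_qualified(mp.name):
            findings.append(Finding(lineno, "double_qualified", mp))
        if mp.direction == "name->id" and mp.numeric_id in nobody_ids:
            findings.append(Finding(lineno, "fell_back_to_nobody", mp))
    return findings


if __name__ == "__main__":
    for f in audit_idmapd_log(SAMPLE_LOG):
        print(f"line {f.lineno}: {f.issue}: ({f.mapping.kind}) {f.mapping.name!r} <-> {f.mapping.numeric_id}")
```

A doubled suffix means the idmapd Domain is being appended to a name that sssd already returned fully qualified; a fallback to the nobody id on a name->id lookup is the server-side counterpart, and explains files showing up as owned by nfsnobody.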
On Thu, 17 Sep 2015, Isaiah Houston wrote:
Has anyone else experienced this? I saw there was some effort at an sssd plugin for rpcidmapd, but that doesn’t seem complete yet. Is there a viable workaround so I can get kerberized nfs mounts up?
Without use_fully_qualified_names, I've had no problems with krb5 NFSv4 and sssd.
Only thing I do to deal with >16 groups is this on the server:
/etc/sysconfig/nfs: RPCMOUNTDOPTS="--manage-gids"
We're running rpc.idmapd on the server, but not on the client.
jh
Yes, you're right, it works if I set use_fully_qualified_names to false on both the client and the server. I'd really like to be able to use fully qualified names however.
Isaiah
On 9/17/15, 11:37 AM, "John Hodrien" J.H.Hodrien@leeds.ac.uk wrote:
On Thu, 17 Sep 2015, Isaiah Houston wrote:
Has anyone else experienced this? I saw there was some effort at an sssd plugin for rpcidmapd, but that doesn't seem complete yet. Is there a viable workaround so I can get kerberized nfs mounts up?
Without use_fully_qualified_names, I've had no problems with krb5 NFSv4 and sssd.
Only thing I do to deal with >16 groups is this on the server:
/etc/sysconfig/nfs: RPCMOUNTDOPTS="--manage-gids"
We're running rpc.idmapd on the server, but not on the client.
jh
Hold on, You should not have problems with >16 groups when using NFS & Krb auth, right? Only system authentication is affected by this limitation.
Ondrej
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of John Hodrien
Sent: 17 September 2015 17:38
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: Re: [SSSD-users] kerberized nfs4 with sssd id mapping
On Thu, 17 Sep 2015, Isaiah Houston wrote:
Has anyone else experienced this? I saw there was some effort at an sssd plugin for rpcidmapd, but that doesn't seem complete yet. Is there a viable workaround so I can get kerberized nfs mounts up?
Without use_fully_qualified_names, I've had no problems with krb5 NFSv4 and sssd.
Only thing I do to deal with >16 groups is this on the server:
/etc/sysconfig/nfs: RPCMOUNTDOPTS="--manage-gids"
We're running rpc.idmapd on the server, but not on the client.
jh
On Fri, 18 Sep 2015, Ondrej Valousek wrote:
Hold on, You should not have problems with >16 groups when using NFS & Krb auth, right? Only system authentication is affected by this limitation.
In our case, we had non-krb5 and krb5 on the same share, so that'll be why I had it in.
We've not dealt with the fully qualified case.
jh
I see. Ok, but still rpc.mountd is only used by NFSv3 - so the "-g" option is not going to help you with NFSv4. Sorry for shifting away a bit... O.
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of John Hodrien
Sent: 18 September 2015 10:29
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: Re: [SSSD-users] kerberized nfs4 with sssd id mapping
On Fri, 18 Sep 2015, Ondrej Valousek wrote:
Hold on, You should not have problems with >16 groups when using NFS & Krb auth, right? Only system authentication is affected by this limitation.
In our case, we had non-krb5 and krb5 on the same share, so that'll be why I had it in.
We've not dealt with the fully qualified case.
jh