NFSv4 + SSSD + Active Directory: 'nobody' permissions when ldap_id_mapping disablednfs4 rpc.idmapd not working on one machineUbuntu 12.04, Windows 2012 Active Directory Integration, Kerberos won't resolve service principalsHow do i get centos 7 to use uids and gids from active directory?Linux AD integration, unable to login when using Windows Server 2012 DCLDAP + KERBEROS + NFS. Why do I need idmapd?Set up Samba with Active Directory and local user authenticationApache userdir over Kerberized NFSv4 mount : Forbidden accessSSSD AD synchronization fails after Active Directory UPN changeSSSD AD Integration - Clarification on Computer to join ADDebian 9 Joined to Active Directory
What is the purpose of building foundations?
Incremental Ranges!
Explain Ant-Man's "not it" scene from Avengers: Endgame
Shrink exponential fraction argument
How certain is a caster of when their spell will end?
Count down from 0 to 5 seconds and repeat
How to pass a regex when finding a directory path in bash?
Do manufacturers try make their components as close to ideal ones as possible?
Riley's, assemble!
What are they doing to this poor rocket?
Could the Missouri River be running while Lake Michigan was frozen several meters deep?
What do we gain with higher order logics?
Diet Coke or water?
Comma Code - Ch. 4 Automate the Boring Stuff
Accidentally cashed a check twice
Who operates delivery flights for commercial airlines?
What is the right way to float a home lab?
Is it legal in the UK for politicians to lie to the public for political gain?
How to make a setting relevant?
If Boris Johnson were prosecuted and convicted of lying about Brexit, can that be used to cancel Brexit?
Pros and cons of writing a book review?
Secure offsite backup, even in the case of hacker root access
Convert camelCase and PascalCase to Title Case
Accidentally renamed tar.gz file to a non tar.gz file, will my file be messed up
NFSv4 + SSSD + Active Directory: 'nobody' permissions when ldap_id_mapping disabled
nfs4 rpc.idmapd not working on one machineUbuntu 12.04, Windows 2012 Active Directory Integration, Kerberos won't resolve service principalsHow do i get centos 7 to use uids and gids from active directory?Linux AD integration, unable to login when using Windows Server 2012 DCLDAP + KERBEROS + NFS. Why do I need idmapd?Set up Samba with Active Directory and local user authenticationApache userdir over Kerberized NFSv4 mount : Forbidden accessSSSD AD synchronization fails after Active Directory UPN changeSSSD AD Integration - Clarification on Computer to join ADDebian 9 Joined to Active Directory
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I'm attempting to configure NFSv4 with KRB5 authentication in accordance with RedHat's current recommendations, using SSSD to access Active Directory. The NFS server in this case is a NAS appliance, which handles user mapping between user@domain accounts and UIDs/GIDs pulled from AD/LDS. I've disabled the ID mapping in SSSD, as the NAS doesn't have the same hash+modulus method available to calculate "homemade" IDs.
In its current state, the NAS recognizes the user and group ownership for file permissions, and enforces them as expected. However, ls output from the client displays nobody nobody on any files/folders owned by a domain user.
[root@nfsclient ~]# ls -al /mnt/nfs4test/
total 0
drwxr-xr-x. 1 nobody nobody 0 Jul 17 10:46 .
drwxr-xr-x. 3 root root 22 Jul 17 10:47 ..
With logging verbosity maxed for idmapd and sssd, the only event I've seen indicating any issue is:Jul 17 11:48:23 nfsclient nfsidmap[10601]: nss_getpwnam: name 'nfsadmin' not found in domain 'testdomain.local'
I've also confirmed via packet capture that the expected user/group name strings are being returned for owner and group (not IDs) in the lookup reply:
fattr4_owner: nfsadmin@testdomain.local
fattr4_owner_group: Domain Admins@testdomain.local
Environment consists of a 2012R2 DC, CentOS 7.3 client, and a vendor-proprietary (CentOS-based) NAS appliance acting as the server. Aside from installing requisite packages and IP / NTP configuration, these are my configuration steps on the client:
- Add
Domain = testdomain.localto /etc/idmapd.conf - Join AD domain with
realm join testdomain.local -U nfsadmin - Allow SSH access from all domain users (realm allow)
- Set
ldap_id_mapping = Falsein /etc/sssd/sssd.conf - Enable/start/restart sssd.service rpcgssd rpcidmapd and nfs-secure
- Mount export with
sec=systo change ownership over to domain user - Re-mount with sec=krb5
Whether using sec=sys or sec=krb5, root or a domain account, ls output is the same.
The only applicable solutions I've found in my searching have pointed to the need for creating local accounts for the users, but it seems like this would defeat the purpose of AD integration. I'd expect it to be possible to create a new AD user, add them to proper groups for access permissions, set UID/GID, then that user should be able to access files on the export once they've SSH'd to the client machine.
The client configuration is purely pulling data from Active Directory (only the server/NAS utilizes AD/LDS). UIDs/GIDs in active directory were manually populated via PowerShell (e.g. Get-ADUser "nfsadmin" | Set-AdUser -replace @uidNumber=10001 - trying to make this 2016 compatible and avoid using adminui/nis or the UNIX Attributes tab, even though I'm testing on 2012R2 at the moment)
How can I get NSS / nfsidmap to properly translate domain user/group names returned by the server?
I'd strongly prefer something that doesn't involve manual local account creation for each individual user so scaling to thousands of users doesn't become a huge pain. Also, forcing the server (NAS appliance in this instance) to return IDs instead of names is not possible.
active-directory ldap kerberos nfs4
asked Jul 17 '17 at 18:48
JimNimJimNim
2,516823
add a comment |
I'm attempting to configure NFSv4 with KRB5 authentication in accordance with RedHat's current recommendations, using SSSD to access Active Directory. The NFS server in this case is a NAS appliance, which handles user mapping between user@domain accounts and UIDs/GIDs pulled from AD/LDS. I've disabled the ID mapping in SSSD, as the NAS doesn't have the same hash+modulus method available to calculate "homemade" IDs.
In its current state, the NAS recognizes the user and group ownership for file permissions, and enforces them as expected. However, ls output from the client displays nobody nobody on any files/folders owned by a domain user.
[root@nfsclient ~]# ls -al /mnt/nfs4test/
total 0
drwxr-xr-x. 1 nobody nobody 0 Jul 17 10:46 .
drwxr-xr-x. 3 root root 22 Jul 17 10:47 ..
With logging verbosity maxed for idmapd and sssd, the only event I've seen indicating any issue is:Jul 17 11:48:23 nfsclient nfsidmap[10601]: nss_getpwnam: name 'nfsadmin' not found in domain 'testdomain.local'
I've also confirmed via packet capture that the expected user/group name strings are being returned for owner and group (not IDs) in the lookup reply:
fattr4_owner: nfsadmin@testdomain.local
fattr4_owner_group: Domain Admins@testdomain.local
Environment consists of a 2012R2 DC, CentOS 7.3 client, and a vendor-proprietary (CentOS-based) NAS appliance acting as the server. Aside from installing requisite packages and IP / NTP configuration, these are my configuration steps on the client:
- Add
Domain = testdomain.localto /etc/idmapd.conf - Join AD domain with
realm join testdomain.local -U nfsadmin - Allow SSH access from all domain users (realm allow)
- Set
ldap_id_mapping = Falsein /etc/sssd/sssd.conf - Enable/start/restart sssd.service rpcgssd rpcidmapd and nfs-secure
- Mount export with
sec=systo change ownership over to domain user - Re-mount with sec=krb5
Whether using sec=sys or sec=krb5, root or a domain account, ls output is the same.
The only applicable solutions I've found in my searching have pointed to the need for creating local accounts for the users, but it seems like this would defeat the purpose of AD integration. I'd expect it to be possible to create a new AD user, add them to proper groups for access permissions, set UID/GID, then that user should be able to access files on the export once they've SSH'd to the client machine.
The client configuration is purely pulling data from Active Directory (only the server/NAS utilizes AD/LDS). UIDs/GIDs in active directory were manually populated via PowerShell (e.g. Get-ADUser "nfsadmin" | Set-AdUser -replace @uidNumber=10001 - trying to make this 2016 compatible and avoid using adminui/nis or the UNIX Attributes tab, even though I'm testing on 2012R2 at the moment)
How can I get NSS / nfsidmap to properly translate domain user/group names returned by the server?
I'd strongly prefer something that doesn't involve manual local account creation for each individual user so scaling to thousands of users doesn't become a huge pain. Also, forcing the server (NAS appliance in this instance) to return IDs instead of names is not possible.
active-directory ldap kerberos nfs4
asked Jul 17 '17 at 18:48
JimNimJimNim
2,516823
add a comment |
I'm attempting to configure NFSv4 with KRB5 authentication in accordance with RedHat's current recommendations, using SSSD to access Active Directory. The NFS server in this case is a NAS appliance, which handles user mapping between user@domain accounts and UIDs/GIDs pulled from AD/LDS. I've disabled the ID mapping in SSSD, as the NAS doesn't have the same hash+modulus method available to calculate "homemade" IDs.
In its current state, the NAS recognizes the user and group ownership for file permissions, and enforces them as expected. However, ls output from the client displays nobody nobody on any files/folders owned by a domain user.
[root@nfsclient ~]# ls -al /mnt/nfs4test/
total 0
drwxr-xr-x. 1 nobody nobody 0 Jul 17 10:46 .
drwxr-xr-x. 3 root root 22 Jul 17 10:47 ..
With logging verbosity maxed for idmapd and sssd, the only event I've seen indicating any issue is:Jul 17 11:48:23 nfsclient nfsidmap[10601]: nss_getpwnam: name 'nfsadmin' not found in domain 'testdomain.local'
I've also confirmed via packet capture that the expected user/group name strings are being returned for owner and group (not IDs) in the lookup reply:
fattr4_owner: nfsadmin@testdomain.local
fattr4_owner_group: Domain Admins@testdomain.local
Environment consists of a 2012R2 DC, CentOS 7.3 client, and a vendor-proprietary (CentOS-based) NAS appliance acting as the server. Aside from installing requisite packages and IP / NTP configuration, these are my configuration steps on the client:
- Add
Domain = testdomain.localto /etc/idmapd.conf - Join AD domain with
realm join testdomain.local -U nfsadmin - Allow SSH access from all domain users (realm allow)
- Set
ldap_id_mapping = Falsein /etc/sssd/sssd.conf - Enable/start/restart sssd.service rpcgssd rpcidmapd and nfs-secure
- Mount export with
sec=systo change ownership over to domain user - Re-mount with sec=krb5
Whether using sec=sys or sec=krb5, root or a domain account, ls output is the same.
The only applicable solutions I've found in my searching have pointed to the need for creating local accounts for the users, but it seems like this would defeat the purpose of AD integration. I'd expect it to be possible to create a new AD user, add them to proper groups for access permissions, set UID/GID, then that user should be able to access files on the export once they've SSH'd to the client machine.
The client configuration is purely pulling data from Active Directory (only the server/NAS utilizes AD/LDS). UIDs/GIDs in active directory were manually populated via PowerShell (e.g. Get-ADUser "nfsadmin" | Set-AdUser -replace @uidNumber=10001 - trying to make this 2016 compatible and avoid using adminui/nis or the UNIX Attributes tab, even though I'm testing on 2012R2 at the moment)
How can I get NSS / nfsidmap to properly translate domain user/group names returned by the server?
I'd strongly prefer something that doesn't involve manual local account creation for each individual user so scaling to thousands of users doesn't become a huge pain. Also, forcing the server (NAS appliance in this instance) to return IDs instead of names is not possible.
active-directory ldap kerberos nfs4
asked Jul 17 '17 at 18:48
JimNimJimNim
2,516823
I'm attempting to configure NFSv4 with KRB5 authentication in accordance with RedHat's current recommendations, using SSSD to access Active Directory. The NFS server in this case is a NAS appliance, which handles user mapping between user@domain accounts and UIDs/GIDs pulled from AD/LDS. I've disabled the ID mapping in SSSD, as the NAS doesn't have the same hash+modulus method available to calculate "homemade" IDs.
In its current state, the NAS recognizes the user and group ownership for file permissions, and enforces them as expected. However, ls output from the client displays nobody nobody on any files/folders owned by a domain user.
[root@nfsclient ~]# ls -al /mnt/nfs4test/
total 0
drwxr-xr-x. 1 nobody nobody 0 Jul 17 10:46 .
drwxr-xr-x. 3 root root 22 Jul 17 10:47 ..
With logging verbosity maxed for idmapd and sssd, the only event I've seen indicating any issue is:Jul 17 11:48:23 nfsclient nfsidmap[10601]: nss_getpwnam: name 'nfsadmin' not found in domain 'testdomain.local'
I've also confirmed via packet capture that the expected user/group name strings are being returned for owner and group (not IDs) in the lookup reply:
fattr4_owner: nfsadmin@testdomain.local
fattr4_owner_group: Domain Admins@testdomain.local
Environment consists of a 2012R2 DC, CentOS 7.3 client, and a vendor-proprietary (CentOS-based) NAS appliance acting as the server. Aside from installing requisite packages and IP / NTP configuration, these are my configuration steps on the client:
- Add
Domain = testdomain.localto /etc/idmapd.conf - Join AD domain with
realm join testdomain.local -U nfsadmin - Allow SSH access from all domain users (realm allow)
- Set
ldap_id_mapping = Falsein /etc/sssd/sssd.conf - Enable/start/restart sssd.service rpcgssd rpcidmapd and nfs-secure
- Mount export with
sec=systo change ownership over to domain user - Re-mount with sec=krb5
Whether using sec=sys or sec=krb5, root or a domain account, ls output is the same.
The only applicable solutions I've found in my searching have pointed to the need for creating local accounts for the users, but it seems like this would defeat the purpose of AD integration. I'd expect it to be possible to create a new AD user, add them to proper groups for access permissions, set UID/GID, then that user should be able to access files on the export once they've SSH'd to the client machine.
The client configuration is purely pulling data from Active Directory (only the server/NAS utilizes AD/LDS). UIDs/GIDs in active directory were manually populated via PowerShell (e.g. Get-ADUser "nfsadmin" | Set-AdUser -replace @uidNumber=10001 - trying to make this 2016 compatible and avoid using adminui/nis or the UNIX Attributes tab, even though I'm testing on 2012R2 at the moment)
How can I get NSS / nfsidmap to properly translate domain user/group names returned by the server?
I'd strongly prefer something that doesn't involve manual local account creation for each individual user so scaling to thousands of users doesn't become a huge pain. Also, forcing the server (NAS appliance in this instance) to return IDs instead of names is not possible.
active-directory ldap kerberos nfs4
active-directory ldap kerberos nfs4
asked Jul 17 '17 at 18:48
JimNimJimNim
2,516823
asked Jul 17 '17 at 18:48
JimNimJimNim
2,516823
edited Jul 18 '17 at 16:43
JimNim
asked Jul 17 '17 at 18:48
JimNimJimNim
2,516823
asked Jul 17 '17 at 18:48
JimNimJimNim
2,516823
asked Jul 17 '17 at 18:48
JimNimJimNim
2,516823
2,516823
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
idmapd was utilizing nsswitch as a default in this case, but the AD integration methods detailed in the document referenced above have no reference to any idmapd.conf modifications.
Comments in idmapd.conf state "Distributed methods include nsswitch, umich_ldap, and static." This isn't a comprehensive list of plugins however, and system security services (sss) should be used in this case.
/etc/idmapd.conf:
[General]
Domain = testdomain.local
[Translation]
Method = sss
This became apparent to me when I realized that sss was handling mapping perfectly when ldap_id_mapping was still enabled (but causing server-side mapping issues w/ the NAS appliance), and the "could not be found in domain" error was being reported by nss_getpwnam.
I'm still not clear on why NSS couldn't get the job done when sss is one of the listed db's for passwd and group in nsswitch.conf, but the above change gets the job done.
answered Jul 17 '17 at 21:22
JimNimJimNim
2,516823
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f862620%2fnfsv4-sssd-active-directory-nobody-permissions-when-ldap-id-mapping-disab%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
idmapd was utilizing nsswitch as a default in this case, but the AD integration methods detailed in the document referenced above have no reference to any idmapd.conf modifications.
Comments in idmapd.conf state "Distributed methods include nsswitch, umich_ldap, and static." This isn't a comprehensive list of plugins however, and system security services (sss) should be used in this case.
/etc/idmapd.conf:
[General]
Domain = testdomain.local
[Translation]
Method = sss
This became apparent to me when I realized that sss was handling mapping perfectly when ldap_id_mapping was still enabled (but causing server-side mapping issues w/ the NAS appliance), and the "could not be found in domain" error was being reported by nss_getpwnam.
I'm still not clear on why NSS couldn't get the job done when sss is one of the listed db's for passwd and group in nsswitch.conf, but the above change gets the job done.
answered Jul 17 '17 at 21:22
JimNimJimNim
2,516823
add a comment |
idmapd was utilizing nsswitch as a default in this case, but the AD integration methods detailed in the document referenced above have no reference to any idmapd.conf modifications.
Comments in idmapd.conf state "Distributed methods include nsswitch, umich_ldap, and static." This isn't a comprehensive list of plugins however, and system security services (sss) should be used in this case.
/etc/idmapd.conf:
[General]
Domain = testdomain.local
[Translation]
Method = sss
This became apparent to me when I realized that sss was handling mapping perfectly when ldap_id_mapping was still enabled (but causing server-side mapping issues w/ the NAS appliance), and the "could not be found in domain" error was being reported by nss_getpwnam.
I'm still not clear on why NSS couldn't get the job done when sss is one of the listed db's for passwd and group in nsswitch.conf, but the above change gets the job done.
answered Jul 17 '17 at 21:22
JimNimJimNim
2,516823
add a comment |
idmapd was utilizing nsswitch as a default in this case, but the AD integration methods detailed in the document referenced above have no reference to any idmapd.conf modifications.
Comments in idmapd.conf state "Distributed methods include nsswitch, umich_ldap, and static." This isn't a comprehensive list of plugins however, and system security services (sss) should be used in this case.
/etc/idmapd.conf:
[General]
Domain = testdomain.local
[Translation]
Method = sss
This became apparent to me when I realized that sss was handling mapping perfectly when ldap_id_mapping was still enabled (but causing server-side mapping issues w/ the NAS appliance), and the "could not be found in domain" error was being reported by nss_getpwnam.
I'm still not clear on why NSS couldn't get the job done when sss is one of the listed db's for passwd and group in nsswitch.conf, but the above change gets the job done.
answered Jul 17 '17 at 21:22
JimNimJimNim
2,516823
idmapd was utilizing nsswitch as a default in this case, but the AD integration methods detailed in the document referenced above have no reference to any idmapd.conf modifications.
Comments in idmapd.conf state "Distributed methods include nsswitch, umich_ldap, and static." This isn't a comprehensive list of plugins however, and system security services (sss) should be used in this case.
/etc/idmapd.conf:
[General]
Domain = testdomain.local
[Translation]
Method = sss
This became apparent to me when I realized that sss was handling mapping perfectly when ldap_id_mapping was still enabled (but causing server-side mapping issues w/ the NAS appliance), and the "could not be found in domain" error was being reported by nss_getpwnam.
I'm still not clear on why NSS couldn't get the job done when sss is one of the listed db's for passwd and group in nsswitch.conf, but the above change gets the job done.
answered Jul 17 '17 at 21:22
JimNimJimNim
2,516823
answered Jul 17 '17 at 21:22
JimNimJimNim
2,516823
answered Jul 17 '17 at 21:22
JimNimJimNim
2,516823
answered Jul 17 '17 at 21:22
JimNimJimNim
2,516823
2,516823
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f862620%2fnfsv4-sssd-active-directory-nobody-permissions-when-ldap-id-mapping-disab%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
