11

I've been trying to get LDAP authentication and NFS exported home directories on CentOS 6 working for a few days now. I've gotten to the point that I can now login to the client machine using the username and password in LDAP. On the client, /home and /opt are mounted in the fstab over NFS. However, every file in both /opt and /home is owned by nobody:nobody (uid: 99, gid: 99) on the client.

However my uid and gid appear to be properly set:

-bash-4.1$ id
uid=3000(myusername) gid=3000(employees) groups=3000(employees)

What else can I check? Here are some the config files on my client:

/etc/nsswitch.conf

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam

domains = default
[nss]

[pam]


[domain/default]
auth_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=mycompany,dc=com
id_provider = ldap
ldap_uri = ldaps://server.subdomain.mycompany.com
krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts

# Configure client certificate auth.
ldap_tls_cert = /etc/openldap/cacerts/client.pem
ldap_tls_key = /etc/openldap/cacerts/client.pem
ldap_tls_reqcert = demand

/etc/fstab

/dev/mapper/vg_main-lv_root /                       ext4    defaults        1 1
UUID=4e43a15d-4dc0-4836-8fa6-c3445fde756c /boot                   ext4    defaults        1 2
/dev/mapper/vg_main-lv_swap swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
storage1:/nas/home  /home  nfs   soft,intr,rsize=8192,wsize=8192
storage1:/nas/opt  /opt  nfs   soft,intr,rsize=8192,wsize=8192

authconfig output:

[root@test1 ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldaps://server.subdomain.mycompany.com"
 LDAP base DN = "dc=mycompany,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldaps://server.subdomain.mycompany.com"
 LDAP base DN = "dc=mycompany,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is enabled
pam_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
jamieb
  • 3,387
  • 4
  • 24
  • 36
  • Don't you need to connect your NAS to LDAP as well if you want it to see the same ID's than your guests? – Yanick Girouard Feb 28 '12 at 19:29
  • Yanick, thanks for the reply. My NAS unit is actually just another CentOS box running a NFS daemon. It's configured the same as my other LDAP clients and has the same "nobody" problem. – jamieb Feb 28 '12 at 20:02

6 Answers6

23

An note to add to this for google searchers - we had the same issue where no matter what we did, the nfs mount would not map the user ids correctly.

The issue was idmapd had cached the incorrect ids from the faulty configuration, and no fixing of the configuration would sort it.

The command on centos to fix this was nfsidmap -c (clear cache).

Hopefully this helps some desparate searcher..

Sam
  • 399
  • 3
  • 3
  • You made my day. Without `nfsidmap -c` any changes made to `/etc/idmapd.conf` wasn't working. – QkiZ Dec 09 '21 at 23:14
18

Solved!

I happened to notice this line in /var/log/messages on my NFS server when I was attempting to mount an export from the remote client:

Feb 28 15:54:02 storage1 rpc.idmapd[1651]: nss_getpwnam: name 'nobody' does not map into domain 'localdomain'

This caused me to look at the first few lines of /etc/idmapd.conf:

[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu

I then added Domain=subdomain.mycompany.com under the commented out "Domain" line. Saved, exited and then ran /etc/init.d/rpcidmapd restart and /etc/init.d/nfs restart.

jamieb
  • 3,387
  • 4
  • 24
  • 36
1

Is your NFS server running Centos/RHEL 5 by any chance?

If so, it is exporting NFSv3. NFSv4 is now the default for Centos6 (and recent Ubuntu variants).

The quick fix is to add "vers=3" in the mounting options in /etc/fstab .

e.g.

//10.0.0.1:/home /home nfs defaults,vers=3,rw,noatime 0 0

NcA
  • 441
  • 2
  • 8
  • Thanks for the suggestion. The LDAP server, client, and NFS server are all running CentOS 6.2. I get a permission denied error on the client when I attempt to mount it with the version 3 option. – jamieb Feb 28 '12 at 20:04
  • Are you testing this as the root user? Some useful light reading http://www.linuxtopia.org/online_books/rhel6/rhel_6_storage_admin/rhel_6_storage_s2-nfs-security-files.html . Might be worth enabling no_root_squash on the NFS server. – NcA Feb 28 '12 at 20:19
  • Solved (see answer below)! Thanks for getting me thinking more about NFS since I was looking mostly at LDAP. – jamieb Feb 28 '12 at 21:06
1

I found a blog post that might resolve your issue: http://whacked.net/2006/07/26/nfsv4nfs-mapid-nobody-domain/ which I found from the following forum post: https://www.centos.org/modules/newbb/viewtopic.php?topic_id=32977

Yanick Girouard
  • 2,295
  • 1
  • 17
  • 18
0

Everything being mapped to "nobody" sounds like all_squash is turned on.

Take a look at:

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-server-config-exports.html

and verify that the NFS server's /etc/exports file doesn't unintentionally squash the UIDs. "no_all_squash" is supposed to be default, but you can try explicitly setting it and seeing what happens.

cjc
  • 24,533
  • 2
  • 49
  • 69
  • 1
    No luck, unfortunately. But interestingly, `mount storage1:/nas/opt /mnt/test` on the standalone client still gives me the "nobody" problem, yet the same command on the NFS server works without issue. I wish I knew whether this was a NFS or SSSD/NSS problem. – jamieb Feb 28 '12 at 20:33
0

The fix for me is to make sure the DNS record exists for the local machine. Also helps if the reverse lookup record also exists. As a result, the nobody user and group was replaced by root. How simple is that?!? P.S. remember to reboot the local machine once the DNS records are created.