Re: NFS uses wrong domain in SETATTR

[Bryan Schumaker <bjschuma@gmail.com>]

On 08/06/2013 10:53 PM, Brian De Wolf wrote:
> On Tue, 6 Aug 2013 13:07:49 -0700
> Bryan Schumaker <bjschuma@gmail.com> wrote:
> 
>> Hi Brian,
>>
>> I'm sorry it took so long to reply to you, but you haven't been
>> forgotten!  I've set up kerberos using freeipa on my own test system
>> but I haven't been able to reproduce the bug you're seeing.  I had it
>> working by using my kerberos domain set in /etc/idmap.conf and I saw
>> the new domain go over the wire when I changed it in idmap.conf.  Do
>> I need to do anything more to mimic your setup?
>>
> 
> Thanks for responding!  It seems like DNS might be where the wrong
> kerberos domain is coming from.  Is your test client in the same domain
> as your kerberos realm?  My clients aren't, and the subdomain they're
> in is what is sent in the NFS requests.
> 
> I was able to test this by preferring files for hosts in nsswitch.conf
> and overriding the host's name in /etc/hosts.  Normally the host is
> under unx.csupomona.edu.  Moving the host to csupomona.edu in hosts
> (and rebooting) causes chgrp to start working.  When I revert the
> nsswitch and hosts changes chgrp keeps working until another reboot.
> 
> I hope this helps you reproduce this issue.  Let me know if there is
> any other information you need.
> 

Have you made sure to reboot or restart idmapd after making changes to /etc/idmap.conf?  The only time I've been able to reproduce this is when the config file has been changed but not reloaded.

Bryan