[29791] in Kerberos
Unable to map local user
daemon@ATHENA.MIT.EDU (Bonacum, Ernie)
Mon May 5 19:09:39 2008
Date: Mon, 5 May 2008 16:08:18 -0700
Message-ID: <164D0ACCBE2F464FAD73C5F29D7A594102DBAAF2@exchange15.Utility.pge.com>
From: "Bonacum, Ernie" <ETB2@PGE.COM>
To: <kerberos@mit.edu>
I could use some help trying to figure out the next steps to figure out
what is going wrong with a Kerberos/NFS initial installation on an AIX
5.3 system. I've followed several guides and I think everything checks
out, but it obviously does not work.
On the NFS server (foodev01) /tmp/syslog.out file, I am getting the
error:
May 5 14:52:17 foodev01 user:debug syslog: nfsrgyd: Unable to map local user (foouser) to a foreign user
May 5 14:52:17 foodev01 user:debug syslog: nfsrgyd: Unable to map local group (foouser) to a foreign group
In the Securing NFS for AIX guide, this error shows up and they have you
change the NFS domain mapping. I've tried a number of variations of this
and none seem to work.
On the NFS server, chnfsrtd returns:
root@foodev01:/etc/krb5=# chnfsrtd
realm.dev.foo.com dev.foo.com
I've also tried it with "realm.dev.foo.com foo.com" and
"realm.dev.foo.com comp.foo.com"
On the NFS server, chnfsdom returns:
root@foodev01:/etc/krb5=# chnfsdom
Current local domain: dev.foo.com
My /etc/hosts is:
127.0.0.1 loopback localhost # loopback (lo0) name/address
10.244.111.50 fookdcdev01.comp.foo.com fookdcdev01 # KDC
10.244.111.51 foodev01.comp.foo.com foodev01 # NFS Server
10.244.111.52 footst02.comp.foo.com footst02 # NFS Client
On the NFS Client (footst02) I get:
root@footst02:/home/root=# chnfsrtd
realm.dev.foo.com dev.foo.com
root@footst02:/home/root=# chnfsdom
Current local domain: dev.foo.com
Each time I've made a change to the NFS info on the server and the
client, I've stopped all the NFS daemons, done an nfsrgyd -f (to flush the
cache) and then restarted the daemons.
On the KDC server, I can list the principals:
kadmin: listprincs
K/M@REALM.DEV.FOO.COM
admin/admin@REALM.DEV.FOO.COM
host/wllogdev03.comp.foo.com@REALM.DEV.FOO.COM
host/footst02.comp.foo.com@REALM.DEV.FOO.COM
kadmin/admin@REALM.DEV.FOO.COM
kadmin/changepw@REALM.DEV.FOO.COM
kadmin/history@REALM.DEV.FOO.COM
krbtgt/REALM.DEV.FOO.COM@REALM.DEV.FOO.COM
nfs/foodev01.comp.foo.com@REALM.DEV.FOO.COM
nfs/footst02.comp.foo.com@REALM.DEV.FOO.COM
root/foodev01.comp.foo.com@REALM.DEV.FOO.COM
root/footst02.comp.foo.com@REALM.DEV.FOO.COM
foouser@REALM.DEV.FOO.COM
fookrb5@REALM.DEV.FOO.COM
I check the tickets and can successfully renew tickets for root and
foouser on the NFS server and the client. The NFS filesystems are
exported and mount without any errors.
So what can be done to analyze this and track down the source of the
error?
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos