Unable to map local user

Bonacum, Ernie ETB2 at PGE.COM
Mon May 5 19:08:18 EDT 2008


I could use some help trying to figure out the next steps to figure out
what is going wrong with a Kerberos/NFS initial installation on an AIX
5.3 system. I've followed several guides and I think everything checks
out, but it obviously does not work.

On the NFS server (foodev01) /tmp/syslog.out file, I am getting the
error:
May  5 14:52:17 foodev01 user:debug syslog: nfsrgyd: Unable to map local user (foouser) to a foreign user
May  5 14:52:17 foodev01 user:debug syslog: nfsrgyd: Unable to map local group (foouser) to a foreign group

In the Securing NFS for AIX guide, this error shows up and they have you
change the NFS domain mapping. I've tried a number of variations of this
and none seem to work.

On the NFS server, chnfsrtd returns:
root@foodev01:/etc/krb5=# chnfsrtd
realm.dev.foo.com dev.foo.com

I've also tried it with "realm.dev.foo.com foo.com" and
"realm.dev.foo.com comp.foo.com"

On the NFS server, chnfsdom returns:
root@foodev01:/etc/krb5=# chnfsdom
Current local domain: dev.foo.com

My /etc/hosts is:
127.0.0.1               loopback localhost      # loopback (lo0) name/address
10.244.111.50  fookdcdev01.comp.foo.com fookdcdev01	# KDC
10.244.111.51  foodev01.comp.foo.com foodev01		# NFS Server
10.244.111.52  footst02.comp.foo.com footst02		# NFS Client

On the NFS Client (footst02) I get:
root@footst02:/home/root=# chnfsrtd
realm.dev.foo.com dev.foo.com
root@footst02:/home/root=# chnfsdom
Current local domain: dev.foo.com

Each time I've made a change to the NFS info on the server and the
client, I've stopped all the NFS daemons, done an nfsrgyd -f (to flush the
cache) and then restarted the daemons.

On the KDC server, I can list the principals:
kadmin:  listprincs
K/M@REALM.DEV.FOO.COM
admin/admin@REALM.DEV.FOO.COM
host/wllogdev03.comp.foo.com@REALM.DEV.FOO.COM
host/footst02.comp.foo.com@REALM.DEV.FOO.COM
kadmin/admin@REALM.DEV.FOO.COM
kadmin/changepw@REALM.DEV.FOO.COM
kadmin/history@REALM.DEV.FOO.COM
krbtgt/REALM.DEV.FOO.COM@REALM.DEV.FOO.COM
nfs/foodev01.comp.foo.com@REALM.DEV.FOO.COM
nfs/footst02.comp.foo.com@REALM.DEV.FOO.COM
root/foodev01.comp.foo.com@REALM.DEV.FOO.COM
root/footst02.comp.foo.com@REALM.DEV.FOO.COM
foouser@REALM.DEV.FOO.COM
fookrb5@REALM.DEV.FOO.COM

I check the tickets and can successfully renew tickets for root and
foouser on the NFS server and the client. The NFS filesystems are
exported and mount without any errors. 

So what can be done to analyze this and track down the source of the
error?




