<div dir="ltr"><div class="markdown-here-wrapper" style><p style="margin:1.2em 0px!important">I’m trying to get a client to respect an NFS4 ACL for a directory. I’ve got users in FreeIPA that match a subset of users in AD. The NFS server is a FreeBSD box that I’ve got config’ed to use FreeIPA as an LDAP service in nsswitch for providing uids. I use setfacl there with just the uid. The FreeIPA client with the NFS mount (not kerberized) is an Ubuntu 14.04 bound to a FreeIPA 3.0 server (running on CentOS 6.5). I’ve got the FreeIPA 3.0 server configured with a trust with an AD domain. My krb5.conf has <code>dns_lookup_kdc = true</code> and <code>auth_to_local = RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/</code> and my sssd.conf has the standard <code>subdomains_provider = ipa</code> and <code>services = ..., pac</code> along with a <code>full_name_format = %1$s</code> to strip the realm name off when displaying the username. From what I understand about NFS ACLs, they should respect the uid reported, which matches, and ignore uidnumbers (which don’t match). From the FreeIPA client I can authenticate as an AD user, but I still don’t have access to the NFS directory with ACLs that should allow me to read. When I do a <code>getfacl</code> on the NFS server I get just the uid, but when I do <code>nfs4_getfacl</code> on the FreeIPA/NFS client I get uid@ipa.realm (and no access to the directory).</p>


<p style="margin:1.2em 0px!important">Am I missing something?</p>
<p style="margin:1.2em 0px!important">Best!</p>
<p style="margin:1.2em 0px!important">===================================</p>
<p style="margin:1.2em 0px!important">Daniel Shown,<br>Linux Systems Administrator<br>Advanced Technology Group<br><a href="http://www.slu.edu/its">Information Technology Services</a><br>at <a href="http://www.slu.edu/">Saint Louis University</a>.</p>


<p style="margin:1.2em 0px!important">314-977-2583</p>
<p style="margin:1.2em 0px!important">===================================</p>
<p style="margin:1.2em 0px!important">“The aim of education<br>is the knowledge,<br>not of facts,<br>but of values.”<br>— William S. Burroughs</p>
<p style="margin:1.2em 0px!important">“I’m supposed to be<br>a scientific person<br>but I use intuition<br>more than logic<br>in making basic<br>decisions.”<br>— Seymour R. Cray</p>


</div></div>
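As an added example (not from the post or from any of the projects it names), a small Python interpreter for the krb5 auth_to_local RULE syntax, assuming MIT krb5 semantics, which shows what the rule quoted above does to a Kerberos principal: it only lowercases the AD.DOMAIN realm, never strips it, and leaves principals from other realms or with more than one component unmapped. AD.DOMAIN is the poster's placeholder realm; the sample principals are constructed.

```python
import re

# Grammar of the MIT krb5 auth_to_local RULE form handled here (an assumption,
# not something the original post spells out):
#   RULE:[n:format](selector)s/pattern/replacement/[g] ...
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"        # component count and $-format string
    r"(?:\(([^)]*)\))?"               # optional selector regex
    r"((?:s/[^/]*/[^/]*/g?)*)"        # zero or more sed-style substitutions
)

# The rule quoted in the post; AD.DOMAIN is the poster's placeholder realm.
POST_RULE = "RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/"


def apply_rule(rule, principal):
    """Return the local name `rule` maps `principal` to, or None if the rule
    does not apply (wrong component count or selector does not match)."""
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported RULE syntax: %s" % rule)
    if "@" not in principal:
        raise ValueError("principal has no realm: %s" % principal)
    ncomp, fmt, selector, seds = m.groups()
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    if len(components) != int(ncomp):
        return None
    # $0 is the realm, $1..$n are the principal components.
    s = fmt.replace("$0", realm)
    for i, comp in enumerate(components, 1):
        s = s.replace("$%d" % i, comp)
    if selector and not re.search(selector, s):
        return None
    # Apply each s/pattern/replacement/[g] in order; without g only the first hit.
    for pat, rep, glob in re.findall(r"s/([^/]*)/([^/]*)/(g?)", seds):
        s = re.sub(pat, rep, s, count=0 if glob else 1)
    return s


if __name__ == "__main__":
    # Constructed sample principals, not taken from the post.
    for p in ("jdoe@AD.DOMAIN", "jdoe@IPA.REALM", "host/nfs.example@AD.DOMAIN"):
        print("%-30s -> %s" % (p, apply_rule(POST_RULE, p)))
```

Removing the realm from the displayed user name is a separate step done by sssd's full_name_format, which is why the mapped name here still carries @ad.domain.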