<div dir="ltr">Thanks Alexander,<div> </div><div>That's the confirmation I was looking for. Indeed the Synology guy admitted it was their limitation.</div><div> </div><div>I have already made a feature request for SSSD.</div><div> </div><div>I guess for now I will just get it running with sec=sys.</div><div> </div><div>Best regards, Roberto</div><div> </div></div><div class="gmail_extra"> <div class="gmail_quote">On 20 August 2015 at 11:32, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, 20 Aug 2015, Roberto Cornacchia wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I had Synology support inspect my configuration. They said that the authorization for the mapping looks for attribute "GSSAuthName" in LDAP, but doesn't find it. Therefore, they fall back to mapping it to nobody. Does this make sense to you? Is it true that GSSAuthName attribute isn't there? </blockquote> FreeIPA does not use UMich LDAP schema developed for NFS. Instead, as we store Kerberos principals in LDAP, for each Kerberos principal there is always krbPrincipalName attribute available. But on SSSD clients we instead recommend using SSSD-based identity mapping in /etc/idmap.conf (using sss module) as it is relying on SSSD caching capabilities and in general is more performance efficient. For direct use of UMich LDAP module in NFSv4 idmap you would have idmapd module to query LDAP server on each GSSAPI connection and since there is no state umich_ldap.so module, it will re-connect to LDAP every time which is highly inefficient. That's why I recommended to suggest Synology to integrate SSSD in their OS and have real benefits in improved Kerberos/AD/LDAP/FreeIPA support.<div class="HOEnZb"><div class="h5"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 13 August 2015 at 16:34, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Thu, 13 Aug 2015, Roberto Cornacchia wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> After some more investigation, I feel the problem I described can be considered off topic, sorry about that. Initially I had the impression it could have been more freeIPA-related. It is sometimes difficult to tell whether the issue would show up regardless of using freeIPA or not. Should anyone be curious, these are my findings about using a Synology disk station for NFSv4+krb5 exports in my freeIPA domain: - Still no idea why I see all those "Unspecified GSS failure" from gssproxy on the client side. Google tells me that many before me have wondered about it. Has anyone a clue? - The NFS4+krb5 mounting works, but what I ran into is the "nobody" issue. NFSv4 relies on idmapd to map users correctly, but this goes wrong, hence the "nobody" issue - One first problem is that I had not set the domain. My bad. Fixed and got one step further. in idmapd.conf: Domain = <a href="http://hq.spinque.com" rel="noreferrer" target="_blank">hq.spinque.com</a> - The second problem is that idmapd.conf in my synology says: Method=nsswitch GSS-Methods=static,synomap No idea what "synomap" would be, but I guess GSS-Methods should be more like "static,nsswitch,synomap" Indeed, everything works fine if I make static mappings for each LDAP user to a local user in Synology. But that's not how I want it. - Problem with all this is: no matter how I change these files, the next time I would save something from the Synology UI, these files would be overwritten Frustrating :( </blockquote> I would only suggest you to raise the problem with Synology support and convince them adding SSSD build and use it. SSSD has nfsidmap module 'sss' that does the right job on mapping based on what SSSD knows about Kerberos principals and user mapping for the domain. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 12 August 2015 at 13:33, Roberto Cornacchia < <a href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> wrote: </blockquote> Enabled verbose output for rpc.idmapd as well, and now I see: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> nfsidmap[5034]: nss_getpwnam: name 'test1_l@localdomain' does not map into domain '<a href="http://hq.spinque.com" rel="noreferrer" target="_blank">hq.spinque.com</a>' On 12 August 2015 at 12:28, Roberto Cornacchia < <a href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>> wrote: I have used <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> RPCGSSDARGS="-vvv" RPCSVCGSSDARGS="-vvv" in /etc/sysconfig/nfs , as suggested in <a href="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html" rel="noreferrer" target="_blank">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html</a> In the excerpt below, taken during the mount, meson is the client, spinque03 is the nfs server (synology). It still doesn't tell me much, perhaps I'm missing something? rpc.gssd[838]: handling gssd upcall (nfs/clnt19) rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 ' rpc.gssd[3328]: handling krb5 upcall (nfs/clnt19) rpc.gssd[3328]: process_krb5_upcall: service is '<null>' rpc.gssd[3328]: Full hostname for '<a href="http://spinque03.hq.spinque.com" rel="noreferrer" target="_blank">spinque03.hq.spinque.com</a>' is ' <a href="http://spinque03.hq.spinque.com" rel="noreferrer" target="_blank">spinque03.hq.spinque.com</a>' rpc.gssd[3328]: Full hostname for '<a href="http://meson.hq.spinque.com" rel="noreferrer" target="_blank">meson.hq.spinque.com</a>' is ' <a href="http://meson.hq.spinque.com" rel="noreferrer" target="_blank">meson.hq.spinque.com</a>' rpc.gssd[3328]: No key table entry found for MESON$@<a href="http://HQ.SPINQUE.COM" rel="noreferrer" target="_blank">HQ.SPINQUE.COM</a> while getting keytab entry for 'MESON$@<a href="http://HQ.SPINQUE.COM" rel="noreferrer" target="_blank">HQ.SPINQUE.COM</a>' rpc.gssd[3328]: No key table entry found for root/ <a href="mailto:meson.hq.spinque.com@HQ.SPINQUE.COM" target="_blank">meson.hq.spinque.com@HQ.SPINQUE.COM</a> while getting keytab entry for 'root/ <a href="mailto:meson.hq.spinque.com@HQ.SPINQUE.COM" target="_blank">meson.hq.spinque.com@HQ.SPINQUE.COM</a>' rpc.gssd[3328]: No key table entry found for nfs/ <a href="mailto:meson.hq.spinque.com@HQ.SPINQUE.COM" target="_blank">meson.hq.spinque.com@HQ.SPINQUE.COM</a> while getting keytab entry for 'nfs/ <a href="mailto:meson.hq.spinque.com@HQ.SPINQUE.COM" target="_blank">meson.hq.spinque.com@HQ.SPINQUE.COM</a>' rpc.gssd[3328]: Success getting keytab entry for 'host/ <a href="mailto:meson.hq.spinque.com@HQ.SPINQUE.COM" target="_blank">meson.hq.spinque.com@HQ.SPINQUE.COM</a>' rpc.gssd[3328]: Successfully obtained machine credentials for principal 'host/<a href="mailto:meson.hq.spinque.com@HQ.SPINQUE.COM" target="_blank">meson.hq.spinque.com@HQ.SPINQUE.COM</a>' stored in ccache 'FILE:/tmp/ <a href="http://krb5ccmachine_HQ.SPINQUE.COM" rel="noreferrer" target="_blank">krb5ccmachine_HQ.SPINQUE.COM</a>' rpc.gssd[3328]: INFO: Credentials in CC 'FILE:/tmp/ <a href="http://krb5ccmachine_HQ.SPINQUE.COM" rel="noreferrer" target="_blank">krb5ccmachine_HQ.SPINQUE.COM</a>' are good until 1439461246 rpc.gssd[3328]: using FILE:/tmp/<a href="http://krb5ccmachine_HQ.SPINQUE.COM" rel="noreferrer" target="_blank">krb5ccmachine_HQ.SPINQUE.COM</a> as credentials cache for machine creds rpc.gssd[3328]: using environment variable to select krb5 ccache FILE:/tmp/<a href="http://krb5ccmachine_HQ.SPINQUE.COM" rel="noreferrer" target="_blank">krb5ccmachine_HQ.SPINQUE.COM</a> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found rpc.gssd[3328]: creating tcp client for server <a href="http://spinque03.hq.spinque.com" rel="noreferrer" target="_blank">spinque03.hq.spinque.com</a> rpc.gssd[3328]: DEBUG: port already set to 2049 rpc.gssd[3328]: creating context with server <a href="mailto:nfs@spinque03.hq.spinque.com" target="_blank">nfs@spinque03.hq.spinque.com</a> rpc.gssd[3328]: DEBUG: serialize_krb5_ctx: lucid version! rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: protocol 1 rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32 rpc.gssd[3328]: doing downcall: lifetime_rec=86399 acceptor= <a href="mailto:nfs@spinque03.hq.spinque.com" target="_blank">nfs@spinque03.hq.spinque.com</a> rpc.gssd[838]: handling gssd upcall (nfs/clnt19) rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=1005 enctypes=18,17,16,23,3,1,2 ' rpc.gssd[3337]: handling krb5 upcall (nfs/clnt19) rpc.gssd[3337]: process_krb5_upcall: service is '<null>' gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found rpc.gssd[3337]: creating tcp client for server <a href="http://spinque03.hq.spinque.com" rel="noreferrer" target="_blank">spinque03.hq.spinque.com</a> rpc.gssd[3337]: DEBUG: port already set to 2049 rpc.gssd[3337]: creating context with server <a href="mailto:nfs@spinque03.hq.spinque.com" target="_blank">nfs@spinque03.hq.spinque.com</a> rpc.gssd[3337]: DEBUG: serialize_krb5_ctx: lucid version! rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: protocol 1 rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32 rpc.gssd[3337]: doing downcall: lifetime_rec=85675 acceptor= <a href="mailto:nfs@spinque03.hq.spinque.com" target="_blank">nfs@spinque03.hq.spinque.com</a> On 12 August 2015 at 02:46, Roberto Cornacchia < <a href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>> wrote: Hi, <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I am trying to use a Synology NAS station in my FreeIPA domain to host automounted home directories (not created automatically for now). I got almost everything working, but I seem to have a problem with kerberized nfs. The NAS logs in the LDAP domain and seems happy with the kerberos principal that I uploaded. * If I use plain nfs4 without krb5 - /etc/exports - /volume1/shared_homes <a href="http://192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)" rel="noreferrer" target="_blank">192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)</a> then I can mount it and use it (it even works with automount). But only using all_squash. Not useful: * If I use krb5 - /etc/exports - /volume1/shared_homes <a href="http://192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100)" rel="noreferrer" target="_blank">192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100)</a> then I can kinit with an LDAP user, mount it with sec=krb5, but I get "nobody" as file owner. This is done from a FC22 client, perfectly enrolled in freeIPA. The client's log contains several of such errors: gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found Any tip to help me understand what the problem is? Roberto </blockquote> </blockquote> </blockquote></blockquote> -- <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote> -- / Alexander Bokovoy </blockquote></blockquote> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote> -- / Alexander Bokovoy </div></div></blockquote></div> </div>