[Freeipa-users] mapping AD trust users to FreeIPA users for access to NFS w/ ACLs

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 11 18:51:13 UTC 2014


On Mon, 11 Aug 2014, Daniel Shown wrote:
>I’m trying to get a client to respect an NFS4 ACL for a directory. I’ve got
>users in FreeIPA that match a subset of users in AD. The NFS server is a
>FreeBSD box that I’ve got config’ed to use FreeIPA as an LDAP service in
>nsswitch for providing uids. I use setfacl there with just the uid. The
>FreeIPA client with the NFS mount (not kerberized) is an Ubuntu 14.04 bound
>to a FreeIPA 3.0 server (running on CentOS 6.5). I’ve got the FreeIPA 3.0
>server configured with a trust with an AD domain. My krb5.conf has
>dns_lookup_kdc = true and
>auth_to_local = RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/
>and my sssd.conf has the standard subdomains_provider = ipa and
>services = ..., pac along with a full_name_format = %1$s to strip the realm
>name off when displaying the username. From what I understand about NFS
>ACLs, they should respect the uid reported, which matches, and ignore
>uidnumbers (which don’t match). From the FreeIPA client I can authenticate
>as an AD user, but I still don’t have access to the NFS directory with ACLs
>that should allow me to read. When I do a getfacl on the NFS server I get
>just the uid, but when I do nfs4_getfacl on the FreeIPA/NFS client I get
>uid@ipa.realm (and no access to the directory).
>
>Am I missing something?
There is a bug in NFS ID mapping code that prevents this use case from
working. It should be fixed in recent libnfsidmap releases but I'm not
sure it is already available in CentOS 6.5.
-- 
/ Alexander Bokovoy
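To see what the auth_to_local rule quoted in the question actually does to an AD principal, here is an added Python evaluator for krb5 RULE-style mappings (example code written for this page, not part of the thread or of MIT krb5). It handles only the single `[n:string](regex)s/pattern/replacement/` form used in the post, and the principals it is run on are constructed.

```python
import re
from typing import Optional

# The auth_to_local rule from the post, with its placeholder realm names
# left exactly as written there.
RULE = "RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/"

# RULE:[<ncomp>:<format>](<selector>)s/<pattern>/<replacement>/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def apply_auth_to_local_rule(rule: str, principal: str) -> Optional[str]:
    """Evaluate one krb5 auth_to_local RULE against a Kerberos principal.

    Returns the local name the rule produces, or None when the rule does
    not apply (wrong number of principal components, or the selector
    regex does not match). As in MIT krb5, the selector must match the
    whole formatted string, not just a substring of it.
    """
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    ncomp, fmt, selector, pattern, repl, gflag = m.groups()

    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError(f"principal has no realm: {principal}")
    comps = name.split("/")          # e.g. ["host", "nfs.example"] or ["dshown"]
    if len(comps) != int(ncomp):     # [1:...] only applies to 1-component names
        return None

    # $0 is the realm, $1..$n are the principal components.
    def expand(var: re.Match) -> str:
        idx = int(var.group(1))
        return realm if idx == 0 else comps[idx - 1]

    formatted = re.sub(r"\$(\d+)", expand, fmt)
    if not re.fullmatch(selector, formatted):
        return None
    # s/pattern/replacement/ replaces the first match; a trailing g means all.
    return re.sub(pattern, repl, formatted, count=0 if gflag else 1)


if __name__ == "__main__":
    # Constructed principals: an AD user, an AD service, and an IPA user.
    for p in ("dshown@AD.DOMAIN", "host/nfs.ad.domain@AD.DOMAIN", "alice@IPA.REALM"):
        print(f"{p:35} -> {apply_auth_to_local_rule(RULE, p)}")
```

Only the one-component AD principal is rewritten to the lowercase `user@ad.domain` form that sssd's `full_name_format = %1$s` then displays without the realm; service principals and IPA-realm users fall through the rule unchanged.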