[Freeipa-users] mapping AD trust users to FreeIPA users for access to NFS w/ ACLs

Daniel Shown shownde at slu.edu
Mon Aug 11 18:54:39 UTC 2014


grumble grumble.

Do you know a bug ID or something similar I can search on? FWIW, the FreeIPA
server is CentOS 6.5, but the client is Ubuntu 14. Hopefully that makes a
fix easier. :/

d:s

===================================
*Daniel Shown,*
Linux Systems Administrator
Advanced Technology Group
Information Technology Services <http://www.slu.edu/its>
at Saint Louis University <http://www.slu.edu/>.

314-977-2583
===================================

"The aim of education
is the knowledge,
not of facts,
but of values."
— William S. Burroughs

"I’m supposed to be
a scientific person
but  I use intuition
more than logic
in making basic
decisions."
— Seymour R. Cray




On Mon, Aug 11, 2014 at 1:51 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Mon, 11 Aug 2014, Daniel Shown wrote:
>
>> I’m trying to get a client to respect an NFS4 ACL for a directory. I’ve
>> got users in FreeIPA that match a subset of users in AD. The NFS server
>> is a FreeBSD box that I’ve got config’ed to use FreeIPA as an LDAP
>> service in nsswitch for providing uids. I use setfacl there with just
>> the uid. The FreeIPA client with the NFS mount (not kerberized) is an
>> Ubuntu 14.04 bound to a FreeIPA 3.0 server (running on CentOS 6.5). I’ve
>> got the FreeIPA 3.0 server configured with a trust with an AD domain. My
>> krb5.conf has dns_lookup_kdc = true and
>> auth_to_local = RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/
>> and my sssd.conf has the standard subdomains_provider = ipa and
>> services = ..., pac along with full_name_format = %1$s to strip the
>> realm name off when displaying the username. From what I understand
>> about NFS ACLs, they should respect the uid reported, which matches, and
>> ignore uidnumbers (which don’t match). From the FreeIPA client I can
>> authenticate as an AD user, but I still don’t have access to the NFS
>> directory with ACLs that should allow me to read. When I do a getfacl on
>> the NFS server I get just the uid, but when I do nfs4_getfacl on the
>> FreeIPA/NFS client I get uid@ipa.realm (and no access to the directory).
>>
>> Am I missing something?
>>
> There is a bug in NFS ID mapping code that prevents this use case from
> working. It should be fixed in recent libnfsidmap releases but I'm not
> sure it is already available in CentOS 6.5.
> --
> / Alexander Bokovoy
>
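An added example, not part of the thread above, showing how the krb5 auth_to_local RULE quoted in the original question is evaluated step by step (component count, $n formatting, selector regexp, then the s/// substitution), so the mapping can be checked before blaming the NFS ID mapper. The principals and realm names are constructed placeholders, and the interpreter is a simplified re-implementation, not MIT krb5's own code.

```python
import re

# The rule from the thread, on one line (AD.DOMAIN / ad.domain are placeholders).
RULE = r"RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/"

# Grammar: RULE:[n:format](regexp)s/pattern/replacement/[g]...  (regexp and
# substitutions are optional; several substitutions may be chained).
_RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<match>.*?)\))?"
    r"(?P<subs>(?:s/[^/]*/[^/]*/g?)*)$"
)
_SUB_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def apply_rule(rule, principal):
    """Map a Kerberos principal through one auth_to_local RULE.

    Returns the resulting local name, or None when the rule does not apply
    (wrong number of components, or the selector regexp does not match).
    """
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule: %s" % rule)
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    # [n:...] only applies to principals with exactly n components,
    # so host/nfs.example.test@REALM (two components) is skipped by [1:...].
    if len(components) != int(m.group("n")):
        return None
    # $0 is the realm, $1..$n are the principal components.
    vals = [realm] + components
    formatted = re.sub(r"\$(\d+)", lambda mm: vals[int(mm.group(1))], m.group("fmt"))
    # The selector regexp must match the formatted string or the rule is skipped.
    # The thread's regexp is anchored with ^ and $, so fullmatch and search agree.
    sel = m.group("match")
    if sel is not None and not re.fullmatch(sel, formatted):
        return None
    # Apply each s/pattern/replacement/[g] in order (first match only without g).
    for pat, rep, g in _SUB_RE.findall(m.group("subs")):
        formatted = re.sub(pat, rep, formatted, count=0 if g else 1)
    return formatted


if __name__ == "__main__":
    for p in ("dshown@AD.DOMAIN", "host/nfs.example.test@AD.DOMAIN", "dshown@IPA.REALM"):
        print("%-35s -> %s" % (p, apply_rule(RULE, p)))
```

A mapped result such as `dshown@ad.domain` is the fully qualified name sssd must then resolve; if this step already yields None, the problem is in krb5.conf rather than in libnfsidmap.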