[Freeipa-users] Kerberized NFS Mount Issues

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Sun Feb 16 23:10:58 UTC 2014


>You raise a good point regarding kinit - do I have to be kinit'ed in as anybody
>before trying to mount the share?  I thought as the host and service principals
>are in the /etc/krb5.keytab I didn't need to specifically authenticate against
> the IPA server? - I might be showing a fundamental lack of knowledge on how
> this all works, so would be good if someone could confirm or clarify this.

The big feature of NFSv4 with krb5 security is per-user authentication/authorization. NFSv4 with sec=sys (and all NFS <4) use host-based authorization. I'm pretty sure you should be able to mount the NFS export without 'kinit'ing, but I'm also pretty sure it should look empty (or even give you "permission denied") until you kinit to someone authorized to access it.

I see you kinit'ed to "admin@EXAMPLE.LOCAL". If I'm not mistaken, this means that when you create files, NFS communicates the owner as "admin@example.local". Your idmappers are probably trying to translate this to a local account called "admin" whenever evaluating permissions. If nfs-client and nfs-server can both "getent passwd admin" successfully, then you're probably OK. Otherwise, sssd may need some work...

But that shouldn't interfere with just mounting the share. (I just checked on my little test setup.) My little test setup doesn't involve IPA; it's just a couple of Fedora 20 VMs with MIT krb5 and an NFS server. I did Google this: http://www.cs.indiana.edu/~robh/nfsv4+rhel6.html

Note the part about the campus windows AD admins setting the NO_AUTH_DATA_REQUIRED flag for the machine accounts in AD. Is preauth turned off for your nfs/nfs-client.... and nfs/nfs-server... principals? I fear I'm ignorant of how this is done in IPA.

Bryce




This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
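The reply above describes two name mappings that decide whether a kinit'ed user can see files on a sec=krb5 export: the authenticated Kerberos principal has to become a local user on the server, and the NFSv4 owner string ("user@domain") has to become the same local user on the client, with "getent passwd" succeeding on both hosts. The POSIX shell script below is an added example, not code from Bryce's post or from FreeIPA or nfs-utils; it is a deliberately simplified model of how libnfsidmap's nsswitch method treats realm and domain (a user principal whose realm is not in Local-Realms, or an owner string whose domain does not match the idmapd Domain, falls back to the nobody user), and it ignores details such as the default realm and uid/gid handling. The principal admin@EXAMPLE.LOCAL, the realm EXAMPLE.LOCAL, the NFSv4 domain example.local and the fallback user "nobody" are assumed values for illustration.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): a simplified model
# of the two name mappings involved in per-user access on a sec=krb5 NFSv4
# export, plus the "getent passwd" check the post recommends.
#
# Assumed (hypothetical) values:
#   user principal      admin@EXAMPLE.LOCAL
#   Local-Realms        EXAMPLE.LOCAL        (realm side, server)
#   idmapd Domain       example.local        (owner-string side, client)
#   fallback account    nobody

# Lower-case a string; POSIX sh has no ${var,,}.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Server side (rpc.svcgssd / libnfsidmap, simplified): an authenticated
# principal "user@REALM" becomes local user "user" only if REALM is one of
# the configured Local-Realms. Service principals (nfs/host@REALM) are not
# user accounts and are treated as nobody here.
#   $1 = principal, $2 = comma-separated Local-Realms
gss_princ_to_local() {
    princ=$1
    realms=$2
    case $princ in
        *@*) ;;
        *) echo nobody; return 1 ;;
    esac
    user=${princ%@*}
    realm=${princ##*@}
    case $user in
        */*) echo nobody; return 1 ;;
    esac
    for r in $(printf '%s' "$realms" | tr ',' ' '); do
        if [ "$r" = "$realm" ]; then
            echo "$user"; return 0
        fi
    done
    echo nobody; return 1
}

# Client side (rpc.idmapd / nfsidmap, simplified): an owner string
# "user@domain" is mapped to local account "user" only if domain matches
# the Domain from /etc/idmapd.conf (compared case-insensitively); anything
# else maps to the Nobody-User.
#   $1 = owner string, $2 = idmapd Domain
nfs4_owner_to_local() {
    owner=$1
    domain=$2
    case $owner in
        *@*) ;;
        *) echo nobody; return 1 ;;
    esac
    user=${owner%@*}
    odom=${owner##*@}
    if [ "$(lc "$odom")" = "$(lc "$domain")" ]; then
        echo "$user"; return 0
    fi
    echo nobody; return 1
}

# The post's check: a mapped name is only useful if this host can resolve it
# through NSS (sssd, files, ...). Run it on both the NFS client and server.
check_local_account() {
    getent passwd "$1" >/dev/null 2>&1
}

# End to end for one principal on this host: 0 if it maps to a local user
# that NSS can resolve, 1 otherwise.
principal_resolves() {
    name=$(gss_princ_to_local "$1" "$2") || return 1
    check_local_account "$name"
}

# Demo on constructed inputs.
for p in admin@EXAMPLE.LOCAL admin@OTHER.REALM nfs/nfs-client.example.local@EXAMPLE.LOCAL; do
    printf '%-48s -> %s\n' "$p" "$(gss_princ_to_local "$p" EXAMPLE.LOCAL)"
done
for o in admin@example.local admin@EXAMPLE.LOCAL admin@lab.example.local; do
    printf '%-48s -> %s\n' "$o" "$(nfs4_owner_to_local "$o" example.local)"
done
if principal_resolves root@EXAMPLE.LOCAL EXAMPLE.LOCAL; then
    echo "root@EXAMPLE.LOCAL resolves to a local account on this host"
else
    echo "root@EXAMPLE.LOCAL does not resolve to a local account on this host"
fi
```

In practice the sequence the post describes is: mount with "-o sec=krb5" using only the host keytab, list the export before and after "kinit" (with "klist -s" telling you whether a ticket is present), and then confirm that the mapped name resolves with "getent passwd" on both machines; if the domain or realm in the model above does not line up with your idmapd.conf, files show up owned by nobody even though the mount itself succeeds.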