[Freeipa-users] IPA+AD trust and NFS nobody issue

Johan Petersson Johan.Petersson at sscspace.com
Wed Jun 4 10:02:03 UTC 2014


Yes, the Client is default RHEL 7, and both the IPA and NFS Server are as well.


server.ad.home = AD Server
share.linux.home = NFS Server
ipa.linux.home = IPA Server
client.linux.home = Client

NFS with automounted krb5p Home Directories work for IPA users.

sssd-1.11.2-65.el7.x86_64

id adtest@AD.HOME
uid=497801107(adtest@ad.home) gid=497801107(adtest@ad.home) groups=497801107(adtest@ad.home),497800513(domain users@ad.home)

getent passwd adtest@AD.HOME
adtest@ad.home:*:497801107:497801107::/home/ad.home/adtest:

klist after kinit adtest@AD.HOME

[root@client ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: adtest@AD.HOME

Valid starting     Expires            Service principal
06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/AD.HOME@AD.HOME
         renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

klist after ssh adtest@AD.HOME@ipa.linux.home

klist
Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
Default principal: adtest@AD.HOME

Valid starting     Expires            Service principal
06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.home@LINUX.HOME
         renew until 06/05/14 11:28:30
06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/LINUX.HOME@AD.HOME
         renew until 06/05/14 11:28:30
06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/AD.HOME@AD.HOME
         renew until 06/05/14 11:28:30

The Home Directory gets mounted by autofs through sssd, but user:group are both nobody.

The Client's sssd.conf:

[domain/linux.home]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.home
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.linux.home
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.linux.home
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
subdomains_provider = ipa
[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2

domains = linux.home
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, June 03, 2014 6:48 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/03/2014 09:07 AM, Johan Petersson wrote:
Hi,

Environment:

RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
RHEL 7 NFS Server
RHEL 7 Client

I have found one problem when using an NFS 4 shared Home Directory for AD users logging in to IPA.
I have created an NFS share /home/adexample.org and use an autofs map in IPA.
All wbinfo tests work, as well as id.
I can log in fine through SSH and shell with adtest@adexample.org
The problem is that I can add the AD user as owner of his Home Directory, and if I log in to the NFS Server locally or through ssh the permissions are correct, but when logging in to any other computer I get "nobody" as owner.
Are those computers RHEL7 NFS clients with SSSD?
Can you describe them in more details please?


Groups are no problem since AD groups can be mapped to Posix groups.

Idmap.conf domain is set to the IPA Domain.

Is there some way to get NFS working with the AD user as owner of his Home Directory?

Thanks for any help.






_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
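As an added illustration of how a client-side NFSv4 idmapper can end up at "nobody" for a trust user (this is a simplified model written for this thread, not the poster's code and not libnfsidmap): it assumes the server sends owners as name@Domain with Domain taken from idmapd.conf, that the client splits that string at the rightmost @ and accepts only its own Domain as suffix, and that the remaining name is resolved the way getpwnam() would through sssd. The uid and user names are the ones from the thread; the passwd table and the nobody uid are constructed.

```python
# Simplified model of NFSv4 owner-string translation on a client. Added as an
# illustration of the "nobody" symptom in the thread; it is not the poster's
# code and not libnfsidmap. Assumptions: the server sends "name@Domain" with
# Domain from its idmapd.conf, the client splits at the rightmost '@', accepts
# only its own Domain as suffix, and resolves the rest as getpwnam() via sssd.
NOBODY_UID = 65534  # constructed placeholder for the "nobody" account

# Constructed stand-in for the client's passwd lookups; the trust user is
# qualified the way the thread's "getent passwd" output shows it.
PASSWD = {"ipauser": 1000, "adtest@ad.home": 497801107}
UID_TO_NAME = {uid: name for name, uid in PASSWD.items()}

def split_owner(owner):
    """Split 'name@domain' at the rightmost '@'; a trust user's name keeps its
    own '@', so 'adtest@ad.home@linux.home' -> ('adtest@ad.home', 'linux.home')."""
    idx = owner.rfind("@")
    return (owner, None) if idx < 0 else (owner[:idx], owner[idx + 1:])

def owner_to_uid(owner, local_domain):
    """Map an incoming owner string to a uid, falling back to nobody."""
    name, domain = split_owner(owner)
    if domain is None or domain.lower() != local_domain.lower():
        # Suffix is not this client's Domain: the name cannot be claimed
        # locally, so the file is shown as owned by nobody.
        return NOBODY_UID
    return PASSWD.get(name, NOBODY_UID)

def uid_to_owner(uid, server_domain):
    """Owner string a server with the given idmap Domain sends for a uid."""
    return f"{UID_TO_NAME.get(uid, 'nobody')}@{server_domain}"

def explain(owner, local_domain):
    """One-line diagnosis of why an owner string does or does not map."""
    name, domain = split_owner(owner)
    uid = owner_to_uid(owner, local_domain)
    if uid != NOBODY_UID:
        return f"{owner} -> uid {uid}"
    if (domain or "").lower() != local_domain.lower():
        return f"{owner} -> nobody (domain {domain!r} != {local_domain!r})"
    return f"{owner} -> nobody (no passwd entry for {name!r})"

if __name__ == "__main__":
    # Server and client both use Domain = linux.home: the trust user maps.
    print(explain(uid_to_owner(497801107, "linux.home"), "linux.home"))
    # Server uses the AD domain as its Domain: the client rejects the suffix.
    print(explain(uid_to_owner(497801107, "ad.home"), "linux.home"))
    # Name arrives without its trust qualifier: no passwd entry, nobody.
    print(explain("adtest@linux.home", "linux.home"))
```

Comparing the Domain in idmapd.conf on server and client, and checking that the name part left after stripping it is exactly what getent passwd resolves, is the check this model makes explicit.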

