[Freeipa-users] issues with nfs4 privileges.

Rob Verduijn rob.verduijn at gmail.com
Fri Jun 20 16:02:17 UTC 2014


Hello,

I'm a bit at a loss with my freeipa kerberized nfs4 shares.

The nfs4 shares mount fine and users can read and write their files.
However, pulseaudio does not work properly, and some programs fail to start.
When logging in with a local account using a local homedrive
pulseaudio works, and the programs also work.
Also oddjob is not capable of creating a home dir for a new user.

Root is not allowed to write in the home mount on the client (mkdir
test and touch test get a Permission denied).

I don't think it's selinux, because setenforce 0 on the nfs-server and
setenforce 0 on the nfs client did not help.

Freeipa policies seem to be working fine, sudo rules are applied the
way I expect them.
Logging in on all the machines works, automounting works like a charm,
except for the situations described above.

Server details are below.

Can anybody tell me what I've missed?
Rob

the freeipa server is a dedicated fedora20 x86_64 machine with the
latest updates applied

the nfs-server is a fedora20 x86_64 machine with the latest updates applied

these booleans have been applied on the nfs server
nfs_export_all_ro --> on
nfs_export_all_rw --> on

The exports are :
/exports *(rw,no_root_squash,crossmnt,fsid=0,sec=krb5p)
/exports/homes *(rw,no_root_squash,no_subtree_check,sec=krb5p)

/exports/homes is a bind mount from :
/data3/homes

selinux contexts of the dirs:
ls -dalsZ /data3/homes
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /data3/homes
ls -dalsZ /exports/homes
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /exports/homes

/exports/homes is automounted by systemd using this unit file:
cat /etc/systemd/system/exports-homes.automount
[Unit]
Description=/exports/homes Directory Automount Point
Wants=network.target statd.service
After=network.target statd.service
[Automount]
Where=/exports/homes

[Install]
WantedBy=multi-user.target

and the matching unit mount:
cat /etc/systemd/system/exports-homes.mount
[Unit]
Description=Exports Homes Directory
Wants=network.target statd.service
After=network.target statd.service
[Mount]
What=/data3/homes
Where=/exports/homes
Type=none
Options=bind
DirectoryMode=0755

The nfs client is a fedora20 x86_64 machine with all the latest patches applied.
This boolean has been set:
use_nfs_home_dirs --> on

ls -dalsZ /home/
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /home/

the home folder is automounted by systemd using this unit file :
cat /etc/systemd/system/home.automount
[Unit]
Description=Home Directory Automount Point
Wants=network.target statd.service
After=network.target statd.service
[Automount]
Where=/home
[Install]
WantedBy=multi-user.target

and the matching unit mount
cat /etc/systemd/system/home.mount
[Unit]
Description=Home Directory
Wants=network.target statd.service
After=network.target statd.service
[Mount]
What=172.16.1.1:/homes
Where=/home
Type=nfs4
Options=timeo=14,noatime,timeo=14,soft,sec=krb5p,context=system_u:object_r:user_home_t:s0
DirectoryMode=0750



