[Freeipa-users] Freeipa-users Digest, Vol 90, Issue 9

Rob Crittenden rcritten at redhat.com
Tue Jan 5 21:49:19 UTC 2016 

BlueBolt wrote:
> Wow, that's fairly horrifying stuff, Rob.  All of my NFS servers (and
> current ldap-auth'd clients, which are not migrated to ipa-client) are
> constrained to nfs3.  I have no plans to v4 any of my nfs infrastructure
> apart from one server eventually which will serve mostly Macs for acl
> richness.  At any rate:
> 
> "To use GSS-Proxy with the NFS server you need a recent enough kernel.
> Anything more recent than 3.10 should work just fine."
> 
> Servers are CentOS6 and Nexenta where they'll remain for the foreseeable
> future.
> 
> Surely this is anticipated somewhere in the ipa/sssd universe allowing
> autofs to act in some autonomous way as it does currently with ldap backend?

I think you're confusing things. This doesn't remove any existing
behavior. You can still use ldap auth against autofs if you want, and
that is the default in ipa-client-automount using the host credentials.

But that isn't what you originally asked about. You asked about the
mounts themselves requiring Kerberos security. If you want want Kerberos
in the NFS mounts there is more pain in EL 6 than in EL 7. The typical
workaround is to use a keytab.

We can only move the earth so much at a time.

rob

> 
> thank you,
> 
> - cal sawyer
> 
> Date: Mon, 4 Jan 2016 14:07:40 -0500
>> From: Rob Crittenden <rcritten at redhat.com <mailto:rcritten at redhat.com>>
>> To: Cal Sawyer <cal-s at blue-bolt.com <mailto:cal-s at blue-bolt.com>>,
>> freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
>> Subject: Re: [Freeipa-users] IPA, autofs, kerberos
>> Message-ID: <568AC2FC.6080807 at redhat.com
>> <mailto:568AC2FC.6080807 at redhat.com>>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Cal Sawyer wrote:
>>> Hi
>>>
>>> After getting autofs working using automountmaps in IPA, i've discovered
>>> that upon rebooting a client i have no automounts.  If i ssh into the
>>> client and obtain a ticket as admin, after restarting autofs (as root),
>>> I can once again see access automounted directories.  Until then, user
>>> logins which depend on network home mount consistently fail
>>>
>>> Question is, how can this be made automatic on reboot?
>>
>> Credentials are needed to do the mounts so it depends on what
>> credentials you want/need to use for that. What mounts are these that
>> require Kerberos, home directories or something else?
>>
>> GSS-Proxy can do this unattended,
>> https://fedorahosted.org/gss-proxy/wiki/NFS
>>
>> rob
> 
>

More information about the Freeipa-users mailing list