[Freeipa-users] HBAC rules for NFS

Joanna Delaporte joannadelaporte at gmail.com
Fri Jul 1 22:07:52 UTC 2016


Hi Alexander,

Thanks for the link. I read through it again, and I am still stuck on the
rpcgss service on the server...I don't know how to properly restart it. The
service in the documents is service nfs-secure-server enable (FC16), or
rpcsvcgssd.service (RH7), but I cannot enable using those.

I killed rpc.gssd process on the client and restarted manually with
rpc.gssd -vvv, which gave me more output. There is a flag set in
/etc/sysconfig/nfs which should have already been giving that output, but
it never took effect, even though I restarted nfs-server and
nfs-secure-server. What is the right way to restart rpcgssd.service and
rpcsvcgssd.service?

Anyway, after manually killing and executing rpc.gssd, the homedir
automounts with krb5p when I ssh to the machine (yay - first time!), but
the files are owned by nobody. I cannot access the files as the owner. The
UID of the file owner is low (between 500-1000), so I had to change the
user's UID just to be able to login (<1000 is blocked by PAM). Maybe the
fact that the user with a matching UID doesn't exist is causing a problem
in mapping the files' owner to a user? If so, how do I most efficiently map
the name of the file owner to the user with a different numerical UID? I
had hoped the kerberos auth might handle this for me.

The homedir does not mount when I su from root (not particularly a problem,
but it was muddling the issue). This clued me in: rpc.gssd[9928]: No key
table entry found for root/nfsclient.domain.tld.

Thank you!
Joanna

On Fri, Jul 1, 2016 at 3:59 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Fri, 01 Jul 2016, Joanna Delaporte wrote:
>
>> I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
>> starting to wonder if I don't have HBAC rules set up correctly.  I
>> installed freeIPA with --no_hbac_allow.
>>
>> I have an HBAC service defined as an nfs service:
>> $ ipa hbacsvc-add --desc="NFS service" nfs
>>
>> I have an HBAC rule that allows all users to access all services on a
>> group of hosts. My nfsclient is in that group.
>>
>> Is that enough to allow users rights to mount nfs shares? Do I need some
>> sort of HBAC between the nfsclient and the nfsserver?
>>
> HBAC is not involved at all for NFS use. Remember, HBAC checks are run
> by SSSD when it is called by PAM session setup. There is nothing like
> that for NFS mounts.
>
> Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?
>
>
> --
> / Alexander Bokovoy
>



-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelaporte at gmail.com
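An added example, not from this thread and not code from FreeIPA or nfs-utils, that checks for the two symptoms Joanna describes using constructed sample inputs: files showing up as owned by nobody (the NFSv4 client idmapper maps the server's `user@domain` owner strings to local accounts by name, so the `Domain` in `/etc/idmapd.conf` must agree on client and server and the user name must exist on the client; equal numeric UIDs are not what is compared) and the `No key table entry found for <principal>` line from `rpc.gssd -vvv`. The idmapd.conf contents, owner strings and local user set below are constructed; the log line is the one quoted in the message.

```python
"""Constructed checks for NFSv4 idmapping and rpc.gssd keytab messages."""
import re

# Constructed sample inputs (assumed, not taken from any real host).
CLIENT_IDMAPD_CONF = """
[General]
Domain = domain.tld
Nobody-User = nobody
Nobody-Group = nobody
"""
SERVER_IDMAPD_CONF = """
[General]
Domain = nfsserver.domain.tld   # constructed mismatch with the client
"""
OWNER_STRINGS = ["joanna@domain.tld", "joanna@nfsserver.domain.tld"]
CLIENT_LOCAL_USERS = {"joanna", "root"}
# The line quoted in the message above.
GSSD_LOG = "rpc.gssd[9928]: No key table entry found for root/nfsclient.domain.tld."

NOKEY_RE = re.compile(r"No key table entry found for (\S+)")


def parse_idmapd_conf(text):
    """Parse idmapd.conf-style INI text into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key] = value
    return conf


def idmap_domain(conf):
    """The Domain idmapd uses when translating user@domain strings."""
    return conf.get("General", {}).get("Domain")


def map_owner(owner, client_domain, local_users, nobody="nobody"):
    """Mimic the client-side name mapping: the domain must match the
    client's idmapd Domain and the user must exist locally, otherwise
    the owner falls back to the Nobody-User."""
    if "@" not in owner:
        return nobody
    name, domain = owner.rsplit("@", 1)
    if domain != client_domain or name not in local_users:
        return nobody
    return name


def missing_keytab_principals(gssd_log):
    """Principals rpc.gssd reported as absent from the keytab."""
    return [m.group(1).rstrip(".") for m in NOKEY_RE.finditer(gssd_log)]


def diagnose(client_conf, server_conf, owners, local_users, gssd_log):
    """Return a list of human-readable findings (empty means nothing found)."""
    findings = []
    cdom = idmap_domain(parse_idmapd_conf(client_conf))
    sdom = idmap_domain(parse_idmapd_conf(server_conf))
    if cdom != sdom:
        findings.append(f"idmapd Domain mismatch: client={cdom!r} server={sdom!r}")
    for owner in owners:
        if map_owner(owner, cdom, local_users) == "nobody":
            findings.append(f"owner {owner!r} would map to nobody on the client")
    for princ in missing_keytab_principals(gssd_log):
        findings.append(f"rpc.gssd found no keytab entry for {princ}")
    return findings


def run_example():
    """Run the checks over the constructed inputs."""
    return diagnose(CLIENT_IDMAPD_CONF, SERVER_IDMAPD_CONF, OWNER_STRINGS,
                    CLIENT_LOCAL_USERS, GSSD_LOG)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On a real client the inputs would come from `/etc/idmapd.conf` on both machines, `ls -l` owner strings as seen over NFSv4, and the `rpc.gssd -vvv` output. A keytab message naming `root/<hostname>` is not by itself a failure: when root has no credential cache, rpc.gssd falls back to machine credentials and tries several service principals in turn, so the message only matters if no later principal succeeds.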