Re: [Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Joanna Delaporte
Hi Alexander,

Thanks for the link. I read through it again, and I am still stuck on the
rpcgss service on the server...I don't know how to properly restart it. The
service in the documents is service nfs-secure-server enable (FC16), or
rpcsvcgssd.service (RH7), but I cannot enable using those.

I killed rpc.gssd process on the client and restarted manually with
rpc.gssd -vvv, which gave me more output. There is a flag set in
/etc/sysconfig/nfs which should have already been giving that output, but
it never took effect, even though I restarted nfs-server and
nfs-secure-server. What is the right way to restart rpcgssd.service and
rpcsvcgssd.service?

Anyway, after manually killing and executing rpc.gssd, the homedir
automounts with krb5p when I ssh to the machine (yay - first time!), but
the files are owned by nobody. I cannot access the files as the owner. The
UID of the file owner is low (between 500-1000), so I had to change the
user's UID just to be able to login (<1000 is blocked by PAM). Maybe the
fact that the user with a matching UID doesn't exist is causing a problem
in mapping the files' owner to a user? If so, how do I most efficiently map
the name of the file owner to the user with a different numerical UID? I
had hoped the Kerberos auth might handle this for me.

The homedir does not mount when I su from root (not particularly a problem,
but it was muddling the issue). This clued me in: rpc.gssd[9928]: No key
table entry found for root/nfsclient.domain.tld.

Thank you!
Joanna

On Fri, Jul 1, 2016 at 3:59 PM, Alexander Bokovoy wrote:

> On Fri, 01 Jul 2016, Joanna Delaporte wrote:
>
>> I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
>> starting to wonder if I don't have HBAC rules set up correctly.  I
>> installed freeIPA with --no_hbac_allow.
>>
>> I have an HBAC service defined as an nfs service:
>> $ ipa hbacsvc-add --desc="NFS service" nfs
>>
>> I have an HBAC rule that allows all users to access all services on a
>> group of hosts. My nfsclient is in that group.
>>
>> Is that enough to allow users rights to mount nfs shares? Do I need some
>> sort of HBAC between the nfsclient and the nfsserver?
>>
> HBAC is not involved at all for NFS use. Remember, HBAC checks are run
> by SSSD when it is called by PAM session setup. There is nothing like
> that for NFS mounts.
>
> Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?
>
>
> --
> / Alexander Bokovoy
>



-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
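The two symptoms in the message above (a "No key table entry found for root/..." line from rpc.gssd, and files that mount fine under krb5p but show up owned by nobody) are the usual starting points for triage of a Kerberos NFSv4 mount. The script below is an added example written for this page; it is not code from the thread, from nfs-utils, or from the FreeIPA project. It assumes that rpc.gssd tries the nfs/, root/ and host/ service principals for the client host in that order when it needs a machine credential (my understanding of nfs-utils behaviour, stated here as an assumption), so a "No key table entry" line for one candidate only matters if none of them is in the keytab. It also relies on the fact that NFSv4 sends owner names on the wire as user@idmap-domain, so the Domain value in /etc/idmapd.conf must agree on client and server and the owner name (not the numeric UID) must resolve on both ends; that is the check relevant to the question about mapping a file owner to a user with a different UID. The sample inputs are constructed: the hostname follows the thread, but the realm DOMAIN.TLD, the keytab contents and the second log line are invented.

```python
"""Triage helper for a sec=krb5p NFSv4 mount that authenticates but shows
files owned by nobody.  Added example; not from the thread or any project.

Inputs are constructed strings standing in for:
  - verbose `rpc.gssd -vvv` output on the client
  - `klist -k` output for the client's /etc/krb5.keytab
  - the Domain value from /etc/idmapd.conf on client and server
"""
import re

# Service-principal prefixes rpc.gssd tries, in order, when it needs a
# machine credential (e.g. for uid 0).  Assumption about nfs-utils
# behaviour; the point is that a "No key table entry" line for ONE
# candidate is only a problem if NONE of them is in the keytab.
MACHINE_PRINCIPAL_PREFIXES = ("nfs", "root", "host")

NO_KEYTAB_ENTRY_RE = re.compile(r"No key table entry found for (?P<princ>\S+)")
KLIST_ROW_RE = re.compile(r"^\s*\d+\s+(?P<princ>[^\s@]+@\S+)\s*$")


def parse_keytab_listing(klist_output):
    """Set of principals (with realm) found in `klist -k` output."""
    principals = set()
    for line in klist_output.splitlines():
        m = KLIST_ROW_RE.match(line)
        if m:
            principals.add(m.group("princ"))
    return principals


def machine_principal(host_fqdn, realm, keytab_principals):
    """First candidate principal for this host present in the keytab, or None."""
    for prefix in MACHINE_PRINCIPAL_PREFIXES:
        cand = f"{prefix}/{host_fqdn}@{realm}"
        if cand in keytab_principals:
            return cand
    return None


def triage(gssd_log, klist_output, host_fqdn, realm,
           client_idmap_domain, server_idmap_domain):
    """Return a dict of the findings a practitioner would check first."""
    keytab = parse_keytab_listing(klist_output)
    usable = machine_principal(host_fqdn, realm, keytab)
    # Principals rpc.gssd reported as absent; the log line carries no realm.
    skipped = NO_KEYTAB_ENTRY_RE.findall(gssd_log)
    findings = []
    if usable is None:
        findings.append(
            "no machine credential: keytab has none of "
            + ", ".join(f"{p}/{host_fqdn}@{realm}" for p in MACHINE_PRINCIPAL_PREFIXES))
    else:
        for princ in skipped:
            findings.append(
                f"rpc.gssd skipped {princ} (not in keytab) but {usable} is present; "
                "the GSS context can still be established")
    # NFSv4 puts owner names on the wire as user@idmap-domain; if the two
    # ends disagree on the domain the client maps those owners to nobody.
    domains_agree = client_idmap_domain == server_idmap_domain
    if not domains_agree:
        findings.append(
            f"idmap domain mismatch: client '{client_idmap_domain}' vs "
            f"server '{server_idmap_domain}'; owners will map to nobody")
    return {
        "keytab_principals": sorted(keytab),
        "machine_principal": usable,
        "gssd_skipped": skipped,
        "idmap_domains_agree": domains_agree,
        "findings": findings,
    }


# --- constructed sample inputs (hostname follows the thread; realm, keytab
# --- contents and the second log line are invented) ---
SAMPLE_GSSD_LOG = """\
rpc.gssd[9928]: No key table entry found for root/nfsclient.domain.tld
rpc.gssd[9928]: Success getting keytab entry for 'nfs/nfsclient.domain.tld@DOMAIN.TLD'
"""
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfsclient.domain.tld@DOMAIN.TLD
   2 nfs/nfsclient.domain.tld@DOMAIN.TLD
"""

if __name__ == "__main__":
    report = triage(SAMPLE_GSSD_LOG, SAMPLE_KLIST,
                    "nfsclient.domain.tld", "DOMAIN.TLD",
                    client_idmap_domain="domain.tld",
                    server_idmap_domain="localdomain")
    for finding in report["findings"]:
        print("-", finding)
```

Run against real output, the script only reads text you already have on the client (the rpc.gssd journal, `klist -k`, and the two idmapd.conf files), so it is safe to run on a production box; the design choice is to report the idmap domain check separately from the keytab check, because a working GSS context and a correct owner mapping are independent conditions and the thread shows the first succeeding while the second fails.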

Re: [Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Alexander Bokovoy

On Fri, 01 Jul 2016, Joanna Delaporte wrote:

I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
starting to wonder if I don't have HBAC rules set up correctly.  I
installed freeIPA with --no_hbac_allow.

I have an HBAC service defined as an nfs service:
$ ipa hbacsvc-add --desc="NFS service" nfs

I have an HBAC rule that allows all users to access all services on a group
of hosts. My nfsclient is in that group.

Is that enough to allow users rights to mount nfs shares? Do I need some
sort of HBAC between the nfsclient and the nfsserver?

HBAC is not involved at all for NFS use. Remember, HBAC checks are run
by SSSD when it is called by PAM session setup. There is nothing like
that for NFS mounts.

Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?


--
/ Alexander Bokovoy



[Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Joanna Delaporte
I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
starting to wonder if I don't have HBAC rules set up correctly.  I
installed freeIPA with --no_hbac_allow.

I have an HBAC service defined as an nfs service:
$ ipa hbacsvc-add --desc="NFS service" nfs

I have an HBAC rule that allows all users to access all services on a group
of hosts. My nfsclient is in that group.

Is that enough to allow users rights to mount nfs shares? Do I need some
sort of HBAC between the nfsclient and the nfsserver?

Thanks! Joanna

-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com