Hi,

The redhat docs talk about the allow_delegation setting for ad-clients.
Setting this boolean on the server principal would allow the server to
forward your gssapi credentials to the nfs server on your behalf.
Thus authenticating you to the nfs4 server, allowing you to mount the
kerberized export.
However you said you did not use ad-ldap so I guess this does not apply to
you.

Rob

2017-06-26 7:58 GMT+02:00 Tony Brian Albers via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:

> Hi Rob,
>
> Not sure what the redhat docs describe, we're not using AD with this
> system.
>
> It seems somehow that GSSAPI does not forward the kerberos ticket obtained
> on the client machine correctly, when I connect to the machine I want to
> work on, it just says that the ticket has expired.
>
> I'm still trying a few things, I'll post to the list when I've got
> something new.
>
> /tony
>
>
> On 2017-06-22 15:13, Rob Verduijn via FreeIPA-users wrote:
> > If you are using gss-api and using putty to log in.
> > Did you do the thing mentioned in 5.3.4.5
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-managing.html#kerberos-flags-services-hosts
> > also see
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/kerberos-for-entries.html#kerberos-flags-services-hosts
> >
> > Rob
> >
> > 2017-06-22 13:50 GMT+02:00 Tony Brian Albers via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
> >
> >     Hi guys,
> >
> >     We have a setup where the FreeIPA server also hosts the user's
> homedirs. These are shared via NFSv4 and are automounted when a user logs
> in.
> >
> >     [root@adm-001 ~]# cat /etc/exports
> >     /data/home      172.16.216.0/24(rw,no_root_squash,sec=sys:krb5:krb5i:krb5p,fsid=1338)
> >
> >     [root@adm-001 ~]# ipa automountkey-show
> >     Location: default
> >     Map: auto.home
> >     Key: *
> >       Key: *
> >       Mount information: -fstype=nfs4,rw,sec=krb5,intr,hard adm-001.domain:/data/home/&
> >
> >
> >     While normal ssh logins work (you ssh to the client and put in your
> password), passwordless ssh does not work. It's obvious that passwordless
> logins do not activate the kerberos ticket function, but that results in
> the users being unable to read their own files in their homedirs.
> >
> >     For now we ask users to not do passwordless login, but could we make
> the latter work?
> >
> >     TIA,
> >
> >     /tony
> >
> >
> >     --
> >     Tony Albers
> >     Systems administrator, IT-development
> >     Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> >     Tel: +45 2566 2383 / +45 8946 2316
> >     _______________________________________________
> >     FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >     To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> >
> >
> >
> >
> >
>
>
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316
>

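A diagnostic for the situation Tony describes, added here as an example and not code from the thread or from FreeIPA: it parses MIT `klist -f` output from the user's ccache on the login host (a constructed sample is embedded) and reports whether the TGT is present, unexpired, forwardable and actually forwarded, which a sec=krb5 mount needs before the client can obtain an nfs/ service ticket. The check takes "now" as a klist-format timestamp so saved output can be examined offline.

```python
"""Added example (not code from the thread or FreeIPA): parse MIT ``klist -f``
output and check whether the TGT a sec=krb5 NFS mount needs is usable."""
import re
from datetime import datetime

# Constructed sample ccache: a TGT forwarded by ssh (flag f) plus an nfs/ ticket.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: tony@EXAMPLE.COM
Valid starting       Expires              Service principal
06/26/2017 07:58:00  06/27/2017 07:58:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FfIA
06/26/2017 07:58:01  06/27/2017 07:58:00  nfs/adm-001.domain@EXAMPLE.COM
\tFlags: FA
"""
STAMP = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (STAMP, STAMP))

def parse_stamp(text):
    """klist prints a four- or two-digit year depending on version; accept both."""
    fmt = "%m/%d/%Y %H:%M:%S" if len(text) == 19 else "%m/%d/%y %H:%M:%S"
    return datetime.strptime(text, fmt)

def parse_klist(output):
    """Return one dict (service, expires, flags) per ticket in the output."""
    tickets = []
    for raw in output.splitlines():
        line = raw.strip()
        match = TICKET_RE.match(line)
        if match:
            tickets.append({"service": match.group(3),
                            "expires": parse_stamp(match.group(2)), "flags": ""})
        elif line.startswith("Flags:") and tickets:  # belongs to the ticket above
            tickets[-1]["flags"] = line.split(":", 1)[1].strip()
    return tickets

def check_tgt(output, now_text):
    """Explain why the mount would fail for this ccache, or return 'ok'."""
    now = parse_stamp(now_text)
    tgts = [t for t in parse_klist(output) if t["service"].startswith("krbtgt/")]
    if not tgts:
        return "no TGT in cache: the login delivered no Kerberos credentials"
    tgt = tgts[0]
    if tgt["expires"] <= now:
        return "TGT expired at %s" % tgt["expires"].isoformat()
    if "F" not in tgt["flags"]:
        return "TGT is not forwardable (no F flag), so ssh could not delegate it"
    if "f" not in tgt["flags"]:
        return "TGT was not forwarded (no f flag): obtained locally or ssh did not delegate"
    return "ok"
```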