Hello everyone!

I am trying to set up an NFS export with sec=krb5p on one machine and
make it accessible to a system user ('git' in this case) on another. I'd
like to put GitLab backups on my ZFS array via NFS, to be more specific.

All machines in my little homelab are based on CentOS 7.3.1611 and I use
two replicated FreeIPA servers with what I believe to be the latest
release available on CentOS: 4.4.0. Both the storage server and the
GitLab server are enrolled hosts in my realm.

After enrolling both machines with ipa-client-install and installing
@File\ and\ Storage\ Server on one and @Network\ File\ System\ Client on
the other, I ran ipa-client-automount on both, as I read somewhere that
it sets up necessary configuration files for identity mapping?

I also found a thread on this mailing list, about a use case of Apache
accessing a /var/www directory via kerberized NFS. I believe my use case
is very similar and I feel like I am very close to a solution. But I
just don't understand where things go wrong:

In this particular case the 'git' user on both machines has different
UIDs. It was created during the installation of GitLab on the client but
the UID was already occupied by 'softhsm private keys owner' on the
server. Thus I created a system user manually, which has a different UID
though. For the sake of troubleshooting I also tried all the following
steps with the Apache user, which has UID 48 on both machines - the
result was the same.

As this is not an actual user in my realm, I first created a service
principal of the form git/$HOSTNAME@REALM (or apache/... for that
matter). I then used ipa-getkeytab to create a keytab in
/var/lib/gssproxy/clients/$UID.keytab for gssproxy to find. That worked
nicely as in: The user automagically got access to the mounted NFS share
while a krb5cc_$UID was created in the directory mentioned above. After
switching users with su, I can navigate through the mount - as long as
all the folders have 755 permissions. A folder with 700 permissions and
owner 'git' is correctly displayed as being owned by 'git' on the client
- yet I cannot access it! When I create a file or folder in a folder
with public permissions (777), the owner of the newly created file is

I also tried setting up a static mapping in /etc/idmapd.conf on both the
server and client: mapping the service principal to user 'git'. The
effect was the client displaying the folder being owned by 'nobody' -

Doing all the above steps with an actual user in the realm works fine.
Either with the automagic method through gssproxy or by getting a ticket
with kinit first: I can access a folder with 700 permissions and files
are created with the correct owner, etc.

Is there any critical step that I missed? I feel like I am very close ..
I'd be thankful for any hints.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org