On 11/30/2017 03:11 PM, Simo Sorce wrote:
> The reason why NFS wants to authenticate you, is to know what uid/gid
> it should assign to your user (on the server) to access files. So
> creating a user is not necessarily a bad idea...
Naturally. I think I understand the "why" part of krb5 NFS
authentication, but I'm trying to figure out how to allow access from
system accounts, where creating a new user and changing the UID for an
existing process would mean changing permissions on the local
filesystems in addition to the NFS filesystems.
> However in some NFS servers you may be able to create mappings from
> principals to local users. In that case you can use a SPN (Service
> Principal Name) and associated keytab to gain access.
> In freeipa only users can have a 1 component principal such as
> "daemon@DOMAIN" normally. If you really just want to use a service I would
> first explore the possibility of mapping "daemon/hosts.f.q.d.n@REALM"
> to a user on the NFS server and then just create a normal service and
> get a keytab for it in IPA.
That looks like it's probably what I'm after, though I can't get it to
actually work. On the NFS server, I've set '[Translation] Method =
nsswitch,static' and set '[Static] daemon/f.q.d.n@REALM = daemon'. With
verbosity set to an arbitrarily large value, I see what appears to be
activity mapping numeric UIDs and GIDs to names, but never the reverse.
There is no logged activity mapping a name to a UID, and the process
which has the 'daemon/f.q.d.n@REALM' ticket gets access as the nfsnobody
account. (It had no permission of any kind with no ticket.) It may be
good enough to provide a ticket and no mapping, since I want it to
access globally readable files, and the nfsnobody user can do that, but
I would like to understand the mapping feature better than I do. I'm
doing something wrong, but I'm not sure what. That seems like a
question better suited for another list, though.
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
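The thread turns on how the NFS server's idmapper decides which local identity a Kerberos principal gets, and why a two-component service principal such as daemon/f.q.d.n@REALM needs an explicit [Static] entry while a plain user principal does not. The following is an added example, not code from the thread, from libnfsidmap or from FreeIPA: it is a deliberately simplified model of the "nsswitch,static" translation chain, in the principal-to-identity direction only. It assumes that the nsswitch method only accepts single-component principals from a realm listed in Local-Realms, that the static method keys on the full principal string, and that an unmatched principal falls through to the anonymous account. The idmapd.conf text, the realm, the hostnames and the password table are constructed for the demonstration.

```python
"""Model of the principal -> uid/gid translation chain selected by
[Translation] Method = nsswitch,static in idmapd.conf.

Added example; not libnfsidmap's or FreeIPA's code. Simplifications:
  nsswitch: accepts single-component principals (user@REALM) whose realm is
            in Local-Realms and resolves the name through the password table;
  static:   looks the *full* principal up in [Static] and resolves the local
            user name it points at through the same table;
  anything unmatched falls through to the anonymous account.
"""
import configparser

# Constructed idmapd.conf fragment. The Method and Static lines follow the
# shape used in the thread; realm and hostnames are placeholders.
IDMAPD_CONF = """
[General]
Domain = example.com
Local-Realms = EXAMPLE.COM

[Translation]
Method = nsswitch,static

[Static]
daemon/nfsclient.example.com@EXAMPLE.COM = daemon
"""

# Constructed stand-in for getpwnam(3): local name -> (uid, gid).
PASSWD = {
    "alice": (1000, 1000),
    "daemon": (2, 2),
    "nfsnobody": (65534, 65534),
}


def parse_idmapd(text):
    """Parse an idmapd.conf-style INI file, keeping key case intact."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # principals are case-sensitive; do not lower-case keys
    cp.read_string(text)
    return cp


def split_principal(principal):
    """'daemon/host@REALM' -> (['daemon', 'host'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def nsswitch_princ_to_ids(conf, principal):
    """Map user@LOCALREALM to the local account of the same name."""
    components, realm = split_principal(principal)
    local_realms = [r.strip() for r in
                    conf.get("General", "Local-Realms", fallback="").split(",")
                    if r.strip()]
    if local_realms and realm not in local_realms:
        return None
    if len(components) != 1:  # service/host@REALM is not a user name
        return None
    return PASSWD.get(components[0])


def static_princ_to_ids(conf, principal):
    """Map a principal through the [Static] section, keyed on the full string."""
    if not conf.has_section("Static"):
        return None
    local_name = conf.get("Static", principal, fallback=None)
    if local_name is None:
        return None
    return PASSWD.get(local_name)


METHODS = {"nsswitch": nsswitch_princ_to_ids, "static": static_princ_to_ids}


def princ_to_ids(conf, principal, nobody="nfsnobody"):
    """Run the configured methods in order; first hit wins, else anonymous."""
    chain = [m.strip() for m in
             conf.get("Translation", "Method", fallback="nsswitch").split(",")]
    for method in chain:
        ids = METHODS[method](conf, principal)
        if ids is not None:
            return method, ids
    return "nobody", PASSWD[nobody]


if __name__ == "__main__":
    conf = parse_idmapd(IDMAPD_CONF)
    for p in ("alice@EXAMPLE.COM",
              "daemon/nfsclient.example.com@EXAMPLE.COM",
              "daemon/other.example.com@EXAMPLE.COM",
              "alice@OTHER.REALM"):
        print(p, "->", princ_to_ids(conf, p))
```

The last two lookups show the failure mode worth checking when a client ends up as nfsnobody: a [Static] key that does not match the principal byte for byte (different host component, realm or case), or a user principal from a realm outside Local-Realms, is not an error, it simply falls through to the anonymous account. Comparing the principal shown by `klist -k` on the keytab against the [Static] key is the first thing to verify.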