On 11/30/2017 03:11 PM, Simo Sorce wrote:
The reason why NFS wants to authenticate you, is to know what uid/gid
it should assign to your user (on the server) to access files. So
creating a user is not necessarily a bad idea...


Naturally.  I think I understand the "why" part of krb5 NFS authentication, but I'm trying to figure out how to allow access from system accounts, where creating a new user and changing the UID for an existing process would mean changing permissions on the local filesystems in addition to the NFS filesystems.

However in some NFS servers you may be able to create mappings from
principals to local users. In that case you can use a SPN (Service
Principal Name) and associated keytab to gain access.

In freeipa only users can have a 1 component principal such as
"daemon@DOMAIN" normally. If you really just want to use a service I would
first explore the possibility of mapping "daemon/hosts.f.q.d.n@REALM"
to a user on the NFS server and then just create a normal service and
get a keytab for it in IPA.


That looks like it's probably what I'm after, though I can't get it to actually work.  On the NFS server, I've set '[Translation] Method = nsswitch,static' and set '[Static] daemon/f.q.d.n@REALM = daemon'.  With verbosity set to an arbitrarily large value, I see what appears to be activity mapping numeric UIDs and GIDs to names, but never the reverse.  There is no logged activity mapping a name to a UID, and the process which has the 'daemon/f.q.d.n@REALM' ticket gets access as the nfsnobody account.  (It had no permission of any kind with no ticket.)  It may be good enough to provide a ticket and no mapping, since I want it to access globally readable files, and the nfsnobody user can do that, but I would like to understand the mapping feature better than I do. I'm doing something wrong, but I'm not sure what.  That seems like a question better suited for another list, though.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
