Sami Hulkko via FreeIPA-users wrote:
> If one will:
>
> ipa service-add nfs/<nfs server host>
>
> ipa service-add-host --hosts=<nfs server host> nfs/<nfs server host>
>
> Install certificate for the nfs service:
>
> Create group certadmin and add Certificate Administrators privilege to it for certmonger to work.
>
> ipa role-add-member --hosts=<nfs server host> certadmin
>
> and it has certificate.
>
> ipa service-mod nfs/<host name> --pac-type=none
>
> pac type NONE was recommended for NFS in: ipa help service -documentation
>
> And after that ipa-client-automount works!
A couple of comments.

Only the NFS server would need an nfs principal, at best. NFS will try to use the "nfs" service first and fall back to "host" if it isn't available, so really neither is necessary.

Certificates are unrelated to NFS security with krb5*. So it also doesn't need to be in a particular role.

A mount happens as the user. In your original testing I wonder if you had a user Kerberos ticket. I'm guessing not.

Regardless, glad you have a working setup.

rob

> SH
>
> On 04/09/2022 14:41, Sami Hulkko via FreeIPA-users wrote:
>> What I can dig from the log:
>>
>> kern.log
>>
>> Sep 4 14:37:14 mail kernel: [ 8464.142473] show_signal_msg: 2 callbacks suppressed
>> Sep 4 14:37:14 mail kernel: [ 8464.142477] automount[14581]: segfault at 7f248f9492b0 ip 00007f248f9492b0 sp 00007f248e8b5128 error 14 in mount_nfs.so[7f248f94f000+2000]
>> Sep 4 14:37:14 mail kernel: [ 8464.142489] Code: Unable to access opcode bytes at RIP 0x7f248f949286.
>> Sep 4 14:38:13 mail kernel: [ 8523.353118] automount[14600]: segfault at 7fbb8e8d52b0 ip 00007fbb8e8d52b0 sp 00007fbb8d841128 error 14 in mount_nfs.so[7fbb8e8db000+2000]
>> Sep 4 14:38:13 mail kernel: [ 8523.353132] Code: Unable to access opcode bytes at RIP 0x7fbb8e8d5286.
>>
>> Seems to be a segfault.
>>
>> SH
>>
>> On 04/09/2022 09:51, Sami Hulkko via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I have lately tried to get autofs working, with a bit of trouble.
>>> I have the following setup:
>>>
>>> ipa-autofs:
>>>
>>> default
>>>
>>> - auto.master
>>>
>>> - <mount point at client> auto.home
>>>
>>> - auto.home
>>>
>>> - * <path on server>/&
>>>
>>> nfs-server:
>>>
>>> <path to share> gss/krb5i(rw,sync,no_subtree_check,no_root_squash)
>>>
>>> ipa:
>>>
>>> service nfs/<server fqdn>
>>>
>>> service nfs/<client fqdn>
>>>
>>> and copied to server/client
>>>
>>> all services running, and if I (root): ls /<mountpoint of homes>/<user home folder>
>>>
>>> it should mount, but instead I get:
>>>
>>> SSSD:
>>>
>>> Sep 04 09:25:11 <host> krb5_child[41263]: Preauthentication failed
>>>
>>> AUTOFS:
>>>
>>> >> mount.nfs: access denied by server while mounting <path>
>>>
>>> In /var/log/sssd/krb5_child.log I get this:
>>>
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [become_user] (0x0200): [RID#28] Trying to become user [925800000][925800000].
>>>
>>> This is the admin user at IPA, not the user whose home folder we tried to 'ls'.
>>>
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [main] (0x2000): [RID#28] Running as [925800000][925800000].
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [set_lifetime_options] (0x0100): [RID#28] No specific renewable lifetime requested.
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [set_lifetime_options] (0x0100): [RID#28] No specific lifetime requested.
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [set_canonicalize_option] (0x0100): [RID#28] Canonicalization is set to [true]
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [main] (0x0400): [RID#28] Will perform auth
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [main] (0x0400): [RID#28] Will perform online auth
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [tgt_req_child] (0x1000): [RID#28] Attempting to get a TGT
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [get_and_save_tgt] (0x0400): [RID#28] Attempting kinit for realm [<REALM>]
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [sss_krb5_responder] (0x4000): [RID#28] Got question [password].
>>>
>>> It is asking for the admin password for a Kerberos 5 ticket and fails.
>>>
>>> * (2022-09-04 9:25:23): [krb5_child[41266]] [get_and_save_tgt] (0x0020): [RID#28] 1725: [-1765328360][Preauthentication failed]
>>>
>>> How would one go about this?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
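Rob's two points above (the client keytab needs an nfs/ principal, or host/ as the fallback NFS actually uses, and the mount runs as a user who must hold a TGT) as an added shell pre-check; this is example code, not from the thread or from FreeIPA. The `klist -k` and `klist` texts are constructed samples, and client.example.test, EXAMPLE.TEST and alice are assumed names.

```shell
#!/bin/sh
# Added example, not from the thread. Offline pre-checks for a krb5 NFS mount:
# the client keytab needs an nfs/ principal, or failing that host/ (NFS tries
# nfs first and falls back to host), and the user doing the mount needs a TGT.
# Inputs are pasted `klist -k` / `klist` text; the samples below are constructed.

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/client.example.test@EXAMPLE.TEST'

SAMPLE_CACHE='Ticket cache: KCM:1000
Default principal: alice@EXAMPLE.TEST

Valid starting       Expires              Service principal
09/04/2022 09:20:00  09/05/2022 09:20:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST'

# nfs_principal_kind "<klist -k text>" <fqdn> <REALM> -> prints nfs|host|none
nfs_principal_kind() {
    for _svc in nfs host; do
        if printf '%s\n' "$1" | awk -v want="$_svc/$2@$3" \
               '$2 == want { ok = 1 } END { exit !ok }'; then
            echo "$_svc"; return 0
        fi
    done
    echo none; return 1
}

# cache_user "<klist text>" -> user part of the default principal
cache_user() {
    printf '%s\n' "$1" | awk '/^Default principal:/ { sub(/@.*/, "", $3); print $3; exit }'
}

# cache_has_tgt "<klist text>" <REALM> -> true if a krbtgt for REALM is listed
cache_has_tgt() {
    printf '%s\n' "$1" | awk -v want="krbtgt/$2@$2" '$NF == want { ok = 1 } END { exit !ok }'
}

# mount_precheck "<keytab text>" "<cache text>" <fqdn> <REALM> <mount user>
mount_precheck() {
    _kind=$(nfs_principal_kind "$1" "$3" "$4") ||
        { echo "FAIL: no nfs/ or host/ principal for $3 in keytab"; return 1; }
    _user=$(cache_user "$2")
    [ "$_user" = "$5" ] ||
        { echo "FAIL: ticket cache belongs to ${_user:-nobody}, mount runs as $5"; return 1; }
    cache_has_tgt "$2" "$4" || { echo "FAIL: $5 has no TGT for realm $4"; return 1; }
    echo "OK: client will use $_kind/$3; $5 holds a TGT for $4"
}

mount_precheck "$SAMPLE_KEYTAB" "$SAMPLE_CACHE" client.example.test EXAMPLE.TEST alice
```

With the sample keytab the check reports that the client falls back to host/client.example.test, which matches Rob's remark that a separate nfs/ principal on the client is optional.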
