> On 3 Oct 2023, at 11:50, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
> On Tue, 03 Oct 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>
>>> On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>> On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users
>>> wrote:
>>>> Hi,
>>>>
>>>> Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4
>>>> shares with kerberos?
>>>>
>>>> I manage to mount the shares, the folder seems to have the right
>>>> permissions, but I get permission denied when trying to access the folder.
>>>>
>>>> I am trying from a Fedora 37 client.
>>>>
>>>> As this is potentially off-topic, I’d be glad to take the discussion
>>>> off-list.
>>>>
>>>
>>> That's a very interesting subject. Just today we started looking at the
>>> same thing.
>>> I have no idea yet how to do this, so I too would like to know if somebody
>>> has succeeded to set this up.
>>> --
>>> Kees
>>
>> Great! If it is ok with you, please keep in touch to share how/what you
>> accomplish.
>>
>> Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem
>> a few versions ago where the tickets wouldn’t be renewed. It is fixed
>> now. So users and groups work.
>>
>> The issue with TrueNAS, as I see it, is the idmapd configuration.
>>
>> But I think we start to be very off topic, so don’t hesitate to mail me
>> directly if you want to discuss this.
>
> I think it can be discussed here, no problem.

Thank you, I really appreciate this, since this is a thing I’ve been working on for quite some time, so it is really nice to have other eyes on it.

> My understanding is that TrueNAS Scale uses Debian as its base. It also
> uses Samba components for both client (users/groups identities)
> integration and server (SMB shares) integration. For SMB-related
> configuration one can have a pretty decent setup with Samba-driven
> identity management, so you can define idmap ranges, plugins, etc.
>
> For NFS case, I don't see them defining any idmapd config. If winbindd
> is in use already and those users/groups are provided through nsswitch,
> then default idmapd.conf configuration should work just fine because
> it'll do UID <-> kerberos principal name translation using nsswitch.

One of my problems is that I have a realm which is IPA.LOCAL. But my machines are machine.local. I believe that in such situations I need to define the Local-Realms attribute of the idmapd.conf, but that isn’t possible on the GUI.

So what happens is that when I change that on the /etc/idmapd.conf of TrueNAS, the permissions seem to be fine, but I still can’t access the folder. And after a few minutes, the idmapd.conf of TrueNAS gets overwritten and my permissions get messed up again, and then the folders are owned by nobody:nobody.

But even when the permissions are right, I still can’t access the folder. I think it might be the ACL on TrueNAS side, but I tried with all types of ACL to no avail.

Best,

Francis
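
A check for the situation described in the message above, as an added example that is not part of the thread or of TrueNAS or FreeIPA: it reads the `[General]` section of an idmapd.conf and reports whether a realm is listed under `Local-Realms`, so it can be rerun after the file has been regenerated. The function names and the sample file contents (including the `Domain` value) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample values are constructed.

# Print the value of key $2 in the [General] section of idmapd.conf file $1.
idmapd_general_get() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[^a-z]/, "", s)
            in_general = (s == "general"); next
        }
        in_general {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == want) { print v; exit }
        }' "$1"
}

# Return 0 if realm $2 is listed in Local-Realms of file $1, 1 if Local-Realms
# is set without it, 2 if Local-Realms is absent (e.g. the file was regenerated).
# Realm names are compared case-insensitively; that is this example's choice.
idmapd_realm_listed() {
    realms=$(idmapd_general_get "$1" "Local-Realms")
    [ -n "$realms" ] || return 2
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$realms" | tr ',' '\n' | tr '[:lower:]' '[:upper:]' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "$want" || return 1
}

# Constructed sample file: realm from the thread, Domain is a placeholder.
sample_conf() {
    cat <<'EOF'
# constructed sample idmapd.conf
[General]
Domain = local
Local-Realms = IPA.LOCAL

[Translation]
Method = nsswitch
EOF
}

# Demo: check the constructed sample for the realm named in the thread.
tmp=$(mktemp) && sample_conf > "$tmp"
if idmapd_realm_listed "$tmp" IPA.LOCAL; then
    echo "IPA.LOCAL is listed in Local-Realms"
else
    echo "IPA.LOCAL not listed (status $?)"
fi
rm -f "$tmp"
```

Status 2 after a previous status 0 on the same path indicates the hand-edited `Local-Realms` line is no longer in the file.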