Hi Kevin,

Thanks for sharing this.

My configuration is virtually identical.

The differences:

- I set LDAP encryption to «on» 
- I don’t validate certificates here. I do use one on the idmap configuration
- I also add `map passwd loginShell loginShell` to the Auxiliary Parameters of 
the LDAP configuration
- I have also «forwardable = yes» on my Kerberos configuration, in addition to 
what you have

I have also host/ and an nfs/ keytab. On my configuration, it was a host/ that 
was used, but I chose the nfs now, but it’s really not different.

I mount the directory, get the right permissions (sometimes), but when I access 
the folder, it fails: 

`drwx------. 5 francis francis   14 Oct  1 20:03 test`
I changed back to LDAP for idmap, though I think Alexander Bokovoy is right, 
this could be NSS as well. But I don’t think I am having mapping errors here.

I wonder what could be wrong.

Best,

Francis
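Added example, not part of the thread: a small Python model of how idmapd's nsswitch mapping decides whether a Kerberos principal (`user@REALM`) or an NFSv4 owner string (`user@domain`) resolves to a local UID or to Nobody-User, which is the Local-Realms problem described further down in the quoted messages (realm IPA.LOCAL, hosts in machine.local). The passwd table, the two idmapd.conf bodies and the behaviour for an unset Local-Realms are assumptions of this model, not TrueNAS or nfs-utils code.

```python
import configparser

NOBODY_UID = 65534

# Constructed passwd table standing in for the NSS lookups (SSSD/winbind)
# that idmapd performs; a real system answers these from getpwnam().
PASSWD = {"francis": 1001, "nobody": NOBODY_UID}

def parse_idmapd_conf(text: str) -> dict:
    """Pull the settings that decide a mapping out of an idmapd.conf body."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    domain = cp.get("General", "Domain", fallback="localdomain")
    # Assumption of this model: with no Local-Realms, only the uppercased
    # Domain counts as local (see idmapd.conf(5) for the real default).
    realms = cp.get("General", "Local-Realms", fallback="") or domain.upper()
    return {
        "domain": domain.lower(),
        "local_realms": {r.strip().upper() for r in realms.split(",") if r.strip()},
        "nobody_user": cp.get("Mapping", "Nobody-User", fallback="nobody"),
    }

def map_name(conf: dict, name: str, kind: str) -> int:
    """Map 'user@REALM' (kind="gss") or 'user@domain' (kind="nfs4") to a UID,
    falling back to Nobody-User when the suffix is not recognised as local."""
    user, _, suffix = name.partition("@")
    if kind == "gss":   # Kerberos principal: realm must be declared local
        local = suffix.upper() in conf["local_realms"]
    else:               # NFSv4 owner/group string: domain must match
        local = suffix.lower() == conf["domain"]
    nobody = PASSWD.get(conf["nobody_user"], NOBODY_UID)
    return PASSWD.get(user, nobody) if local else nobody

# Constructed idmapd.conf bodies for the situation in the thread: the
# Kerberos realm is IPA.LOCAL while the hosts live in machine.local.
CONF_WITHOUT_LOCAL_REALMS = """[General]
Domain = machine.local
"""
CONF_WITH_LOCAL_REALMS = """[General]
Domain = machine.local
Local-Realms = IPA.LOCAL
"""

def demo() -> tuple:
    """UID that francis@IPA.LOCAL gets without and with Local-Realms set."""
    before = map_name(parse_idmapd_conf(CONF_WITHOUT_LOCAL_REALMS), "francis@IPA.LOCAL", "gss")
    after = map_name(parse_idmapd_conf(CONF_WITH_LOCAL_REALMS), "francis@IPA.LOCAL", "gss")
    return before, after  # (65534, 1001): nobody until the realm is declared local
```

The first value is why files show up as nobody:nobody when the realm suffix is not listed as local; the second is the expected mapping once it is.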


> On Oct 3, 2023, at 16:10, Kevin Vasko via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> I actually did this recently.
> 
> Full working settings configuration in TrueNAS Scale. You will need to create 
> a BIND account which I used "svcbind". The Aux Parameters are extremely 
> important otherwise your groups won't work correctly.
> 
> Directory Services
> 1. Hostname: ipa.site.example.com
> 2. Base DN: dc=site,dc=example,dc=com
> 3. Bind DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
> 4. Bind Password: <XXXXX>
> 5. Kerberos Realm: SITE.EXAMPLE.COM
> 6. Kerberos Principal: nfs/xxxx.site.example....@site.example.com
> 7. LDAP Timeout: 10
> 8. DNS Timeout: 10
> 9. Enable: [ x ]
> 10. Auxiliary Parameters
> ```
> base passwd cn=users,cn=accounts,dc=site,dc=example,dc=com
> base group cn=groups,cn=accounts,dc=site,dc=example,dc=com
> ```
> 11. Encryption Mode: off
> 12. Schema: RFC2307BIS
> 13. Validate Certificates: [x]
> 
> Advanced Settings
> 1. Idmap
>    1. Idmap Backend: LDAP
>    2. DNS Domain Name: site.example.com
>    3. Range Low: 100000001
>    4. Range High: 2000000000
>    5. Base DN: dc=site,dc=example,dc=com
>    6. LDAP User DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
>    7. LDAP User DN Password: <XXXXX>
>    8. URL: ipa.site.example.com
> 2. Kerberos Realms
>    1. Realm: SITE.EXAMPLE.COM
>    2. KDC: ipa.site.example.com
>    3. Admin Servers: ipa.site.example.com
> 3. Kerberos Settings
>    1. Libdefaults Auxiliary Parameters
> ```
> default_realm = SITE.EXAMPLE.COM
> dns_lookup_kdc = true
> allow_weak_crypto = true
> ```
> 4. Kerberos KeyTab
>    1. Name: xxxx.site.example.com.keytab
>    2. Add IPA Host: `ipa host-add nas-server.site.example.com --ip-address 10.75.37.2`
>    3. Add service: `ipa service-add NFS/emc-nas-server.site.example....@site.example.com`
>    4. Generate Keytab: `ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.site.example.com -k /tmp/emc-nas-server.keytab`
>    5. Upload to TrueNAS
> 
> I'm not sure of the idmap settings if they are actually useful but everything 
> worked even though we have overlapping IDs (which TrueNas Scale complains 
> about).
> 
> Helpful Link:
> https://www.freeipa.org/page/Howto/Integrating_Dell_EMC_Unity
> 
> On Tue, Oct 3, 2023 at 5:23 AM Francis Augusto Medeiros-Logeay via 
> FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>> 
>> 
>>> On 3 Oct 2023, at 11:50, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>> 
>>> On Tue, 03 Oct 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users 
>>> wrote:
>>>> 
>>>> 
>>>>> On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users 
>>>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>>> 
>>>>> On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users 
>>>>> wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 
>>>>>> shares with kerberos?
>>>>>> 
>>>>>> I manage to mount the shares, the folder seems to have the right 
>>>>>> permissions, but I get permission denied when trying to access the 
>>>>>> folder.
>>>>>> 
>>>>>> I am trying from a Fedora 37 client.
>>>>>> 
>>>>>> As this is potentially off-topic, I’d be glad to take the discussion 
>>>>>> off-list.
>>>>>> 
>>>>> 
>>>>> That's a very interesting subject. Just today we started looking at the 
>>>>> same thing.
>>>>> I have no idea yet how to do this, so I too would like to know if 
>>>>> somebody has succeeded to set this up.
>>>>> --
>>>>> Kees
>>>> 
>>>> Great! If it is ok with you, please keep in touch to share how/what you
>>>> accomplish.
>>>> 
>>>> Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem
>>>> a few versions ago where the tickets wouldn’t be renewed. It is fixed
>>>> now. So users and groups work.
>>>> 
>>>> The issue with TrueNAS, as I see it, is the idmapd configuration.
>>>> 
>>>> But I think we start to be very off topic, so don’t hesitate to mail me
>>>> directly if you want to discuss this.
>>> 
>>> I think it can be discussed here, no problem.
>> 
>> Thank you, I really appreciate this, since this is a thing I’ve been working 
>> on for quite some time, so it is really nice to have other eyes on it.
>> 
>>> My understanding is that TrueNAS Scale uses Debian as its base. It also
>>> uses Samba components for both client (users/groups identities)
>>> integration and server (SMB shares) integration. For SMB-related
>>> configuration one can have a pretty decent setup with Samba-driven
>>> identity management, so you can define idmap ranges, plugins, etc.
>>> 
>>> For NFS case, I don't see them defining any idmapd config. If winbindd
>>> is in use already and those users/groups are provided through nsswitch,
>>> then default idmapd.conf configuration should work just fine because
>>> it'll do UID <-> kerberos principal name translation using nsswitch.
>> 
>> One of my problems is that I have a realm which is IPA.LOCAL. But my 
>> machines are machine.local. I believe that in such situations I need to 
>> define the Local-Realms attribute of the idmapd.conf, but that isn’t 
>> possible on the GUI. So what happens is that when I change that on the 
>> /etc/idmapd.conf of TrueNAS, the permissions seem to be fine, but I still 
>> can’t access the folder. And after a few minutes, the idmapd.conf of TrueNAS 
>> gets overwritten and my permissions get messed up again, and then the 
>> folders are owned by nobody:nobody.
>> 
>> But even when the permissions are right, I still can’t access the folder. I 
>> think it might be the ACL on TrueNAS side, but I tried with all types of ACL 
>> to no avail.
>> 
>> Best,
>> 
>> Francis
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: 
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: 
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam, report it: 
>> https://pagure.io/fedora-infrastructure/new_issue
