On Tue, 18 Jun 2024, Yossi Hayat via FreeIPA-users wrote:
Hi,
To centrally manage all credentials from Active Directory, we
configured FreeIPA integration with Active Directory to authenticate
users to IPA-joined Linux machines via SSSD using AD credentials.
The Linux machines have NFS shares mounted on their local filesystems
which we use to work in a sharable way. We have configured FreeIPA "ID
Views" for each user to override the AD-originating generic UID and GID
with shorter UID and GID values. This is to preserve IPA-authenticated
users' NFS permissions that were inherited from the previous Linux
directory management system (NIS) we used and for simplicity.
When working locally or remotely (SSH/VNC) on the Linux machines,
everything is working as expected with no issues.
Our problem is with SMB: we need to share the NFS shares over SMB for
direct File Explorer access for Windows users. For this purpose, we
have an Ubuntu machine we use as an SMB server. The server is joined
to IPA as a client and has all NFS shares mounted locally on its
filesystem.
The ideal way is to somehow configure SMB to forward authentication to
IPA (as if it were a local/SSH authentication to the server) and map the
ID views user and group IDs to preserve permissions. We searched all over
the internet and didn't find a working solution for this use case.
Is this supported? If yes, how can this be implemented?
Re-exporting NFS via SMB is not supported.
For normal SMB shares of non-network disk content, if you set things
up as described in [1], access to those shares will be supported from
Linux systems enrolled into the IPA domain. For access from Windows systems
there is currently no support: some operations might work, but any
attempt to resolve user/group identities and configure permissions from
Windows clients will not work/might fail.
[1]
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm
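The original post relies on ID views to keep numeric UIDs/GIDs stable, and NFS enforces permissions on exactly those numbers, so the check worth running before exposing such data from a second host (here, the Samba server) is whether every host resolves each user to the same UID/GID. The script below is an added example for this thread, not code from either message or from FreeIPA/Samba; it parses `getent passwd` output captured on two IPA-enrolled hosts and reports disagreements. It uses only the Python standard library, and the user names, domain, host roles and UID/GID values are constructed placeholders.

```python
"""Cross-host identity consistency check for NFS data exposed via Samba.

Added example for this thread, not from the original post or from FreeIPA/Samba.
Permissions on NFS exports are enforced on numeric UID/GID, so an ID-view
override (short UID/GID replacing the AD-derived one) only preserves access
when every host that touches the share resolves the user to the same numbers.
All sample `getent passwd` output below is constructed; names and IDs are
placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    uid: int
    gid: int


def parse_getent_passwd(text: str) -> dict:
    """Parse `getent passwd` style lines (name:x:uid:gid:gecos:home:shell)."""
    ids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _pw, uid, gid, _gecos, _home, _shell = fields
        ids[name] = Identity(name, int(uid), int(gid))
    return ids


def compare_hosts(reference: dict, candidate: dict) -> list:
    """Return (user, problem) pairs where the candidate host disagrees with the
    reference host. Any disagreement means files created on one host show a
    different owner (or no resolvable owner) on the other."""
    problems = []
    for name, ref in reference.items():
        other = candidate.get(name)
        if other is None:
            problems.append((name, "not resolvable on candidate host"))
            continue
        if other.uid != ref.uid:
            problems.append((name, f"uid {other.uid} != {ref.uid}"))
        if other.gid != ref.gid:
            problems.append((name, f"gid {other.gid} != {ref.gid}"))
    return problems


def owner_name(uid: int, ids: dict):
    """Name a host would display for a file owned by `uid`, or None when the
    UID maps to no known user (a typical symptom of a missing ID view)."""
    for ident in ids.values():
        if ident.uid == uid:
            return ident.name
    return None


# Constructed sample: the NFS client applies the ID view (short IDs) for both
# users; the Samba host only has the override for alice, so bob still shows
# the large AD-derived UID/GID produced by SSSD's automatic SID mapping.
NFS_CLIENT_GETENT = """\
alice@ad.example.com:*:1001:1001:Alice Example:/home/alice:/bin/bash
bob@ad.example.com:*:1002:1002:Bob Example:/home/bob:/bin/bash
"""

SAMBA_HOST_GETENT = """\
alice@ad.example.com:*:1001:1001:Alice Example:/home/alice:/bin/bash
bob@ad.example.com:*:1685600512:1685600513:Bob Example:/home/bob:/bin/bash
"""


def run_check() -> list:
    """Compare the constructed captures; returns the mismatch list."""
    nfs = parse_getent_passwd(NFS_CLIENT_GETENT)
    smb = parse_getent_passwd(SAMBA_HOST_GETENT)
    return compare_hosts(nfs, smb)


if __name__ == "__main__":
    for user, problem in run_check():
        print(f"MISMATCH {user}: {problem}")
    # A file bob created over NFS (uid 1002) has no known owner on the Samba host.
    smb_ids = parse_getent_passwd(SAMBA_HOST_GETENT)
    print("uid 1002 on Samba host ->", owner_name(1002, smb_ids))
```

In practice the two inputs would be the real `getent passwd <user>` output from the NFS client and from the Samba host; an empty mismatch list is the precondition for the ID-view approach to preserve NFS permissions on a share, regardless of which protocol serves it.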
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue