On Tue, June 28, 2011 20:14, Natxo Asenjo wrote:
> On Tue, Jun 28, 2011 at 6:35 PM, Sigbjorn Lie <sigbj...@nixtra.com> wrote:
>> In my NexentaStor configuration, the NFS service is using FreeIPA 
>> (nss_ldap+krb5), and the CIFS
>>  service is using Active Directory (nss_ad) for user authentication.
> that is awesome! Could you write an instruction of how you did that?
> Next month a big server with plenty of disks will be decommissioned
> and I want to take a look at nexentastor, and kerberos would be a big plus.

Sorry for the late reply, I've been away travelling, and this email required more than 2 minutes to write. :)

Making NexentaStor speak to AD and LDAP/IPA is easy; adding krb5 for NFS is a bit more tricky.

First part: CIFS + NFS no-kerberos:

Configure the CIFS service to join AD, and configure the LDAP client to point at IPA. Use the following configuration for LDAP.

REMEMBER to edit /etc/nsswitch.ldap before applying the LDAP configuration. Failing to do so will freeze NexentaStor, as all services will be configured to use LDAP, and maps such as protocols and services are not served by IPA. You'll do this in a shell using expert_mode in the NMC. The only maps in /etc/nsswitch.ldap that should be configured for ldap lookup are passwd, group, and

Make the following changes under Settings -> Misc Services -> LDAP client:
LDAP config type: manual
Profile name: <none>
Groups Service Descriptor: cn=groups,cn=compat,dc=ix,dc=test,dc=com
Netgroup Service Descriptor: cn=ng,cn=compat,dc=ix,dc=test,dc=com
Credential Level: anonymous
Domain name: <none>
Base DN: dc=ix,dc=test,dc=com
LDAP Authentication password: <none>
LDAP Servers: ipa01.ix.test.com, ipa02.ix.test.com
Authentication Method: none
Proxy DN: <none>
Proxy Password: <none>
Users Service Descriptor: cn=users,cn=compat,dc=ix,dc=test,dc=com

In a shell using expert_mode, edit the nsswitch.conf as the following:
passwd:   files ldap ad
group:    files ldap ad

This will make Nexenta look for Unix accounts and groups in IPA first, before looking up the rest from Active Directory.

Second part, adding kerberos to NFS: NFS + KRB5:
After the server has been joined to AD, scp the /etc/krb5/krb5.keytab file from the NexentaStor server to the IPA server. Add a host entry for the NexentaStor server to IPA, retrieve the kerberos keytab and add the keys to the krb5.keytab file copied from the NexentaStor machine. This is required as the NFS service and the CIFS service share the same krb5.keytab.

$ ipa-getkeytab -s ipa-server -p nexentastorserver.fqdn -k 

scp the modified krb5.keytab file back into the NexentaStor server at 

Edit /etc/nsswitch.conf again, make sure "ad" is still present for passwd and group; if not, add it back in.

Remove /etc/krb5/krb5.conf,v (a bug in NexentaStor makes this file re-appear with old contents, even if it's edited through the NMC).

Edit /etc/krb5/krb5.conf, add a section under [realms] for your IPA domain. I've specified admin_server, kdc, and kpasswd_server for all my IPA servers.
Add "allow_weak_crypto = true" under libdefaults to widen the support for Linux 
Set "default_realm = IPA-REALM-CAPITAL-LETTERS"
Add a section for the IPA domain under [domain_realm]:

Edit /etc/defaultdomain, create the file if it does not exist already, and add the IPA domain.

Edit /etc/resolv.conf:
search addomain.com ipadomain.com
domain addomain.com
nameserver <ipa-dns-ip>
nameserver <ad-dns-ip>

I have also configured my IPA DNS server to forward any requests for my AD domain directly to the AD DNS servers. This should not be required if your domains are delegated properly, but it speeds AD requests up a bit. :)

The addomain must be the first domain listed to make the nss_ad module work.

Switch back to the NMC, and edit the nfs defaults file:
NMC: $ setup network service nfs-server edit-settings

Uncomment and modify:

Restart the NFS service.
NMC $ setup network service nfs-server restart

That's it. Your NexentaStor server will now look up LDAP/IPA users and groups first, and then generate UIDs/GIDs for any other users/groups only found in AD.
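A krb5.conf laid out the way the steps above describe, added here as an example and not taken from the original mail: the realm IX.TEST.COM and the ipa01/ipa02 hosts are assumed from the LDAP settings earlier in the message, ADDOMAIN.COM stands in for the AD realm, and the AD [realms] entry that the CIFS join already created is left as the join wrote it. allow_weak_crypto turns on DES-class enctypes for every realm in the file, so it is worth keeping only while a client actually needs it and removing once all NFS clients negotiate AES.

```ini
# /etc/krb5/krb5.conf on the NexentaStor host (constructed example).
# Realm and host names are assumed from the LDAP settings in the mail.
[libdefaults]
    # Realm the NFS service and local tools default to (capital letters).
    default_realm = IX.TEST.COM
    # Widens enctype support for older Linux NFS clients; drop this line
    # once every client can use AES.
    allow_weak_crypto = true

[realms]
    # One block for the IPA realm, listing every IPA server for each role.
    IX.TEST.COM = {
        kdc = ipa01.ix.test.com
        kdc = ipa02.ix.test.com
        admin_server = ipa01.ix.test.com
        admin_server = ipa02.ix.test.com
        kpasswd_server = ipa01.ix.test.com
        kpasswd_server = ipa02.ix.test.com
    }
    # ADDOMAIN.COM = { ... }   left exactly as the CIFS/AD join wrote it

[domain_realm]
    # Map the IPA DNS domain (and hosts directly in it) to the IPA realm;
    # the AD domain keeps mapping to the AD realm.
    .ix.test.com = IX.TEST.COM
    ix.test.com = IX.TEST.COM
    .addomain.com = ADDOMAIN.COM
    addomain.com = ADDOMAIN.COM
```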


Freeipa-users mailing list
