Thanks, so I will remove the sec=sys bit and re-test... and then I assume it will
be Kerberos only...

However, in effect what we are saying is we can't protect an IPA user's files if
we have to allow a non-IPA user to connect? It's ALL Kerberos or nothing? Kind
of makes sense...

Also then the 6.3admin beta manual is wrong then IMHO, all that work to do
Kerberos and adding sec=sys negates it all, so it's pointless... don't think that
should be there myself in that case.

The next phase is for me to connect to a BLUEARC NAS, in which case it's
suggesting I can't secure NFS, i.e. users' data, at all...


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Nalin Dahyabhai [na...@redhat.com]
Sent: Thursday, 10 May 2012 9:43 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] insecure IPA'd NFS

On Wed, May 09, 2012 at 09:16:45PM +0000, Steven Jones wrote:
> I just set up a RHEL6 server as an NFS server and I have 2 x RHEL6
> workstation clients doing NFS via automount as per section 10.3 admin
> guide 6.3beta... all good until I use an Ubuntu client to "attack it"
> I find the non-IPA's Ubuntu client can delete, alter and edit
> files... kind of Oops... I think there is a stage missing in the doc
> or a bug... can someone have a look at that doc and tell me if a
> step is missing please?

What was the exact command used to mount the filesystem at the client,
and what are the contents of the mountpoint's entry in /proc/mounts on
the client after it's been mounted?

The guide lists "sys" as one of the security flavors when it shows an
example entry in /etc/exports (I guess, because it's demonstrating
adding Kerberos settings to a previously-configured export), which I
suspect is at least part of it.



Freeipa-users mailing list
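
As an added example (not part of the thread, and not FreeIPA or Red Hat code): a small Python audit that lists which clients of each export can still use AUTH_SYS, either because `sys` is listed in `sec=` next to the Kerberos flavors, or because no `sec=` is given, in which case exports(5) defaults to `sys`. The export lines are constructed and the function names are hypothetical; `-options` defaults, quoted paths and line continuations are not handled.

```python
import re

KERBEROS = {"krb5", "krb5i", "krb5p"}

def flavors_per_client(line):
    """Return [(path, client, [flavors])] for one /etc/exports line."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return []
    path, *specs = line.split()
    out = []
    for spec in specs:
        if spec.startswith("-"):
            # Fail closed instead of guessing how defaults combine.
            raise ValueError("default '-options' syntax is not handled: " + spec)
        m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
        if m is None:
            raise ValueError("unparsable client spec: " + spec)
        client, opts = m.group(1) or "*", m.group(2) or ""
        flavors = []
        for value in re.findall(r"(?:^|,)sec=([^,]+)", opts):
            flavors += value.split(":")
        out.append((path, client, flavors or ["sys"]))  # no sec= means sys
    return out

def audit(text):
    """Return (line_no, path, client, non_kerberos_flavors) for weak entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for path, client, flavors in flavors_per_client(line):
            weak = [f for f in flavors if f not in KERBEROS]
            if weak:
                findings.append((n, path, client, weak))
    return findings

SAMPLE = """\
# constructed sample, not taken from the thread
/export   *(rw,sec=sys:krb5:krb5i:krb5p)
/home     *.example.com(rw,sec=krb5p)
/scratch  192.0.2.0/24(rw)
/mixed    *(rw,sec=krb5p) 198.51.100.7(ro,sec=sys)
"""

if __name__ == "__main__":
    for n, path, client, weak in audit(SAMPLE):
        print(f"line {n}: {path} for {client} accepts {','.join(weak)}")
```

On the client side, the `sec=` value in the mountpoint's `/proc/mounts` entry shows which flavor was actually negotiated.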
