Removed the sys: and now no IPA'd client can mount.....oh joy....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: [email protected] [[email protected]] on behalf of Steven Jones [[email protected]]
Sent: Thursday, 10 May 2012 10:18 a.m.
Cc: [email protected]
Subject: Re: [Freeipa-users] insecure IPA'd NFS

Hi,

Thanks, so I will remove the sec=sys bit and re-test..and then I assume it will be Kerberos only.....

However, in effect what we are saying is we can't protect an IPA user's files if we have to allow a non-IPA user to connect? It's ALL Kerberos or nothing? Kind of makes sense.....

Also then the 6.3admin beta manual is wrong then IMHO, all that work to do Kerberos and adding sec=sys negates it all, so it's pointless...don't think that should be there myself in that case.

The next phase is for me to connect to a BLUEARC NAS, in which case it's suggesting I can't secure NFS, i.e. users' data, at all....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: [email protected] [[email protected]] on behalf of Nalin Dahyabhai [[email protected]]
Sent: Thursday, 10 May 2012 9:43 a.m.
To: Steven Jones
Cc: [email protected]
Subject: Re: [Freeipa-users] insecure IPA'd NFS

On Wed, May 09, 2012 at 09:16:45PM +0000, Steven Jones wrote:
> I just set up a RHEL6 server as an NFS server and I have 2 x RHEL6
> workstation clients doing NFS via automount as per section 10.3 admin
> guide 6.3beta....all good until I use an Ubuntu client to "attack it"
> I find the non-IPA'd Ubuntu client can delete, alter and edit
> files......kind of Oops....I think there is a stage missing in the doc
> or a bug.......can someone have a look at that doc and tell me if a
> step is missing please?

What was the exact command used to mount the filesystem at the client,
and what are the contents of the mountpoint's entry in /proc/mounts on
the client after it's been mounted?

The guide lists "sys" as one of the security flavors when it shows an
example entry in /etc/exports (I guess, because it's demonstrating
adding Kerberos settings to a previously-configured export), which I
suspect is at least part of it.

HTH,

Nalin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
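
Added example (not part of the original thread, and not code from FreeIPA or the Red Hat guide): a small Python check for the situation Nalin describes, an /etc/exports entry whose sec= list still contains "sys" next to the Kerberos flavors. The sample exports content, paths and hostnames are constructed; the parser is a simplification that assumes one export per line, no quoted paths, and that a client entry with no sec= option is served with sys.

```python
import re

GSS = {"krb5", "krb5i", "krb5p"}  # Kerberos (RPCSEC_GSS) flavors

# Constructed sample /etc/exports content; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# Kerberos flavors added to an existing export, "sys" left in place
/export        *(rw,sec=sys:krb5:krb5i:krb5p)
/export/home   *(rw,sec=krb5:krb5i:krb5p)
/export/legacy client.example.com(rw,sync)
/export/mixed  *(rw,sec=krb5p) 192.0.2.0/24(ro,sec=sys)
"""

def flavors(options):
    """Return every security flavor named in one client's option string."""
    found = set()
    for opt in options.split(","):
        opt = opt.strip()
        if opt.startswith("sec="):
            found.update(opt[4:].split(":"))
    return found or {"sys"}  # assumption: no sec= means the export uses sys

def audit(text):
    """List (path, client, non-Kerberos flavors) for each weak client entry."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.fullmatch(r"([^()]*)\((.*)\)", client)
            host, opts = (m.group(1) or "*", m.group(2)) if m else (client, "")
            weak = flavors(opts) - GSS
            if weak:
                # Any client matching `host` can mount without a Kerberos ticket
                findings.append((path, host, sorted(weak)))
    return findings

if __name__ == "__main__":
    for path, host, weak in audit(SAMPLE_EXPORTS):
        print(f"{path}: {host} may mount with {','.join(weak)}")
```

An empty result means every client entry in the checked text is limited to krb5, krb5i or krb5p.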
