On Fri, 2012-12-07 at 13:40 +0100, Ondrej Valousek wrote:
> Three notes:
> 
> 1.
> /export *(rw,sec=krb5,no_subtree_check,no_root_squash)
> is better than
> /export gss/krb5(rw,no_subtree_check,no_root_squash)

It would be even better with root_squash imo :-)
(as a default)

> 2. Kerberos library is still too picky about reverse DNS records -
> i.e. if the reverse DNS does not match the principal name in keytab,
> you are most likely to fail.

Can you open bugs about this?
We do our best to make it work, unfortunately we have encountered time
and again bugs all the way down to glibc (where we still have one to
date :-/ ).

> 3. We should still mention the rpc.idmapd settings I think - people
> are still used to nfsv3 so this might be confusing to them.

Yes, we discovered recently that for some reason rpc.idmapd is hell-bent
on looking only at its own config file and requires you set the default
Kerberos realm and doesn't ask libkrb5 for the default realm.
So if you do not set it there it fails.
We want to change this in time, but for the time being and on RHEL5/6
and current Fedoras it is what it is.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
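
Added example (not part of the original message and not FreeIPA code): a small Python audit of an exports file body that flags the two points from note 1, the gss/krb5 pseudo-client form and no_root_squash, plus entries that offer no krb5 flavor at all. The sample text and the finding names are constructed; quoted paths and "-" default-option entries are assumed not to occur.

```python
import re

# One "client(options)" entry; a bare client without parentheses uses defaults.
ENTRY = re.compile(r"(?P<client>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")

def audit_exports(text):
    """Return (path, client, finding) tuples for the body of an exports file."""
    findings = []
    text = text.replace("\\\n", " ")          # trailing backslash continues a line
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue                          # blank, comment, or no client entry
        path = tokens[0]
        for tok in tokens[1:]:
            m = ENTRY.fullmatch(tok)
            if m is None:
                findings.append((path, tok, "unparsed"))
                continue
            client = m.group("client") or "*"  # "(opts)" alone means any client
            opts = (m.group("opts") or "").split(",")
            flavors = []                       # no sec= means the default, sys
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")  # e.g. sec=krb5:krb5i:krb5p
            if client.startswith("gss/"):
                # older pseudo-client form; the flavor is in the client name
                findings.append((path, client, "legacy-gss-client"))
                flavors = flavors or [client[4:]]
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if not any(f.startswith("krb5") for f in flavors):
                findings.append((path, client, "no-krb5"))
    return findings

# Constructed sample, modelled on the two lines quoted in the message.
SAMPLE = """\
# constructed sample exports
/export   gss/krb5(rw,no_subtree_check,no_root_squash)
/export2  *(rw,sec=krb5,no_subtree_check,no_root_squash)
/export3  *(rw,sec=krb5:krb5i:krb5p,no_subtree_check)
/legacy   192.0.2.0/24(rw,sync)
"""

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE):
        print(f"{path} {client}: {finding}")
```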