>You raise a good point regarding kinit - do I have to be kinit'ed in as anybody
>before trying to mount the share?  I thought as the host and service principals
>are in the /etc/krb5.keytab I didn't need to specifically authenticate against
> the IPA server? - I might be showing a fundamental lack of knowledge on how
> this all works, so would be good if someone could confirm or clarify this.

The big feature of NFSv4 w/krb security is per-user 
authentication/authorization. NFSv4 with sec=sys (and all NFS <4) use 
host-based authorization. I'm pretty sure you should be able to mount the NFS 
export without 'kinit'ing, but I'm also pretty sure it should look empty (or 
even give you "permission denied" until you kinit to someone authorized to 
access it.

I see you "kinit"ed to "admin@EXAMPLE.LOCAL". If I'm not mistaken, this means 
that when you create files, NFS communicates the owner as 
"admin@example.local". Your idmappers are probably trying to translate this to 
a local account called "admin" whenever evaluating permissions. If nfs-client 
and nfs-server can both "getent passwd admin" successfully, then you're 
probably OK. Otherwise, sssd may need some work...

But that shouldn't interfere with just mounting the share. (I just checked on 
my little test setup.) My little test setup doesn't involve IPA, it's just a 
couple of fedora20 VMs with mit krb5 and an nfs server. I did google this: 

Note the part about the campus windows AD admins setting the 
NO_AUTH_DATA_REQUIRED flag for the machine accounts in AD. Is preauth turned 
off for your nfs/nfs-client.... and nfs/nfs-server... principals? I fear I'm 
ignorant of how this is done in IPA.


This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 

Freeipa-users mailing list

Reply via email to