On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote:
> Hello,
>
> I'm a bit at a loss with my freeipa kerberized nfs4 shares.
>
> The nfs4 shares mount fine and users can read and write their files.
> However pulse audio does not work properly, and some programs fail to start.
> When logging in with a local account using a local homedrive
> pulseaudio works, and the programs also work.
> Also oddjob is not capable of creating a home dir for a new user.
>
> root is not allowed to write in the home mount on the client (mkdir
> test and touch test get a Permission denied)
>
> I don't think it's selinux, because setenforce 0 on the nfs-server and
> setenforce 0 on the nfs client did not help.
Indeed it is not selinux nor anything client related; when you use kerberized NFSv4 *all* accesses, including root, must be authenticated.
When your "local" root user tries to access the mount point, either it cannot authenticate or it uses the system keytab to authenticate; in both cases, w/o further configuration on the server these accesses are mapped to the nobody user or refused outright.

If you really want to trust *every* client to have full *root* access on your server then you need to make sure the client is using the host keytab when acting as root (default unless you pass -n to rpc.gssd), then you need to map explicitly the client's host keys to the root account on the server.

add:
host/client.host.name@YOUR.REALM = root
in the [static] section of idmapd.conf

See idmapd.conf(5) for details.

> freeipa policies seem to be working fine, sudo rules are applied the
> way I expect them.
> Logging in on all the machines works, automounting works like a charm,
> except for the situations described above.
>
> server details are below
>
> Anybody who can tell me what I've missed ?

What you've missed is simply that clients are not allowed to act as root on NFS mounts by default. It's a security issue, because a compromised client can then do what it wants with all NFS shared data regardless of user permissions.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
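As an added example that is not part of this thread: a small shell audit that parses the [Static] section of an idmapd.conf and lists which Kerberos principals have been mapped to root, i.e. exactly which client hosts the mapping described above has been granted full root on the exports. The sample file contents, hostnames and realm are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list the principals an idmapd.conf
# [Static] section maps to a local user (default root). Every principal
# mapped to root is a client host with full root over the kerberized exports.
# Assumes the INI layout of idmapd.conf(5): [Section] headers, "key = value"
# lines, '#' comments; section names are matched case-insensitively.

# usage: static_mappings_to <idmapd.conf> [localuser]
static_mappings_to() {
    conf=$1
    target=${2:-root}
    awk -v target="$target" '
        /^[[:space:]]*#/ { next }                   # comment line
        /^[[:space:]]*\[/ {                         # section header
            hdr = $0; gsub(/[[:space:]]/, "", hdr)
            insec = (tolower(hdr) == "[static]")
            next
        }
        insec && /=/ {
            n = index($0, "=")
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (val == target) print key
        }
    ' "$conf"
}

# Constructed sample configuration (hostnames and realm are placeholders).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[General]
Domain = example.test

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Static]
# each line below hands that client host full root on every export
host/client1.example.test@EXAMPLE.TEST = root
host/client2.example.test@EXAMPLE.TEST = root
nfs/backup.example.test@EXAMPLE.TEST = backup
EOF

echo "Principals mapped to root in $SAMPLE_CONF:"
static_mappings_to "$SAMPLE_CONF"
```

Run it against the server's real /etc/idmapd.conf to confirm that only the intended client host principals, and nothing else, are mapped to root.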