Hi Simo,

Thanx for the quick answer, I will consider the root implications. However, what about pulseaudio not working? The logs complain about that one not being able to write in home as well.

Rob

2014-06-20 18:27 GMT+02:00 Simo Sorce <s...@redhat.com>:
> On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote:
>> Hello,
>>
>> I'm a bit at a loss with my freeipa kerberized nfs4 shares.
>>
>> The nfs4 shares mount fine and users can read and write their files.
>> However pulseaudio does not work properly, and some programs fail to start.
>> When logging in with a local account using a local homedrive
>> pulseaudio works, and the programs also work.
>> Also oddjob is not capable of creating a home dir for a new user.
>>
>> root is not allowed to write in the home mount on the client (mkdir
>> test and touch test get a Permission denied).
>>
>> I don't think it's selinux, because setenforce 0 on the nfs-server and
>> setenforce 0 on the nfs client did not help.
>
> Indeed it is not selinux nor anything client related; when you use
> kerberized NFSv4 *all* accesses including root must be authenticated.
>
> When your "local" root user tries to access the mount point, either it
> cannot authenticate or it uses the system keytab to authenticate; in
> both cases, w/o further configuration on the server these accesses are
> mapped to the nobody user or refused outright.
>
> If you really want to trust *every* client to have full *root* access on
> your server then you need to make sure the client is using the host
> keytab when acting as root (default unless you pass -n to rpc.gssd), then
> you need to map explicitly the client's host keys to the root account
> on the server.
> Add:
> host/client.host.name@YOUR.REALM = root
> in the [static] section of idmapd.conf
>
> See idmapd.conf(5) for details.
>
>> freeipa policies seem to be working fine, sudo rules are applied the
>> way I expect them.
>> Logging in on all the machines works, automounting works like a charm,
>> except for the situations described above.
>>
>> Server details are below.
>>
>> Anybody who can tell me what I've missed?
>
> What you've missed is simply that clients are not allowed to act as root
> on NFS mounts by default. It's a security issue, because a compromised
> client can then do what it wants with all NFS shared data regardless of
> user permissions.
>
> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
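The [Static] mapping Simo describes is exactly the line an administrator should be able to find again later, since every such entry hands one client host root on all exported data. The following is an added example (not code from this thread or from FreeIPA/nfs-utils) that parses an idmapd.conf in the format given by idmapd.conf(5) and lists the principals mapped to root; the hostnames and realm in the embedded sample are constructed placeholders, and it assumes the section and option names used in that man page.

```python
"""Audit an idmapd.conf [Static] section for principals mapped to root.

Added example, not code from this thread. [Static] lines read
`principal@REALM = localuser`, and the section is only consulted when
"static" appears in the [Translation] Method list, so that is checked too.
Hostnames and the realm in the sample are constructed placeholders.
"""
import configparser

# Constructed sample: one client host granted root, one left as nobody.
SAMPLE_IDMAPD_CONF = """\
[General]
Domain = example.test

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch,static

[Static]
host/desktop1.example.test@EXAMPLE.TEST = root
host/desktop2.example.test@EXAMPLE.TEST = nobody
alice@EXAMPLE.TEST = alice
"""


def _load(conf_text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep principal names exactly as written
    cp.read_string(conf_text)
    return cp


def _section(cp, name):
    # Section names are matched case-insensitively ([static] or [Static]).
    return next((s for s in cp.sections() if s.lower() == name), None)


def static_enabled(conf_text):
    """True if the static translation method is active at all."""
    cp = _load(conf_text)
    sec = _section(cp, "translation")
    methods = cp.get(sec, "Method", fallback="nsswitch") if sec else "nsswitch"
    return "static" in [m.strip().lower() for m in methods.split(",")]


def parse_static_mappings(conf_text):
    """Return {principal: localuser} from the [Static] section."""
    cp = _load(conf_text)
    sec = _section(cp, "static")
    return dict(cp.items(sec)) if sec else {}


def root_mapped_principals(conf_text):
    """Principals the server will treat as root; an empty list if static is inert."""
    if not static_enabled(conf_text):
        return []
    return sorted(p for p, u in parse_static_mappings(conf_text).items() if u == "root")
```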