I’m trying to get a client to respect an NFS4 ACL for a directory. I’ve got
users in FreeIPA that match a subset of users in AD. The NFS server is a
FreeBSD box that I’ve got config’ed to use FreeIPA as an LDAP service in
nsswitch for providing uids. I use setfacl there with just the uid. The
FreeIPA client with the NFS mount (not kerberized) is an Ubuntu 14.04 bound
to a FreeIPA 3.0 server (running on CentOS 6.5). I’ve got the FreeIPA 3.0
server configured with a trust with an AD domain. My krb5.conf has
dns_lookup_kdc = true and
auth_to_local = RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/
and my sssd.conf has the standard subdomains_provider = ipa and
services = ..., pac along with full_name_format = %1$s to strip the
realm name off when displaying the username. From what
I understand about NFS ACLs, they should respect the uid reported, which
matches, and ignore uidnumbers (which don’t match). From the FreeIPA client
I can authenticate as an AD user, but I still don’t have access to the NFS
directory with ACLs that should allow me to read. When I do a getfacl on
the NFS server I get just the uid, but when I do nfs4_getfacl on the
FreeIPA/NFS client I get uid@ipa.realm (and no access to the directory).

Am I missing something?

Best!

===================================

Daniel Shown,
Linux Systems Administrator
Advanced Technology Group
Information Technology Services <http://www.slu.edu/its>
at Saint Louis University <http://www.slu.edu/>.

314-977-2583

===================================

“The aim of education
is the knowledge,
not of facts,
but of values.”
— William S. Burroughs

“I’m supposed to be
a scientific person
but I use intuition
more than logic
in making basic
decisions.”
— Seymour R. Cray
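The following is an added example and not part of the message above: a small evaluator for krb5.conf auth_to_local entries (RULE:[n:string](regexp)s/pattern/replacement/ and DEFAULT, as MIT krb5 documents them) plus a one-line rendering of sssd's full_name_format. It is applied to the rule quoted in the post with constructed principals; AD.DOMAIN, IPA.REALM and the user name jdoe are placeholders. The parser assumes the selector regexp contains no ')' and the substitution contains no escaped '/', which holds for the quoted rule.

```python
import re

# Added example (not from the original mailing-list post): a minimal evaluator
# for krb5.conf auth_to_local entries of the form
#   RULE:[n:string](regexp)s/pattern/replacement/[g]   and   DEFAULT
# Assumptions: the selector regexp contains no ')' and the s/// part contains
# no escaped '/', which is true for the rule quoted in the post.

# The rule from the post, with a placeholder AD realm (constructed sample).
EXAMPLE_RULES = [
    'RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/',
    'DEFAULT',
]


def _parse_rule(rule):
    """Split one RULE: entry into (n, format_string, selector_regex, subst)."""
    m = re.match(r'RULE:\[(\d+):([^\]]*)\]', rule)
    if not m:
        raise ValueError('unsupported auth_to_local entry: %r' % rule)
    n, fmt = int(m.group(1)), m.group(2)
    rest = rule[m.end():]
    selector = None
    if rest.startswith('('):
        close = rest.index(')')          # assumption: no ')' inside the regexp
        selector, rest = rest[1:close], rest[close + 1:]
    subst = None
    if rest:
        s = re.match(r's/([^/]*)/([^/]*)/(g?)$', rest)
        if not s:
            raise ValueError('unsupported substitution in %r' % rule)
        subst = (s.group(1), s.group(2), s.group(3) == 'g')
    return n, fmt, selector, subst


def auth_to_local(principal, rules, default_realm):
    """Return the local name krb5 would derive for principal, or None if no
    rule applies (krb5 would then refuse to map the principal)."""
    if '@' in principal:
        name, realm = principal.rsplit('@', 1)
    else:
        name, realm = principal, ''
    components = name.split('/')
    for rule in rules:
        if rule == 'DEFAULT':
            # DEFAULT only maps single-component principals in the default realm
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        n, fmt, selector, subst = _parse_rule(rule)
        if len(components) != n:
            continue                     # rule only applies to n-component names
        # $0 expands to the realm, $1..$n to the principal components
        candidate = re.sub(
            r'\$(\d+)',
            lambda mm: realm if mm.group(1) == '0'
            else components[int(mm.group(1)) - 1],
            fmt)
        if selector and not re.search(selector, candidate):
            continue                     # selector regexp did not match
        if subst:
            pattern, replacement, everywhere = subst
            candidate = re.sub(pattern, replacement, candidate,
                               count=0 if everywhere else 1)
        return candidate
    return None


def sssd_full_name(user, domain, fmt='%1$s'):
    """Render sssd's full_name_format: %1$s is the user, %2$s the domain."""
    return fmt.replace('%1$s', user).replace('%2$s', domain)


if __name__ == '__main__':
    for p in ('jdoe@AD.DOMAIN', 'jdoe@IPA.REALM',
              'nfs/server.example.test@IPA.REALM', 'jdoe@OTHER.REALM'):
        print('%-38s -> %r' % (p, auth_to_local(p, EXAMPLE_RULES, 'IPA.REALM')))
    print(sssd_full_name('jdoe', 'ad.domain'))            # jdoe
    print(sssd_full_name('jdoe', 'ad.domain', '%1$s@%2$s'))  # jdoe@ad.domain
```

Running this shows that the quoted rule turns jdoe@AD.DOMAIN into jdoe@ad.domain (the lower-cased realm is what sssd then hides with full_name_format = %1$s), that a principal in the IPA realm falls through to DEFAULT, and that a service principal or a principal from an unknown realm gets no mapping at all. Note that this covers only the Kerberos name mapping; the uid@ipa.realm strings seen in nfs4_getfacl come from NFSv4's own idmapping (rpc.idmapd / nfsidmap with its configured Domain), which is a separate translation step on each side of the mount and is not modelled here.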