On Mon, 11 Aug 2014, Daniel Shown wrote:
I’m trying to get a client to respect an NFS4 ACL for a directory. I’ve got
users in FreeIPA that match a subset of users in AD. The NFS server is a
FreeBSD box that I’ve got config’ed to use FreeIPA as an LDAP service in
nsswitch for providing uids. I use setfacl there with just the uid. The
FreeIPA client with the NFS mount (not kerberized) is an Ubuntu 14.04 bound
to a FreeIPA 3.0 server (running on CentOS 6.5). I’ve got the FreeIPA 3.0
server configured with a trust with an AD domain. My krb5.conf has
dns_lookup_kdc = true and
auth_to_local = RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/
and my sssd.conf has the standard subdomains_provider = ipa and
services = ..., pac along with a full_name_format = %1$s to strip the
realm name off when displaying the username. From what
I understand about NFS ACLs, they should respect the uid reported, which
matches, and ignore uidnumbers (which don’t match). From the FreeIPA client
I can authenticate as an AD user, but I still don’t have access to the NFS
directory with ACLs that should allow me to read. When I do a getfacl on
the NFS server I get just the uid, but when I do nfs4_getfacl on the
FreeIPA/NFS client I get uid@ipa.realm (and no access to the directory).

Am I missing something?
There is a bug in NFS ID mapping code that prevents this use case from
working. It should be fixed in recent libnfsidmap releases but I'm not
sure it is already available in CentOS 6.5.
--
/ Alexander Bokovoy
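Added example, not part of the thread or of any FreeIPA/MIT code: a small evaluator for MIT krb5 auth_to_local rules of the shape quoted in the question (RULE:[n:format](selector)s/pattern/replacement/[g]), so you can see what a rule produces for a given principal before relying on it. AD.DOMAIN / ad.domain are the placeholders from the question; the evaluator assumes principals are written as comp1/comp2@REALM with no escaped separators, that the selector regex must match the whole formatted string, and that the sed replacement is plain text (no & or back-references). It does not touch NFSv4 ID mapping at all, which is the layer the reply says is broken.

```python
import re

# Added example (not from the mailing-list thread): simplified evaluator for
# MIT krb5 auth_to_local rules of the form
#   RULE:[n:format](selector-regex)s/pattern/replacement/[g]
# Assumptions: principals look like "comp1/comp2@REALM" with no escaped
# separators, the selector must match the whole formatted string, and the
# replacement text is literal (no "&" or "\1").

# The rule quoted in the question, with the question's own placeholders.
KRB5_RULE = 'RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/'

RULE_RE = re.compile(
    r'RULE:\[(?P<ncomp>\d+):(?P<fmt>[^\]]*)\]'    # [n:format]
    r'(?:\((?P<sel>.*)\))?'                        # optional (selector)
    r'(?P<seds>(?:s/[^/]*/[^/]*/g?)*)'             # zero or more s/pat/repl/[g]
)
SED_RE = re.compile(r's/([^/]*)/([^/]*)/(g?)')


def split_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, sep, realm = principal.rpartition('@')
    if not sep:
        raise ValueError('principal has no realm: %r' % principal)
    return name.split('/'), realm


def auth_to_local(rule, principal):
    """Apply one RULE: entry to a principal.

    Returns the local name the rule yields, or None when the rule does not
    apply (wrong number of components, or the selector does not match),
    which is when krb5 would move on to the next rule."""
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError('unparseable rule: %r' % rule)
    comps, realm = split_principal(principal)
    if len(comps) != int(m.group('ncomp')):
        return None

    # $0 is the realm, $1..$n are the principal components.
    def expand(v):
        i = int(v.group(1))
        return realm if i == 0 else comps[i - 1]

    formatted = re.sub(r'\$(\d+)', expand, m.group('fmt'))

    sel = m.group('sel')
    if sel is not None and re.fullmatch(sel, formatted) is None:
        return None

    # Apply the sed-style substitutions in order; "g" replaces every match.
    for pat, repl, g in SED_RE.findall(m.group('seds')):
        formatted = re.sub(pat, lambda _: repl, formatted,
                           count=0 if g else 1)
    return formatted


if __name__ == '__main__':
    # Constructed sample principals: an AD user, an IPA user, and a 2-part
    # service principal that the [1:...] rule must leave alone.
    for p in ('user@AD.DOMAIN', 'user@IPA.REALM', 'host/nfs@AD.DOMAIN'):
        print('%-22s -> %s' % (p, auth_to_local(KRB5_RULE, p)))
```

Run it as a script to see that only one-component principals from the AD realm are rewritten (to user@ad.domain, matching the lower-case form sssd uses), while IPA principals and service principals fall through to the next rule. If the name printed here does not match what `getent passwd` returns on the client, the Kerberos-to-local mapping is the first thing to fix; if it does match and the NFS client still shows uid@ipa.realm with no access, the problem is in the NFSv4 idmap layer, as the reply above states.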

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project