Hi Alexander,

Thanks for the link. I read through it again, and I am still stuck on the rpcgss service on the server... I don't know how to properly restart it. The service in the documents is "service nfs-secure-server enable" (FC16) or rpcsvcgssd.service (RH7), but I cannot enable it using those.

I killed the rpc.gssd process on the client and restarted it manually with "rpc.gssd -vvv", which gave me more output. There is a flag set in /etc/sysconfig/nfs which should already have been giving that output, but it never took effect, even though I restarted nfs-server and nfs-secure-server. What is the right way to restart rpcgssd.service and rpcsvcgssd.service?

Anyway, after manually killing and executing rpc.gssd, the homedir automounts with krb5p when I ssh to the machine (yay - first time!), but the files are owned by nobody. I cannot access the files as the owner. The UID of the file owner is low (between 500 and 1000), so I had to change the user's UID just to be able to log in (<1000 is blocked by PAM). Maybe the fact that a user with a matching UID doesn't exist is causing a problem in mapping the files' owner to a user? If so, how do I most efficiently map the name of the file owner to the user with a different numerical UID? I had hoped the Kerberos auth might handle this for me.

The homedir does not mount when I su from root (not particularly a problem, but it was muddling the issue). This clued me in: rpc.gssd: No key table entry found for root/nfsclient.domain.tld.

Thank you!
Joanna

On Fri, Jul 1, 2016 at 3:59 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Fri, 01 Jul 2016, Joanna Delaporte wrote:
>
>> I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
>> starting to wonder if I don't have HBAC rules set up correctly. I
>> installed freeIPA with --no_hbac_allow.
>>
>> I have an HBAC service defined as an nfs service:
>> $ ipa hbacsvc-add --desc="NFS service" nfs
>>
>> I have an HBAC rule that allows all users to access all services on a group
>> of hosts. My nfsclient is in that group.
>>
>> Is that enough to allow users rights to mount nfs shares? Do I need some
>> sort of HBAC between the nfsclient and the nfsserver?
>>
> HBAC is not involved at all for NFS use. Remember, HBAC checks are run
> by SSSD when it is called by PAM session setup. There is nothing like
> that for NFS mounts.
>
> Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?
>
> --
> / Alexander Bokovoy

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
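The "files owned by nobody" symptom after a krb5p mount is an NFSv4 ID-mapping failure, not a Kerberos one. With a Kerberos security flavour the numeric UID on the server never crosses the wire: the server's nfsidmap turns it into an owner string of the form user@domain, and the client turns that string back into whatever UID the same name has locally. So a different numeric UID on the two hosts is fine by itself; what breaks the mapping is either an NFSv4 Domain that differs between server and client (/etc/idmapd.conf, defaulting to the host's DNS domain), or a name the client cannot resolve through nsswitch (for an IPA client, through SSSD). Anything the client cannot map is squashed to Nobody-User. The Python below is an added example written for this page, not code from the thread or from nfs-utils; it models the client-side nsswitch mapping rules with constructed idmapd.conf contents, a constructed passwd table and the constructed domain domain.tld, and shows each failure mode next to the working case.

```python
"""Model of NFSv4 owner-name mapping on a Linux NFS client (nsswitch method).

Added example for this thread; it is not nfs-utils code. All domains, users
and config fragments below are constructed for illustration.
"""
import configparser

# Constructed sample: what `getent passwd` would return on the NFS client.
# The UID deliberately differs from whatever UID the file carries on the server.
CLIENT_PASSWD = {
    "jdelaporte": 1105,   # constructed user; UID differs from the server's
    "nobody": 65534,
}

# Constructed /etc/idmapd.conf whose Domain matches the server's.
IDMAPD_CONF_MATCHING = """\
[General]
Domain = domain.tld

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch
"""

# Constructed /etc/idmapd.conf with a Domain that does not match the server's.
IDMAPD_CONF_MISMATCHED = IDMAPD_CONF_MATCHING.replace("domain.tld", "lab.example")

# Constructed /etc/idmapd.conf with Domain left unset, so idmapd falls back to
# the host's DNS domain (the documented default).
IDMAPD_CONF_NO_DOMAIN = IDMAPD_CONF_MATCHING.replace("Domain = domain.tld\n", "")


def parse_idmapd_conf(text, host_dns_domain):
    """Return (nfsv4 domain, Nobody-User) from idmapd.conf text.

    If [General] Domain is absent, idmapd uses the host's DNS domain; the
    caller passes that in as host_dns_domain (constructed here).
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    domain = cp.get("General", "Domain", fallback=host_dns_domain)
    nobody_user = cp.get("Mapping", "Nobody-User", fallback="nobody")
    return domain.strip().lower(), nobody_user.strip()


def map_owner_to_uid(owner, idmapd_conf_text, passwd, host_dns_domain):
    """Resolve an NFSv4 owner attribute the way a client using nsswitch does.

    owner is the string the server put in the owner attribute: 'user@domain'
    for name-based mapping (always the case with sec=krb5*), or a bare numeric
    string only when both sides run sec=sys with nfs4_disable_idmapping=Y.
    Returns (local_name, uid, reason).
    """
    domain, nobody_user = parse_idmapd_conf(idmapd_conf_text, host_dns_domain)
    nobody_uid = passwd[nobody_user]

    if owner.isdigit():
        # Numeric pass-through: no name lookup, the UID is used as-is.
        return None, int(owner), "numeric owner passed through without mapping"

    name, sep, owner_domain = owner.rpartition("@")
    if not sep:
        name = owner  # no '@' at all: treat as a bare local name
    elif owner_domain.lower() != domain:
        # Domain mismatch: the foreign domain is not stripped, the lookup
        # fails, and the owner is squashed to Nobody-User.
        return nobody_user, nobody_uid, (
            f"owner domain {owner_domain!r} does not match local Domain {domain!r}")

    uid = passwd.get(name)
    if uid is None:
        # Domain stripped fine, but nsswitch (e.g. SSSD) cannot resolve the name.
        return nobody_user, nobody_uid, f"{name!r} not resolvable via nsswitch"
    return name, uid, "mapped by name; the client's own UID is used"


if __name__ == "__main__":
    host_domain = "domain.tld"  # constructed: DNS domain of nfsclient.domain.tld
    for conf_name, conf in (("matching", IDMAPD_CONF_MATCHING),
                            ("mismatched", IDMAPD_CONF_MISMATCHED),
                            ("no Domain set", IDMAPD_CONF_NO_DOMAIN)):
        for owner in ("jdelaporte@domain.tld", "olduser@domain.tld", "512"):
            print(conf_name, owner, "->",
                  map_owner_to_uid(owner, conf, CLIENT_PASSWD, host_domain))
```

On a real client the same two checks are: compare the Domain that server and client actually use (on newer nfs-utils, `nfsidmap -d` prints it), and confirm that `getent passwd <name>` resolves on the client for the names that appear as nobody. Any UID the name happens to have on the server is irrelevant under sec=krb5p; only the name has to exist on both sides.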