Hi All,

Kerberised NFS works well with gssproxy for IPA users, but I'm unable to
map root user like I was with rpcsvcgssd. I understand gssproxy does not
use idmapd anymore, and the mapping has to be done in krb5 directly
(/etc/krb5.conf and/or ~/.k5login). It doesn't appear to work - any
pointers would be very welcome.

My env:

$ lsb_release -d
Description: Red Hat Enterprise Linux Server release 7.3 (Maipo)
$ rpm -q ipa-client gssproxy
$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

Kerberised NFS works fine for users that exist in IPA, so I won't cover
that part of the config and focus on the root mapping.

On the "nfsserver" machine, /etc/krb5.conf is this:

includedir /var/lib/sss/pubconf/krb5.include.d/
  default_realm = DOM.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  default_ccache_name = KEYRING:persistent:%{uid}
  DOM.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    kdc = ipaserver.dom.com:88
    master_kdc = ipaserver.dom.com:88
    admin_server = ipaserver.dom.com:749
    default_domain = dom.com
    auth_to_local = RULE:[2:$1/$2@$0](nfs/nfsclient.dom....@dom.com
    auth_to_local = RULE:[2:$1/$2@$0](host/nfsclient.dom....@dom.com
    auto_to_local = DEFAULT
  .dom.com = DOM.COM
  dom.com = DOM.COM

And the contents of "/var/lib/sss/pubconf/krb5.include.d/localauth_plugin"

 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

I understand that does NOT mean default, rule, auth_to_local and k5login
are disabled for "localauth", they're enabled by default transparently to
my reading of krb5.conf man page (and I also confirmed k5login as working
with SSH).

Contents of /root/.k5login also on "nfsserver" machine:


While in possession of a ticket for either of the 2 principals above, on
"nfsclient" machine as root user, I can SSH password-less (and SSH-keyless
of course) root to root, to "nfsserver". I can no longer SSH if I don't
have either "host/..." or "nfs/..." principal on the "nfsclient". So that
confirms k5login works correctly I suppose.

Also shortly after mounting an NFS share on the "nfsclient" machine, I see
this in NFS ID translations (not sure how to read it exactly):

$ cat /proc/net/rpc/nfs4.idtoname/content
gss/krb5i user 0 host/nfsclient.dom....@dom.com
gss/krb5i group 0 host/nfsclient.dom....@dom.com

And yet the directory that is mounted is seen as "nobody:nobody" by root on
"nfsclient", and I can't seem to be able to convince gssproxy/nfs to map it
to root on the client.

My /etc/exports on "nfsserver":


I also keep my "old" /etc/idmapd.conf around on "nfsserver" machine and
keep idmapd running, even though in theory this is no longer used. This is
its contents (and what used to work for me mapping root to root via

Domain = dom.com
Nobody-User = nobody
Nobody-Group = nobody
Method = static,sss
host/nfsclient.dom....@dom.com = root
nfs/nfsclient.dom....@dom.com = root

What have I missed / what else needs to be set up where to allow gssproxy
and kerberised NFS backed by IPA to map root on NFS client?


Greg Kubok.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to