Hi All, Kerberised NFS works well with gssproxy for IPA users, but I'm unable to map root user like I was with rpcsvcgssd. I understand gssproxy does not use idmapd anymore, and the mapping has to be done in krb5 directly (/etc/krb5.conf and/or ~/.k5login). It doesn't appear to work - any pointers would be very welcome.
My env:

  $ lsb_release -d
  Description:    Red Hat Enterprise Linux Server release 7.3 (Maipo)
  $ rpm -q ipa-client gssproxy
  ipa-client-4.4.0-14.el7_3.4.x86_64
  gssproxy-0.4.1-13.el7.x86_64
  $ ipa --version
  VERSION: 4.4.0, API_VERSION: 2.213

Kerberised NFS works fine for users that exist in IPA, so I won't cover that part of the config and focus on the root mapping.

On the "nfsserver" machine, /etc/krb5.conf is this:

  includedir /var/lib/sss/pubconf/krb5.include.d/

  [libdefaults]
    default_realm = DOM.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 24h
    forwardable = yes
    default_ccache_name = KEYRING:persistent:%{uid}

  [realms]
    DOM.COM = {
      pkinit_anchors = FILE:/etc/ipa/ca.crt
      kdc = ipaserver.dom.com:88
      master_kdc = ipaserver.dom.com:88
      admin_server = ipaserver.dom.com:749
      default_domain = dom.com
      auth_to_local = RULE:[2:$1/$2@$0](nfs/nfsclient.dom....@dom.com)s/^.*$/root/g
      auth_to_local = RULE:[2:$1/$2@$0](host/nfsclient.dom....@dom.com)s/^.*$/root/g
      auto_to_local = DEFAULT
    }

  [domain_realm]
    .dom.com = DOM.COM
    dom.com = DOM.COM

And the contents of "/var/lib/sss/pubconf/krb5.include.d/localauth_plugin" are:

  [plugins]
    localauth = {
      module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
    }

I understand that this does NOT mean default, rule, auth_to_local and k5login are disabled for "localauth"; they're enabled by default, transparently, according to my reading of the krb5.conf man page (and I also confirmed k5login as working with SSH).

Contents of /root/.k5login, also on the "nfsserver" machine:

  host/nfsclient.dom....@dom.com
  nfs/nfsclient.dom....@dom.com

While in possession of a ticket for either of the 2 principals above, on the "nfsclient" machine as root user, I can SSH password-less (and SSH-keyless of course) root to root, to "nfsserver". I can no longer SSH if I don't have either the "host/..." or the "nfs/..." principal on "nfsclient". So that confirms k5login works correctly, I suppose.
Also, shortly after mounting an NFS share on the "nfsclient" machine, I see this in the NFS ID translations (not sure how to read it exactly):

  $ cat /proc/net/rpc/nfs4.idtoname/content
  gss/krb5i user 0 host/nfsclient.dom....@dom.com
  gss/krb5i group 0 host/nfsclient.dom....@dom.com

And yet the directory that is mounted is seen as "nobody:nobody" by root on "nfsclient", and I can't seem to be able to convince gssproxy/nfs to map it to root on the client.

My /etc/exports on "nfsserver":

  /exports/backup 10.11.5.0/24(rw,sec=krb5:krb5i:krb5p,no_subtree_check,no_root_squash)

I also keep my "old" /etc/idmapd.conf around on the "nfsserver" machine and keep idmapd running, even though in theory this is no longer used. These are its contents (and what used to work for me mapping root to root via rpcsvcgssd):

  [General]
  Domain = dom.com

  [Mapping]
  Nobody-User = nobody
  Nobody-Group = nobody

  [Translation]
  Method = static,sss

  [Static]
  host/nfsclient.dom....@dom.com = root
  nfs/nfsclient.dom....@dom.com = root

What have I missed / what else needs to be set up where to allow gssproxy and kerberised NFS backed by IPA to map root on the NFS client?

--
Thanks,
Greg Kubok.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
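The auth_to_local rules in the post decide which local account a Kerberos principal is mapped to before gssproxy hands the name to NFS, and it is easy to lose track of what a RULE actually produces. The evaluator below is an added example, not code from the post or from krb5, gssproxy or FreeIPA: it implements the RULE:[n:string](regexp)s/pattern/replacement/g syntax from krb5.conf(5) in Python, using a constructed principal "nfs/nfsclient.dom.com@DOM.COM" as a stand-in for the obfuscated value in the post. It assumes the selector regexp must match the whole formatted string and that Python's re module is close enough to the POSIX extended regex krb5 uses; both are assumptions, so check against your own kinit/kvno output. The last sample shows the caveat the evaluator makes visible: the selector is matched case-sensitively against "$1/$2@$0", so the realm in the rule must be written exactly as the KDC issues it.

```python
import re
from typing import List, Optional, Tuple

# Constructed rules modelled on the post; the host and realm are placeholders.
RULES = [
    r"RULE:[2:$1/$2@$0](nfs/nfsclient.dom.com@DOM.COM)s/^.*$/root/g",
    r"RULE:[2:$1/$2@$0](host/nfsclient.dom.com@DOM.COM)s/^.*$/root/g",
]

# RULE:[n:string](selector)s/pat/rep/g...   (selector and substitutions optional)
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(((?:\\\)|[^)])*)\))?(.*)$")
# One sed-style substitution; "\/" escapes a slash inside pattern or replacement.
_SUBST_RE = re.compile(r"s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)")


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name one auth_to_local RULE yields, or None if the
    rule does not select this principal."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    ncomp, fmt, selector, substs = m.groups()
    comps, realm = parse_principal(principal)
    # [n:string] only applies to principals with exactly n components.
    if len(comps) != int(ncomp):
        return None

    # $0 expands to the realm, $1..$n to the components.
    def expand(match: "re.Match[str]") -> str:
        idx = int(match.group(1))
        return realm if idx == 0 else comps[idx - 1]

    formatted = re.sub(r"\$(\d+)", expand, fmt)
    # Assumption: the selector must match the whole formatted string.
    # Matching is case-sensitive, so "@dom.com" will not select "@DOM.COM".
    if selector is not None and re.fullmatch(selector, formatted) is None:
        return None
    # Apply the s/pattern/replacement/[g] substitutions left to right.
    result = formatted
    for pat, rep, flag in _SUBST_RE.findall(substs):
        result = re.sub(pat, rep, result, count=0 if flag == "g" else 1)
    return result


def map_principal(rules: List[str], principal: str) -> Optional[str]:
    """First rule that selects the principal wins, as in krb5's processing."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    samples = (
        "nfs/nfsclient.dom.com@DOM.COM",   # selected by the first rule -> root
        "host/nfsclient.dom.com@DOM.COM",  # selected by the second rule -> root
        "alice@DOM.COM",                   # one component: no 2-component rule applies
        "nfs/nfsclient.dom.com@dom.com",   # realm case differs: no rule selects it
    )
    for p in samples:
        print(f"{p:36} -> {map_principal(RULES, p)}")
```

Run it as-is to see the four sample principals mapped; paste your own auth_to_local lines into RULES (with the realm exactly as it appears in `klist`) to check what gssproxy will be asked to translate. A principal that maps to None here falls through to the DEFAULT rule or the sssd localauth plugin, which is the path that ends in nobody:nobody when no local account is found.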