Hi All,

Kerberised NFS works well with gssproxy for IPA users, but I'm unable to
map the root user as I was with rpcsvcgssd. I understand gssproxy no longer
uses idmapd, and the mapping has to be done in krb5 directly
(/etc/krb5.conf and/or ~/.k5login). It doesn't appear to work; any
pointers would be very welcome.

My env:

$ lsb_release -d
Description: Red Hat Enterprise Linux Server release 7.3 (Maipo)
$ rpm -q ipa-client gssproxy
ipa-client-4.4.0-14.el7_3.4.x86_64
gssproxy-0.4.1-13.el7.x86_64
$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

Kerberised NFS works fine for users that exist in IPA, so I won't cover
that part of the config and focus on the root mapping.

On the "nfsserver" machine, /etc/krb5.conf is this:

includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = DOM.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  DOM.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    kdc = ipaserver.dom.com:88
    master_kdc = ipaserver.dom.com:88
    admin_server = ipaserver.dom.com:749
    default_domain = dom.com
    auth_to_local = RULE:[2:$1/$2@$0](nfs/nfsclient.dom....@dom.com)s/^.*$/root/g
    auth_to_local = RULE:[2:$1/$2@$0](host/nfsclient.dom....@dom.com)s/^.*$/root/g
    auto_to_local = DEFAULT
  }
[domain_realm]
  .dom.com = DOM.COM
  dom.com = DOM.COM

And the contents of "/var/lib/sss/pubconf/krb5.include.d/localauth_plugin"
are:

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

I understand that does NOT mean default, rule, auth_to_local and k5login
are disabled for "localauth"; they're enabled by default transparently,
according to my reading of the krb5.conf man page (and I also confirmed
k5login as working with SSH).

Contents of /root/.k5login, also on the "nfsserver" machine:

host/nfsclient.dom....@dom.com
nfs/nfsclient.dom....@dom.com

While in possession of a ticket for either of the 2 principals above, on
the "nfsclient" machine as the root user, I can SSH password-less (and
SSH-keyless of course) root to root, to "nfsserver". I can no longer SSH if
I don't have either the "host/..." or the "nfs/..." principal on "nfsclient".
So that confirms k5login works correctly, I suppose.

Also, shortly after mounting an NFS share on the "nfsclient" machine, I see
this in the NFS ID translations (not sure how to read it exactly):

$ cat /proc/net/rpc/nfs4.idtoname/content
gss/krb5i user 0 host/nfsclient.dom....@dom.com
gss/krb5i group 0 host/nfsclient.dom....@dom.com

And yet the directory that is mounted is seen as "nobody:nobody" by root on
"nfsclient", and I can't seem to convince gssproxy/nfs to map it to root on
the client.

My /etc/exports on "nfsserver":

/exports/backup 10.11.5.0/24(rw,sec=krb5:krb5i:krb5p,no_subtree_check,no_root_squash)

I also keep my "old" /etc/idmapd.conf around on the "nfsserver" machine and
keep idmapd running, even though in theory this is no longer used. These are
its contents (and what used to work for me for mapping root to root via
rpcsvcgssd):

[General]
Domain = dom.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = static,sss
[Static]
host/nfsclient.dom....@dom.com = root
nfs/nfsclient.dom....@dom.com = root


What have I missed / what else needs to be set up where to allow gssproxy
and kerberised NFS backed by IPA to map root on NFS client?

-- 
Thanks,

Greg Kubok.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
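As an added example (my own code, not from Greg's post, from MIT krb5 or from gssproxy), here is a small Python emulation of how MIT krb5 evaluates `auth_to_local` RULE and DEFAULT entries, so a rule can be checked against a principal before relying on it in krb5.conf. It assumes the principals the list archive masked as `nfs/nfsclient.dom....@dom.com` and `host/nfsclient.dom....@dom.com` are really `nfs/nfsclient.dom.com@DOM.COM` and `host/nfsclient.dom.com@DOM.COM`, approximates POSIX extended regex with Python's `re`, and does not emulate the sssd or k5login localauth modules, only RULE and DEFAULT.

```python
"""Emulation of MIT krb5 auth_to_local RULE/DEFAULT evaluation (added example,
not code from the post, from MIT krb5 or from gssproxy)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed full spelling of the principals the list archive masked as
# "nfs/nfsclient.dom....@dom.com"; the realm comes from default_realm = DOM.COM.
DEFAULT_REALM = "DOM.COM"
RULES = [
    "RULE:[2:$1/$2@$0](nfs/nfsclient.dom.com@DOM.COM)s/^.*$/root/g",
    "RULE:[2:$1/$2@$0](host/nfsclient.dom.com@DOM.COM)s/^.*$/root/g",
    "DEFAULT",
]

# RULE:[n:string](regexp)s/pattern/replacement/g  (selector and s/// are optional)
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<sel>[^)]*)\))?"
    r"(?:s/(?P<pat>(?:\\.|[^/])*)/(?P<rep>(?:\\.|[^/])*)/(?P<g>g?))?$"
)


@dataclass
class Rule:
    ncomp: int                 # rule applies only to principals with this many components
    fmt: str                   # selection-string template: $0 = realm, $1.. = components
    selector: Optional[str]    # regex that must match the whole selection string
    pattern: Optional[str]     # s/pattern/replacement/ applied to the selection string
    replacement: str
    global_sub: bool           # trailing g: replace every match, not just the first


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text)
    if m is None:
        raise ValueError(f"unsupported auth_to_local value: {text}")
    return Rule(int(m["n"]), m["fmt"], m["sel"], m["pat"], m["rep"] or "", m["g"] == "g")


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'nfs/h.dom.com@DOM.COM' -> (['nfs', 'h.dom.com'], 'DOM.COM'); escaping ignored."""
    name, realm = principal.rsplit("@", 1) if "@" in principal else (principal, "")
    return name.split("/"), realm


def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    comps, realm = split_principal(principal)
    if len(comps) != rule.ncomp:
        return None

    def expand(m):
        i = int(m.group(1))
        if i > len(comps):
            raise ValueError(f"${i} refers past the last component of {principal}")
        return realm if i == 0 else comps[i - 1]

    selstr = re.sub(r"\$(\d+)", expand, rule.fmt)
    # MIT accepts the selector only if the regex matches the entire selection string
    if rule.selector is not None and re.fullmatch(rule.selector, selstr) is None:
        return None
    if rule.pattern is None:
        return selstr
    return re.sub(rule.pattern, rule.replacement, selstr,
                  count=0 if rule.global_sub else 1)


def map_principal(principal: str, rules: List[str] = RULES,
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """First entry that yields a name wins, in configuration order; None = unmapped."""
    for value in rules:
        if value == "DEFAULT":
            comps, realm = split_principal(principal)
            # DEFAULT: a one-component principal in the default realm maps to that component
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        result = apply_rule(parse_rule(value), principal)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    # Constructed sample principals: the two NFS client principals, an IPA user,
    # an unlisted host, and a user from a foreign realm.
    for p in ["nfs/nfsclient.dom.com@DOM.COM", "host/nfsclient.dom.com@DOM.COM",
              "greg@DOM.COM", "nfs/other.dom.com@DOM.COM", "greg@OTHER.COM"]:
        print(f"{p:36} -> {map_principal(p)}")
```

Two details the emulation makes visible: a `[2:...]` rule is skipped entirely for one-component user principals, which is why they fall through to DEFAULT, and the selector is compiled as an extended regex without case folding and must match the whole selection string, so the realm text inside the parentheses has to match the realm of the presented ticket exactly.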