[Freeipa-users] mapping AD trust users to FreeIPA users for access to NFS w/ ACLs
I’m trying to get a client to respect an NFS4 ACL for a directory. I’ve got users in FreeIPA that match a subset of users in AD. The NFS server is a FreeBSD box that I’ve got config’ed to use FreeIPA as an LDAP service in nsswitch for providing uids. I use setfacl there with just the uid. The FreeIPA client with the NFS mount (not kerberized) is an Ubuntu 14.04 bound to a FreeIPA 3.0 server (running on CentOS 6.5). I’ve got the FreeIPA 3.0 server configured with a trust with an AD domain.

My krb5.conf has

    dns_lookup_kdc = true
    auth_to_local = RULE:[1:$1@ $0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/

and my sssd.conf has the standard

    subdomains_provider = ipa
    services = ..., pac

along with a full_name_format = %1$s to strip the realm name off when displaying the username.

From what I understand about NFS ACLs, they should respect the uid reported, which matches, and ignore uidnumbers (which don’t match). From the FreeIPA client I can authenticate as an AD user, but I still don’t have access to the NFS directory with ACLs that should allow me to read. When I do a getfacl on the NFS server I get just the uid, but when I do nfs4_getfacl on the FreeIPA/NFS client I get uid@ipa.realm (and no access to the directory).

Am I missing something?

Best!

===
Daniel Shown, Linux Systems Administrator
Advanced Technology Group
Information Technology Services http://www.slu.edu/its at Saint Louis University http://www.slu.edu/.
314-977-2583
===
“The aim of education is the knowledge, not of facts, but of values.” — William S. Burroughs
“I’m supposed to be a scientific person but I use intuition more than logic in making basic decisions.” — Seymour R. Cray

-- 
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
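To make the identity flow in the post above concrete, here is an added example (not code from the thread, and not MIT krb5's or sssd's own implementation) that evaluates the quoted auth_to_local rule on a few constructed principals. It follows the RULE grammar documented in krb5.conf(5): build a string from the principal's components ($0 is the realm, $1..$n the components, and only principals with exactly n components qualify), require the optional selector regex to match, then apply the sed-style substitutions. It assumes the intended rule is `RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/`, treating the space after `@` in the quoted message as a line-wrap artifact; the principal names and the `render_full_name` helper (a minimal stand-in for sssd's full_name_format handling of %1$s and %2$s) are this example's own.

```python
import re

# Rule grammar (MIT krb5 auth_to_local "RULE:" form, as documented in krb5.conf(5)):
#   RULE:[n:string](regexp)s/pattern/replacement/g
# Only principals with exactly n components are considered; $0 is the realm,
# $1..$n the components. The (regexp) part is optional, as is each s/// part.
_RULE_RE = re.compile(
    r'RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]'      # [n:string]
    r'(?:\((?P<match>[^)]*)\))?'               # optional (regexp) selector
    r'(?P<subs>(?:s/[^/]*/[^/]*/g?)*)$'         # zero or more s/pat/repl/[g]
)
_SUB_RE = re.compile(r's/([^/]*)/([^/]*)/(g?)')


def apply_auth_to_local_rule(rule: str, principal: str):
    """Map a Kerberos principal to a local name with one auth_to_local RULE.

    Returns the mapped string, or None when the rule does not apply
    (wrong component count, or the selector regex does not match).
    """
    m = _RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError(f"unsupported auth_to_local rule: {rule!r}")

    # Split "comp1/comp2/...@REALM" into its components and realm.
    name, realm = principal.rsplit('@', 1)
    components = name.split('/')
    if len(components) != int(m.group('n')):
        return None

    # Build the candidate string: $0 -> realm, $i -> i-th component.
    def expand(ref):
        i = int(ref.group(1))
        if i == 0:
            return realm
        if i > len(components):
            raise ValueError(f"rule references ${i} but principal has {len(components)} components")
        return components[i - 1]
    candidate = re.sub(r'\$(\d+)', expand, m.group('fmt'))

    # The optional selector regex must match, otherwise the rule is skipped.
    selector = m.group('match')
    if selector is not None and not re.search(selector, candidate):
        return None

    # Apply each sed-style substitution in order; a trailing 'g' replaces all occurrences.
    for pattern, repl, flag in _SUB_RE.findall(m.group('subs')):
        candidate = re.sub(pattern, repl, candidate, count=0 if flag else 1)
    return candidate


def render_full_name(user: str, domain: str, full_name_format: str) -> str:
    """Minimal stand-in for sssd's full_name_format: %1$s is the user, %2$s the domain."""
    return full_name_format.replace('%1$s', user).replace('%2$s', domain)


# Assumed intended rule (no space after '@'); the principals below are constructed samples.
RULE = 'RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/'

if __name__ == '__main__':
    samples = ('dshown@AD.DOMAIN', 'dshown@IPA.REALM', 'host/nfs.ad.domain@AD.DOMAIN')
    for principal in samples:
        mapped = apply_auth_to_local_rule(RULE, principal)
        shown = render_full_name(mapped.split('@')[0], mapped.split('@')[1], '%1$s') if mapped else '-'
        print(f'{principal:32} -> {mapped!s:20} displayed as {shown}')
```

Running it shows that only a single-component principal in AD.DOMAIN is rewritten (to `dshown@ad.domain`), that an IPA-realm principal and a two-component service principal fall through the rule untouched, and that `full_name_format = %1$s` then displays the bare uid. That bare uid is the name the FreeBSD server's getfacl prints; the `uid@ipa.realm` form seen in nfs4_getfacl on the client comes from NFSv4's own idmapping (the domain configured for idmapd/nfsidmap), which is a separate mapping step from the Kerberos auth_to_local rewrite and is where the thread's replies locate the problem.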
Re: [Freeipa-users] mapping AD trust users to FreeIPA users for access to NFS w/ ACLs
On Mon, 11 Aug 2014, Daniel Shown wrote:
> I’m trying to get a client to respect an NFS4 ACL for a directory. I’ve got users in FreeIPA that match a subset of users in AD. The NFS server is a FreeBSD box that I’ve got config’ed to use FreeIPA as an LDAP service in nsswitch for providing uids. I use setfacl there with just the uid. The FreeIPA client with the NFS mount (not kerberized) is an Ubuntu 14.04 bound to a FreeIPA 3.0 server (running on CentOS 6.5). I’ve got the FreeIPA 3.0 server configured with a trust with an AD domain.
>
> [...]
>
> From what I understand about NFS ACLs, they should respect the uid reported, which matches, and ignore uidnumbers (which don’t match). From the FreeIPA client I can authenticate as an AD user, but I still don’t have access to the NFS directory with ACLs that should allow me to read. When I do a getfacl on the NFS server I get just the uid, but when I do nfs4_getfacl on the FreeIPA/NFS client I get uid@ipa.realm (and no access to the directory).
>
> Am I missing something?

There is a bug in NFS ID mapping code that prevents this use case from working. It should be fixed in recent libnfsidmap releases but I'm not sure it is already available in CentOS 6.5.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] mapping AD trust users to FreeIPA users for access to NFS w/ ACLs
grumble grumble. Do you know a bug ID or something similar I can search on? FWIW, FreeIPA server is CentOS 6.5, but the client is Ubuntu 14. Hopefully that makes a fix easier. :/

d:s

On Mon, Aug 11, 2014 at 1:51 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Mon, 11 Aug 2014, Daniel Shown wrote:
> > I’m trying to get a client to respect an NFS4 ACL for a directory. [...] Am I missing something?
>
> There is a bug in NFS ID mapping code that prevents this use case from working. It should be fixed in recent libnfsidmap releases but I'm not sure it is already available in CentOS 6.5.
>
> -- 
> / Alexander Bokovoy
Re: [Freeipa-users] mapping AD trust users to FreeIPA users for access to NFS w/ ACLs
On Mon, 11 Aug 2014, Daniel Shown wrote:
> grumble grumble. Do you know a bug ID or something similar I can search on? FWIW, FreeIPA server is CentOS 6.5, but the client is Ubuntu 14. Hopefully that makes a fix easier. :/

Here is the thread upstream, including the patch: http://thread.gmane.org/gmane.linux.nfs/62014

I cannot find the bug on bugzilla.redhat.com, though, perhaps it is closed already.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] mapping AD trust users to FreeIPA users for access to NFS w/ ACLs
Hmm... yeah, I've mucked with idmap.conf and still no happiness.

d:s

On Mon, Aug 11, 2014 at 2:04 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Mon, 11 Aug 2014, Daniel Shown wrote:
> > grumble grumble. Do you know a bug ID or something similar I can search on? FWIW, FreeIPA server is CentOS 6.5, but the client is Ubuntu 14. Hopefully that makes a fix easier. :/
>
> Here is the thread upstream, including the patch: http://thread.gmane.org/gmane.linux.nfs/62014
>
> I cannot find the bug on bugzilla.redhat.com, though, perhaps it is closed already.
>
> -- 
> / Alexander Bokovoy
Re: [Freeipa-users] mapping AD trust users to FreeIPA users for access to NFS w/ ACLs
On Mon, Aug 11, 2014 at 10:04:37PM +0300, Alexander Bokovoy wrote:
> On Mon, 11 Aug 2014, Daniel Shown wrote:
> > grumble grumble. Do you know a bug ID or something similar I can search on? FWIW, FreeIPA server is CentOS 6.5, but the client is Ubuntu 14. Hopefully that makes a fix easier. :/
>
> Here is the thread upstream, including the patch: http://thread.gmane.org/gmane.linux.nfs/62014
>
> I cannot find the bug on bugzilla.redhat.com, though, perhaps it is closed already.

I think you meant this one: https://bugzilla.redhat.com/show_bug.cgi?id=1066153

However, the bugzilla is marked as private, so it's not accessible outside redhat.com.

What I think is very safe to say is the fix is planned for 6.6 and appears to be on track.