I’m trying to integrate the “NAS Server” on our Dell EMC Unity with our FreeIPA 
server so we can secure our NFS shares. Our FreeIPA server is a run-of-the-mill 
setup. We don’t have any special configuration.
 
The Dell EMC Box NAS configuration settings are asking for the following.
 
Realm: 
KDC Servers:
Port:
Base DN:
Custom Principal:
Custom Principal password:
Keytab
 
You can get a better visual from these screenshots. https://imgur.com/a/H6pWemL
 
Info about the environment (I switched example.com from our regular domain but 
it’s a direct replacement).
ny.example.com is my main domain/realm (e.g. NY.EXAMPLE.COM). My other domain 
is la.example.com. My KDC (IPA servers) are ipa.ny.example.com and 
ipa.la.example.com, they are replicas. The Dell EMC Unity NAS server I’m 
setting up will be nfssrv.la.example.com. 
 
So this is what I did. In FreeIPA I created a new host manually through the GUI.
 
Principal alias:
nfssrv.la.example....@ny.example.com
 
I then created a new service for that host through the GUI
 
nfs/nfssrv.la.example....@ny.example.com
 
I then went onto the FreeIPA server and generated a keytab
 
"ipa-getkeytab -s ipa.ny.example.com -p nfs/nfssrv.la.example....@ny.example.com -k /tmp/nfssrv.keytab -P <entered passwd>"
 
The principal in the ipa-getkeytab command and the password I supplied to the 
ipa-getkeytab command are what I supplied in the Dell EMC Unity dialogs.
 
However, when I do all of this, I keep getting errors in the Dell EMC Unity log 
stating
 
“In the NAS server nfssrv.la.example.com, ONE LDAP server for Domain 
ny.example.com goes back from failure.”
“LDAP client settings on NAS server nfssrv.la.example.com are not valid within 
domain ny.example.com”.
 
So the questions I have are:
 
1) Am I generating the keytab appropriately?
2) Am I supplying the correct information to the “Specify Custom 
principal” “Principal” fields with the principal of the actual server?
3) The last thing I am unsure about is the “Retrieve Current Schema”. This 
schema was automatically generated. It states it is for the Fedora Directory 
Service, so I assumed that was correct since I’m using CentOS with FreeIPA. I 
haven’t changed anything in the schema (at least that I’m aware of). Any way to 
validate this? 
 
If anyone can provide any advice/suggestions I would greatly appreciate it.
 
The following is the “Current Schema” listed in the LDAP section.
 
# -----------------------------------------------------------------------------
# This template was automatically generated by the EMC Nas server
# - Adjustments could be required to fit your specific LDAP configuration.
 
# - The following setup fits the Fedora Directory service schema.
# Containers
 
nss_base_passwd    ou=people,dc=ny,dc=example,dc=com
nss_base_group     ou=group,dc=ny,dc=example,dc=com
nss_base_hosts     ou=hosts, dc=ny,dc=example,dc=com
nss_base_netgroup  ou=netgroup,dc=ny,dc=example,dc=com
 
# - The parameter fast_search allows fast search encoding to boost performances with big LDAP repositories.
#   The parameter is set to 1 by default on this configuration.
#   Some issue could occur on Microsoft Active Directory server.
#   If you encounter some issue on LDAP lookup, set the value of the parameter to 0
fast_search 1


-Kevin
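One way to check a keytab like the one ipa-getkeytab produced above, as an added example that is not part of the original post: a small parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype, so the principal can be compared against what the NAS dialog expects and the kvno against what the KDC currently holds. The sample keytab bytes are constructed inline from the thread's host name with the realm in uppercase; kvno 2 and enctypes 18 and 17 (aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96) are assumed values, not taken from a real KDC.

```python
import struct

def parse_keytab(data: bytes):
    """Return (principal, kvno, enctype, key_length) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    def counted():  # uint16 length followed by that many bytes
        nonlocal pos
        (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        s = data[pos:pos + n]; pos += n
        return s.decode()
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:      # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        pos += 8           # name_type (int32) and timestamp (int32), unused here
        kvno = data[pos]; pos += 1                                   # 8-bit vno
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        pos += klen        # skip the key material itself
        if end - pos >= 4: # trailing 32-bit vno overrides the 8-bit one
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, klen))
    return entries

def check_keytab(data, principal, kdc_kvno):
    """True if the keytab holds `principal` at the kvno the KDC currently has."""
    return any(p == principal and k == kdc_kvno for p, k, _, _ in parse_keytab(data))

def make_entry(principal, kvno, enctype, key):
    """Build one keytab entry; used only to construct the sample below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the thread's NFS principal with two enctypes at kvno 2.
PRINCIPAL = "nfs/nfssrv.la.example.com@NY.EXAMPLE.COM"
SAMPLE = b"\x05\x02" + make_entry(PRINCIPAL, 2, 18, b"\x00" * 32) + make_entry(PRINCIPAL, 2, 17, b"\x00" * 16)
```

Each run of ipa-getkeytab without -r generates a fresh key and raises the kvno on the KDC, so a keytab copied to the NAS from an earlier run stops matching and the comparison above is the quickest way to spot that.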