I forgot to note that you use “nfsadmin” to enable the mapping:

nfsadmin mapping config addomain=krb1.cs.rutgers.edu
nfsadmin mapping config adlookup=yes
In this case I’m pointing to your KDC. I believe it will work if you use your domain name, as long as you have the appropriate DNS entries. I’m hardcoding the server because it makes debugging easier.

> On Jan 9, 2019, at 12:24 PM, Charles Hedrick via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> We’re in the process of setting up Windows machines to authenticate against
> IPA and use home directories from our NFS servers with Kerberized NFS.
>
> The process is not easy, but possible. One thing I’ve found frustrating is
> that documentation on Windows NFS is terrible. In particular, when you do a
> mount, it’s critical to get it mounted with the right UID and GID. The
> procedure most people are using is to set the UID and GID in the registry.
> That’s fine if the same person always uses the system, but it won’t work for
> us.
>
> In older versions of Windows, you could set up
> /windows/system32/drivers/etc/passwd. But in Windows 10 they no longer seem
> to pay attention. The only real way to do it is with Active Directory lookup.
> Fortunately, IPA can handle that. The query is
>
> GSSAPI authenticate as machine$
> ldapsearch -Y GSSAPI -b dc=cs,dc=rutgers,dc=edu '(sAMAccountName=clh)'
> uidnumber gidnumber
>
> To get the GSSAPI authentication to work, you need MACHINE$ set as an alias
> for the host. And you need to configure Windows to use principal
> canonicalization. Otherwise Kerberos ignores the alias. That means doing
> "ksetup /setrealmflags DOMAIN ncsupported" on Windows.
>
> You also need to add samaccountname as an attribute for users, populate it,
> and make it readable and searchable.
>
> With this, mapping works.
>
> Of course this assumes that Windows Kerberos is set up pointing to IPA as
> the KDC, but there are plenty of other instructions on how to do that.
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
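As an added example (not part of the thread above), a small Python pre-flight check for the identity-mapping lookup the thread describes: it builds the same `ldapsearch -Y GSSAPI` query the Windows client's AD lookup depends on (escaping the account name per RFC 4515, since that value arrives from outside), parses the LDIF reply, and reports any user whose entry lacks a numeric uidNumber or gidNumber, which is exactly what leaves a mount with the wrong identity. `BASE_DN` is taken from the thread and the sample LDIF is constructed, not captured from a real server.

```python
BASE_DN = "dc=cs,dc=rutgers,dc=edu"   # base DN from the thread; adjust for your domain
ATTRS = ("uidNumber", "gidNumber")     # what the Windows NFS client needs back

def escape_filter_value(value):
    """RFC 4515 escaping so a supplied name cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def lookup_command(name):
    """The ldapsearch from the thread, to be run holding a host/MACHINE$ ticket."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-b", BASE_DN,
            "(sAMAccountName=%s)" % escape_filter_value(name),
            "sAMAccountName", "uidNumber", "gidNumber"]

def parse_ldif(text):
    """Minimal LDIF parser for ldapsearch -LLL output (attribute names lower-cased)."""
    text = text.replace("\n ", "")          # unfold continuation lines
    entries = []
    for block in text.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#") and ":" in line:
                key, _, val = line.partition(":")
                attrs.setdefault(key.lower(), []).append(val.strip())
        if attrs:
            entries.append(attrs)
    return entries

def check_mapping(entries):
    """Return {sAMAccountName: None if mappable, else the attributes that block it}."""
    report = {}
    for e in entries:
        name = e.get("samaccountname", ["<no sAMAccountName>"])[0]
        # Missing attribute or a non-numeric value both leave the client without an ID.
        bad = [a for a in ATTRS if not e.get(a.lower(), [""])[0].isdigit()]
        report[name] = ("missing or non-numeric " + ", ".join(bad)) if bad else None
    return report

# Constructed sample output (not captured from a real server) for offline use.
SAMPLE_LDIF = """\
dn: uid=clh,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu
sAMAccountName: clh
uidNumber: 10001
gidNumber: 10001

dn: uid=nogid,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu
sAMAccountName: nogid
uidNumber: 10002
"""
```

For a live check on an IPA-enrolled host, pass the stdout of `subprocess.run(lookup_command("clh"), capture_output=True, text=True)` through `parse_ldif` and `check_mapping`; a `None` result means the Windows client will get a usable UID/GID pair for that account.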