Hello everyone! I am trying to set up an NFS export with sec=krb5p on one machine and make it accessible to a system user ('git' in this case) on another. To be more specific, I'd like to put GitLab backups on my ZFS array via NFS.

All machines in my little homelab are based on CentOS 7.3.1611, and I use two replicated FreeIPA servers running what I believe to be the latest release available on CentOS: 4.4.0. Both the storage server and the GitLab server are enrolled hosts in my realm. After enrolling both machines with ipa-client-install and installing @File\ and\ Storage\ Server on one and @Network\ File\ System\ Client on the other, I ran ipa-client-automount on both, as I read somewhere that it sets up the necessary configuration files for identity mapping?

I also found a thread on this mailing list about a use case of Apache accessing a /var/www directory via kerberized NFS. I believe my use case is very similar, and I feel like I am very close to a solution. But I just don't understand where things go wrong.

In this particular case the 'git' user on both machines has different UIDs. It was created during the installation of GitLab on the client, but the UID was already occupied by 'softhsm private keys owner' on the server. Thus I created a system user manually, which has a different UID though. For the sake of troubleshooting I also tried all of the following steps with the Apache user, which has UID 48 on both machines; the result was the same.

As this is not an actual user in my realm, I first created a service principal of the form git/$HOSTNAME@REALM (or apache/... for that matter). I then used ipa-getkeytab to create a keytab in /var/lib/gssproxy/clients/$UID.keytab for gssproxy to find. That worked nicely, as in: the user automagically got access to the mounted NFS share while a krb5cc_$UID was created in the directory mentioned above. After switching users with su, I can navigate through the mount, as long as all the folders have 755 permissions. A folder with 700 permissions and owner 'git' is correctly displayed as being owned by 'git' on the client, yet I cannot access it!

When I create a file or folder in a folder with public permissions (777), the owner of the newly created file is 'nfsnobody'. I also tried setting up a static mapping in /etc/idmapd.conf on both the server and the client, mapping the service principal to user 'git'. The effect was the client displaying the folder as being owned by 'nobody' - whoops.

Doing all of the above steps with an actual user in the realm works fine, either with the automagic method through gssproxy or by getting a ticket with kinit first: I can access a folder with 700 permissions, files are created with the correct owner, etc.

Is there any critical step that I missed? I feel like I am very close... I'd be thankful for any hints.

Cheers,
Anton

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
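The steps described in the post above (a per-host service principal for a local system user, a per-UID client keytab where gssproxy's nfs-client service looks for it, and a [Static] mapping in /etc/idmapd.conf), collected into one script together with the checks a practitioner would run after each step: that the keytab really contains the principal, which NFSv4 domain the client believes it is in, and what the idmapd stanza should look like. This is an added example, not code from the original post, from FreeIPA or from gssproxy. The realm, the client FQDN, the IPA server name and the service user are assumed placeholders; the keytab path follows the cred_store default shipped in CentOS 7's /etc/gssproxy/24-nfs-client.conf.

```shell
#!/bin/bash
# Added example: give a local system user (not an IPA user) a GSS identity
# for a sec=krb5p NFS mount via gssproxy, with a check after each step.
# All values below are assumptions; override them from the environment.
set -eu

REALM="${REALM:-EXAMPLE.COM}"                      # assumed realm
IPA_SERVER="${IPA_SERVER:-ipa1.example.com}"       # assumed IPA server
CLIENT_FQDN="${CLIENT_FQDN:-client.example.com}"   # assumed NFS client FQDN
SVC_USER="${SVC_USER:-git}"                        # local system user to map
PRINC="${SVC_USER}/${CLIENT_FQDN}@${REALM}"        # git/client.example.com@EXAMPLE.COM

# gssproxy's nfs-client service initiates with a per-UID client keytab:
#   cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
# so the file name must be the numeric UID, not the user name.
gssproxy_keytab_path() {
  printf '/var/lib/gssproxy/clients/%s.keytab' "$1"
}

# The stanza for /etc/idmapd.conf that maps a GSS principal name to a local
# user. [Static] is only consulted when Method lists "static"; nsswitch is
# kept after it so ordinary realm users still map via the passwd database.
idmapd_static_stanza() {
  printf '[Translation]\nMethod = static,nsswitch\n\n[Static]\n%s = %s\n' "$1" "$2"
}

# Confirm the keytab actually holds the principal gssproxy is expected to use
# (klist -k lists every entry; grep -F avoids treating '/' or '@' specially).
keytab_has_principal() {
  klist -k "$1" 2>/dev/null | grep -q -F "$2"
}

# Only the "apply" argument runs the privileged, network-dependent steps;
# invoking the script without arguments just defines the helpers above.
if [ "${1:-}" = "apply" ]; then
  uid="$(id -u "$SVC_USER")"
  keytab="$(gssproxy_keytab_path "$uid")"

  # 1. Service principal in IPA for the client host (requires an admin ticket).
  ipa service-add "$PRINC"

  # 2. Fetch its key into the gssproxy client keytab; gssproxy runs as root,
  #    so the file does not need to be readable by the user itself.
  install -d -m 0700 /var/lib/gssproxy/clients
  ipa-getkeytab -s "$IPA_SERVER" -p "$PRINC" -k "$keytab"
  chmod 0600 "$keytab"

  # 3. Check that the keytab contains what we asked for before touching NFS.
  if ! keytab_has_principal "$keytab" "$PRINC"; then
    echo "error: $PRINC not found in $keytab" >&2
    exit 1
  fi

  # 4. Show the effective NFSv4 domain: owner names cross the wire as
  #    user@domain and the server must map them back with the same domain.
  echo "Effective NFSv4 domain on this host: $(nfsidmap -d)"

  # 5. Print the [Static] stanza to merge into /etc/idmapd.conf on both ends.
  echo "Suggested /etc/idmapd.conf stanza for $PRINC:"
  idmapd_static_stanza "$PRINC" "$SVC_USER"
fi
```

Run it as root on the NFS client with `REALM`, `IPA_SERVER` and `CLIENT_FQDN` set and `apply` as the argument after `kinit admin`; without `apply` it only defines the helper functions, which is what the test below exercises.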