Hi, I’ve had this working successfully although not with domain joined Windows machines (I simply haven’t tried). ZFS on Linux has a slightly different syntax than Solaris for sharenfs. What’s the syntax you’re using? The following worked for me in the past:
    zfs set sharenfs=sec=krb5:krb5i:krb5p,rw=@10.1.42.0/24,root_squash,no_subtree_check Data/Shared

You can verify how it’s exported with `exportfs -v`. Beyond setting up the exports, ZFS doesn’t really get in the way.

Remember, btw, that for apache to be able to read anything over a Kerberized setup it _has_ to have a Kerberos credential, simply setting permissions is not enough. The Kerberos ticket also expires periodically and will need to be renewed.

Ilya Kogan

> On Jul 24, 2017, at 15:35, Tyrell Jentink, KD7KUJ via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Is anyone playing with NFS with ZFS on FreeIPA networks? I am virtualizing my
> home network infrastructure; To wit:
> -CentOS 7 with ZFS and KVM hypervisor as the host, one Windows 2012 R2 guest
> running ActiveDirectory, the rest of the guests are mostly Fedora 25;
> -FreeIPA -> AD trust is working, and I can sign into an AD Domain user on all
> clients;
> -I have all my files (Media, HTML files, etc) on the host in a ZFS partition,
> I tried using the ZFS-native NFS sharing options, but ended up with question
> mark permissions... So I have exported the root file system with Kerberos
> authentication and Secure NFS, with crossmnt set in the options, and now my
> client can mount and view the contents of the ZFS shares...
> -But I have lingering permission issues... Apache can't read anything (Even
> with 777 permissions set and SELinux set to Permissive), regular users can
> read, can write, but can't create directories or change permissions (Even on
> files they own).
>
> I'm not sure if I should attack the problem from the angle of SELinux being
> the culprit, or ZFS being the culprit, or some ID mapping issue... But I'm
> certain that the combination of ZFS, NFS, and FreeIPA is poorly documented...
> So any experience from the community would be greatly appreciated :p
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
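
Added example, not part of the original messages or of any project's code: a shell filter for the `exportfs -v` check mentioned in the reply, flagging any export that allows a non-Kerberos security flavor or sets no_root_squash. The function names and the sample lines are constructed for illustration, and treating no_root_squash as a finding is an assumption based on the root_squash option in the command above.

```shell
#!/bin/sh
# Added example: flag NFS exports that are not Kerberos-only.
# Real use: exportfs -v | audit_exports
# Prints one finding per line; returns 1 if anything was flagged.
audit_exports() {
    awk '
    # A line starting with "/" opens an export. The client spec follows on
    # the same line or, for long paths, alone on the next indented line.
    /^\//    { path = $1; spec = $2 }
    /^[ \t]/ { spec = $1 }
    spec == "" { next }
    {
        client = spec; sub(/\(.*/, "", client)
        opts = spec; sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)
        n = split(opts, o, ","); sec = ""; noroot = 0
        for (i = 1; i <= n; i++) {
            # sec= may appear more than once; collect every flavor.
            if (o[i] ~ /^sec=/) sec = sec (sec == "" ? "" : ":") substr(o[i], 5)
            if (o[i] == "no_root_squash") noroot = 1
        }
        if (sec == "") sec = "sys"   # no sec= means the default, AUTH_SYS
        m = split(sec, f, ":")
        for (i = 1; i <= m; i++)
            if (f[i] !~ /^krb5[ip]?$/) {
                print path, client, "non-Kerberos flavor: " f[i]; bad = 1
            }
        if (noroot) { print path, client, "no_root_squash"; bad = 1 }
        spec = ""
    }
    END { exit bad + 0 }'
}

# Constructed sample in the shape exportfs -v prints (not from the thread).
sample_exports() {
    printf '%s\n' \
        '/Data/Shared  10.1.42.0/24(rw,wdelay,root_squash,no_subtree_check,sec=krb5:krb5i:krb5p,secure)' \
        '/Data/Media' \
        '        10.1.42.0/24(rw,wdelay,no_root_squash,no_subtree_check,sec=sys:krb5,secure)' \
        '/  <world>(ro,wdelay,root_squash,crossmnt)'
}

sample_exports | audit_exports || true
```

An export with no sec= option is reported as sys because that is the NFS default, which is the case for a root file system exported without an explicit Kerberos flavor.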