On Fri, Jan 16, 2015 at 02:34:19PM +0000, Longina Przybyszewska wrote:
>
> Hi,
> We have problems with authorization to an NFS-mounted share with sec=krb5 in a
> multi-domain AD forest environment.
>
> When server, client and user are from the same native domain, the user's
> login, nfs+krb mount and access to the NFS-mounted share work fine.
> [email protected]
> [email protected]
> [email protected]
>
> When the user is from another domain, login (via ssh, GUI) and nfs+krb mount
> work; the user gets 'Permission denied' on the NFS share for rw.
> [email protected]
> [email protected]
> [email protected]
>
> AD user test accounts (user-n, user-a) have POSIX attributes;
> AD groups for POSIX-enabled users have POSIX gids.
>
> Test users are members of the universal group [email protected].
>
> SSSD is configured identically on client and server:
>
> [sssd]
> domains = nat.c.example.com
> config_file_version = 2
> services = nss, pam
>
> [pam]
> pam_verbosity = 3
> debug_level = 9
>
> [domain/nat.c.example.com]
>
> debug_level = 9
> ad_domain = nat.c.example.com
> ad_hostname = host.nat.c.example.com
> krb5_realm = NAT.C.EXAMPLE.COM
> #cache_credentials = True
> id_provider = ad
> access_provider = ad
> chpass_provider = ad
> auth_provider = ad
> #
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> use_fully_qualified_names = False
> #use_fully_qualified_names = True
> fallback_homedir = /home-local/%d/%u
> ldap_user_principal = userPrincipalName
>
> ------
> On the client machine, in the "Permission denied" session, all AD groups and
> ids are shown correctly using id and getent.
>
> Obviously, configuring NFS idmapping requires special attention in a
> multi-domain trust (it doesn't seem trivial using the UMICH method!).
> Maybe some other AD specifics should be considered as well.
I don't know enough about NFSv4 + Kerberos to assess whether there is some gotcha in that part of the configuration, but I'll try to answer the rest.

>
> In the SSSD documentation the PAC service is mentioned.
> Here come my questions:
>
> Do we need the PAC service enabled to get properly resolved AD groups in a Kerberos
> context between domains?

No. Also, above you said that all groups are resolved correctly. Isn't that the case?

>
> Is it possible in the 1.11.7 version and with (kernel 3.13.0-44) to
> integrate the SSSD plugin nfsidmap_sss.so, introduced first in 1.12.1?

If you compile the plugin yourself, then yes. I'm not sure if it would help you, though.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
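Since the thread leaves the NFS idmapping side open, here is an added example (not from the thread or from the SSSD project) of the `/etc/idmapd.conf` settings on which the server's mapping of a Kerberos principal to a local account depends when principals arrive from more than one realm. It assumes the second AD domain's realm is `OTHER.C.EXAMPLE.COM` (a placeholder; the thread redacts the other domain) and that the cause is the realm check in libnfsidmap's nsswitch method, which is an assumption the thread does not confirm.

```ini
# /etc/idmapd.conf, added example; check it on both the NFS server and the client.
[General]
Verbosity = 0
# NFSv4 idmapping domain. Must be the same literal string on server and client,
# otherwise owner/group strings in replies map to the Nobody-User below.
Domain = nat.c.example.com
# Realms whose principals are mapped to a local account by stripping the realm.
# Without the second entry a user@OTHER.C.EXAMPLE.COM principal is not mapped by
# the nsswitch method and the access lands on Nobody-User, i.e. no rw access.
# OTHER.C.EXAMPLE.COM is a placeholder for the second domain's realm (assumption).
# Only safe while short user names are unique across the listed realms, which is
# also what use_fully_qualified_names = False in sssd.conf already assumes.
Local-Realms = NAT.C.EXAMPLE.COM,OTHER.C.EXAMPLE.COM

[Mapping]
# Account used when a name or principal cannot be mapped; unexpected file
# ownership of "nobody" on the share is the symptom to look for.
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
# nsswitch resolves the stripped name through getpwnam(), i.e. through SSSD,
# so the same POSIX attributes the client already sees via id/getent are used.
Method = nsswitch
```

After changing the file, restart rpc.idmapd and rpc.svcgssd (or the distribution's equivalent) and confirm with `id user-a` on the server that the foreign-domain user still resolves there.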
