Thanks for your answer. You sound very sceptical, so I would be very happy if you could deepen your meaning: is my goal possible to achieve, and is this the right strategy? That is, to integrate Linux into AD with SSSD, NFS-mounted home directories with Kerberos security, cross-realm authentication, and POSIX attributes for user/group objects in AD. I have to mention that my boss supports me, and my MS-admin colleagues have a positive attitude towards the project.

Best,
Longina

Kind regards,
Longina

> -----Original Message-----
> From: [email protected] [mailto:sssd-users-[email protected]] On Behalf Of Jakub Hrozek
> Sent: 19 January 2015 21:51
> To: [email protected]
> Subject: Re: [SSSD-users] idmaping, nfs4krb, AD multi domain forest
>
> On Fri, Jan 16, 2015 at 02:34:19PM +0000, Longina Przybyszewska wrote:
> >
> > Hi,
> > We have problems with authorization to the NFS-mounted share with sec=krb5 in a multi-domain AD forest environment.
> >
> > When server, client and user are from the same native domain, the user's login, nfs+krb mount and access to the NFS-mounted share work fine.
> > [email protected]
> > [email protected]
> > [email protected]
> >
> > When the user is from another domain, login (via ssh, GUI) and nfs+krb mount work; the user gets 'Permission denied' to the NFS share for rw.
> > [email protected]
> > [email protected]
> > [email protected]
> >
> > AD user test accounts (user-n, user-a) have POSIX attributes; AD groups for POSIX-enabled users have POSIX gids.
> >
> > Test users are members of universal group [email protected].
> >
> > SSSD is configured identically on client and server:
> >
> > [sssd]
> > domains = nat.c.example.com
> > config_file_version = 2
> > services = nss, pam
> >
> > [pam]
> > pam_verbosity = 3
> > debug_level = 9
> >
> > [domain/nat.c.example.com]
> >
> > debug_level = 9
> > ad_domain = nat.c.example.com
> > ad_hostname = host.nat.c.example.com
> > krb5_realm = NAT.C.EXAMPLE.COM
> > #cache_credentials = True
> > id_provider = ad
> > access_provider = ad
> > chpass_provider = ad
> > auth_provider = ad
> > #
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = False
> > use_fully_qualified_names = False
> > #use_fully_qualified_names = True
> > fallback_homedir = /home-local/%d/%u
> > ldap_user_principal = userPrincipalName
> >
> > ------
> > On the client machine, in the "Permission denied" session, all AD groups and ids are shown correctly using id, getent.
> >
> > Obviously configuring NFS idmapping requires special attention in a multi-domain trust (doesn't seem trivial using the UMICH method!).
> > Maybe some other AD specifics should be considered as well.
>
> I don't know enough about NFSv4 + Kerberos to assess whether there is some gotcha in that part of the configuration, but I'll try to answer the rest..
>
> > In the SSSD documentation the PAC service is mentioned.
> > Here come my questions:
> >
> > Do we need the PAC service enabled to get properly resolved AD groups in a Kerberos context between domains?
>
> No. Also, above you said that all groups are resolved correctly. Isn't that the case?
>
> > Is it possible in the 1.11.7 version and with kernel 3.13.0-44 to integrate the SSSD plugin nfsidmap_sss.so introduced first in 1.12.1?
>
> If you compile the plugin yourself, then yes. I'm not sure if it would help you, though.
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
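The thread rests on the claim that sssd.conf is identical on the NFS client and server, and on ldap_id_mapping = False, which makes every user and group in every trusted domain depend on POSIX attributes in AD. The following script, an added example that is not code from the thread or from the SSSD project, parses two sssd.conf files and reports the identity-relevant options that differ; the choice of keys and the sample configs (the client one follows the config quoted above, the server one is constructed with ldap_id_mapping dropped) are this example's own assumptions.

```python
import configparser

# Added example, not code from the thread or from SSSD. IDENTITY_KEYS is this
# script's own pick of the options that decide which uid/gid an AD user or
# group resolves to; ad_hostname is left out because it differs per host.
IDENTITY_KEYS = ("id_provider", "ad_domain", "krb5_realm", "ldap_id_mapping",
                 "use_fully_qualified_names", "ldap_user_principal")

def parse_sssd_conf(text):
    """Parse sssd.conf text; keep option case, no %-interpolation (homedir templates)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def compare_identity_settings(client_text, server_text):
    """Identity keys that differ or are set on one side only, per [domain/...] section."""
    c, s = parse_sssd_conf(client_text), parse_sssd_conf(server_text)
    sections = {x for x in c.sections() + s.sections() if x.startswith("domain/")}
    diffs = {}
    for sect in sorted(sections):
        for key in IDENTITY_KEYS:
            cv, sv = c.get(sect, key, fallback=None), s.get(sect, key, fallback=None)
            if cv != sv:
                diffs[(sect, key)] = (cv, sv)
    return diffs

def posix_attrs_required(text):
    """True when any AD domain has ldap_id_mapping = False: then every user and
    group in every trusted domain must carry uidNumber/gidNumber in AD."""
    cp = parse_sssd_conf(text)
    return any(cp.get(s, "ldap_id_mapping", fallback="True").lower() == "false"
               for s in cp.sections() if s.startswith("domain/"))

# Constructed sample: the client config follows the one quoted in the thread.
CLIENT_CONF = """[domain/nat.c.example.com]
id_provider = ad
ad_domain = nat.c.example.com
ad_hostname = client.nat.c.example.com
krb5_realm = NAT.C.EXAMPLE.COM
ldap_id_mapping = False
use_fully_qualified_names = False
ldap_user_principal = userPrincipalName
"""
# Constructed server config: same file, but ldap_id_mapping left at its default.
SERVER_CONF = CLIENT_CONF.replace("client.", "nfs.").replace("ldap_id_mapping = False\n", "")

if __name__ == "__main__":
    for (sect, key), (cv, sv) in compare_identity_settings(CLIENT_CONF, SERVER_CONF).items():
        print(f"{sect}: {key} client={cv!r} server={sv!r}")
```

A reported difference in ldap_id_mapping means the two hosts derive uids for the same AD principal by different rules, which shows up as exactly the kind of "Permission denied" on an otherwise working krb5 mount that the thread describes.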
