Hi,
Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos?
I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder.
I am trying from a Fedora 37 client.
As this is potentially off-topic, I’d be glad to take the discussion off-list.
Best,
Francis
On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,
Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos?
I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder.
I am trying from a Fedora 37 client.
As this is potentially off-topic, I’d be glad to take the discussion off-list.
That's a very interesting subject. Just today we started looking at the same thing. I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up.
On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,
Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos?
I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder.
I am trying from a Fedora 37 client.
As this is potentially off-topic, I’d be glad to take the discussion off-list.
That's a very interesting subject. Just today we started looking at the same thing. I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up. -- Kees
Great! If it is ok with you, please keep in touch to share how/what you accomplish.
Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem a few versions ago where the tickets wouldn’t be renewed. It is fixed now. So users and groups work.
The issue with TrueNAS, as I see it, is the idmapd configuration.
But I think we start to be very off topic, so don’t hesitate to mail me directly if you want to discuss this.
Best,
Francis
On Аўт, 03 кас 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,
Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos?
I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder.
I am trying from a Fedora 37 client.
As this is potentially off-topic, I’d be glad to take the discussion off-list.
That's a very interesting subject. Just today we started looking at the same thing. I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up. -- Kees
Great! If it is ok with you, please keep in touch to share how/what you accomplish.
Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem a few versions ago where the tickets wouldn’t be renewed. It is fixed now. So users and groups work.
The issue with TrueNAS, as I see it, is the idmapd configuration.
But I think we start to be very off topic, so don’t hesitate to mail me directly if you want to discuss this.
I think it can be discussed here, no problem.
My understanding is that TrueNAS Scale uses Debian as its base. It also uses Samba components for both client (users/groups identities) integration and server (SMB shares) integration. For SMB-related configuration one can have a pretty decent setup with Samba-driven identity management, so you can define idmap ranges, plugins, etc.
For NFS case, I don't see them defining any idmapd config. If winbindd is in use already and those users/groups are provided through nsswitch, then default idmapd.conf configuration should work just fine because it'll do UID <-> kerberos principal name translation using nsswitch.
On 3 Oct 2023, at 11:50, Alexander Bokovoy abokovoy@redhat.com wrote:
On Аўт, 03 кас 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,
Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos?
I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder.
I am trying from a Fedora 37 client.
As this is potentially off-topic, I’d be glad to take the discussion off-list.
That's a very interesting subject. Just today we started looking at the same thing. I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up. -- Kees
Great! If it is ok with you, please keep in touch to share how/what you accomplish.
Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem a few versions ago where the tickets wouldn’t be renewed. It is fixed now. So users and groups work.
The issue with TrueNAS, as I see it, is the idmapd configuration.
But I think we start to be very off topic, so don’t hesitate to mail me directly if you want to discuss this.
I think it can be discussed here, no problem.
Thank you, I really appreciate this, since this is a thing I’ve been working on for quite sometime, so it is really nice to have other eyes on it.
My understanding is that TrueNAS Scale uses Debian as its base. It also uses Samba components for both client (users/groups identities) integration and server (SMB shares) integration. For SMB-related configuration one can have a pretty decent setup with Samba-driven identity management, so you can define idmap ranges, plugins, etc.
For NFS case, I don't see them defining any idmapd config. If winbindd is in use already and those users/groups are provided through nsswitch, then default idmapd.conf configuration should work just fine because it'll do UID <-> kerberos principal name translation using nsswitch.
One of my pproblems is that I have a realm which is IPA.LOCAL. But my machines are machine.local. I believe that in such situations I need to define the Local-Realms attribute of the idmapd.conf, but that isn’t possible on the gui. So what happens is that when I change that on the /etc/idmapd.conf of TrueNAS, the permissions seem to be fine, but I still can’t access the folder. And after a few minutes, the idmapd.conf of TrueNAS gets overwritten and my permissions get messes up again, and then the folders are owned by nobody:nobody.
But even when the permissions are right, I still can’t access the folder. I think it might be the ACL on TrueNAS side, but I tried with all types of ACL to no avail.
Best,
Francis
I actually did this recently.
Full working settings configuration in TrueNAS Scale. You will need to create a BIND account which I used "svcbind". The Aux Parameters are extremely important otherwise your groups won't work correctly.
Directory Services 1. Hostname: ipa.site.example.com 2. Base DN: dc=site,dc=example,dc=com 3. Bind DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com 4. Bind Password: <XXXXX> 5. Kerberos Realm: SITE.EXAMPLE.COM 6. Kerberos Principal: nfs/xxxx.site.example.com@SITE.EXAMPLE.COM 7. LDAP Timeout: 10 8. DNS Timeout: 10 9. Enable: [ x ] 10. Auxiliary Parameters ``` base passwd cn=users,cn=accounts,dc=site,dc=example,dc=com base group cn=groups,cn=accounts,dc=site,dc=example,dc=com ``` 11. encryption Mode: off 12. Schema: RFC2307BIS 13. Validate Certificates: [x]
1. Advanced Settings 1. Idmap 1. Idmap Backend: LDAP 2. DNS Domain Name: site.example.com 3. Range Low: 100000001 4. Range High: 2000000000 5. Base DN: dc=site,dc=example,dc=com 6. LDAP User DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com 7. LDAP User DN Password: <XXXXX> 8. URL: ipa.site.example.com 2. Kerberos Realms 1. Realm: SITE.EXAMPLE.COM 2. KDC: ipa.site.example.com 3. Admin Servers: ipa.site.example.com 3. Kerberos Settings: 1. Libdefaults Auxiliary Parameters ``` default_realm = SITE.EXAMPLE.COM dns_lookup_kdc = true allow_weak_crypto = true 4. Kerberos KeyTab 1. Name: xxxx.site.example.com.keytab 2. Add IPA Host 1. `ipa host-add nas-server.site.example.com --ip-address 10.75.37.2` 3. Add service 1. `ipa service-add NFS/emc-nas-server.site.example.com@SITE.EXAMPLE.COM 4. Generate Keytab 1. `ipa-getkeytab -s ipaserver.example.com -p nfs/ emc-nas-server.site.example.com -k /tmp/emc-nas-server.keytab` 5. Upload to TrueNAS
I'm not sure of the idmap settings if they are actually useful but everything worked even though we have overlapping IDs (which TrueNas Scale complains about).
Helpful Link: https://www.freeipa.org/page/Howto/Integrating_Dell_EMC_Unity
On Tue, Oct 3, 2023 at 5:23 AM Francis Augusto Medeiros-Logeay via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On 3 Oct 2023, at 11:50, Alexander Bokovoy abokovoy@redhat.com wrote:
On Аўт, 03 кас 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,
Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos?
I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder.
I am trying from a Fedora 37 client.
As this is potentially off-topic, I’d be glad to take the discussion off-list.
That's a very interesting subject. Just today we started looking at the same thing. I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up. -- Kees
Great! If it is ok with you, please keep in touch to share how/what you accomplish.
Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem a few versions ago where the tickets wouldn’t be renewed. It is fixed now. So users and groups work.
The issue with TrueNAS, as I see it, is the idmapd configuration.
But I think we start to be very off topic, so don’t hesitate to mail me directly if you want to discuss this.
I think it can be discussed here, no problem.
Thank you, I really appreciate this, since this is a thing I’ve been working on for quite sometime, so it is really nice to have other eyes on it.
My understanding is that TrueNAS Scale uses Debian as its base. It also uses Samba components for both client (users/groups identities) integration and server (SMB shares) integration. For SMB-related configuration one can have a pretty decent setup with Samba-driven identity management, so you can define idmap ranges, plugins, etc.
For NFS case, I don't see them defining any idmapd config. If winbindd is in use already and those users/groups are provided through nsswitch, then default idmapd.conf configuration should work just fine because it'll do UID <-> kerberos principal name translation using nsswitch.
One of my pproblems is that I have a realm which is IPA.LOCAL. But my machines are machine.local. I believe that in such situations I need to define the Local-Realms attribute of the idmapd.conf, but that isn’t possible on the gui. So what happens is that when I change that on the /etc/idmapd.conf of TrueNAS, the permissions seem to be fine, but I still can’t access the folder. And after a few minutes, the idmapd.conf of TrueNAS gets overwritten and my permissions get messes up again, and then the folders are owned by nobody:nobody.
But even when the permissions are right, I still can’t access the folder. I think it might be the ACL on TrueNAS side, but I tried with all types of ACL to no avail.
Best,
Francis _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi Kevin,
Thanks for sharing this.
My configuration is virtually identical.
The differences:
- I set LDAP encryption to «on» - I don’t validate certificates here. I do use one on the idmap configuration - I also add `map passwd loginShell loginShell` to the Auxiliary Parameters of the LDAP configuration - I have also «forwardable = yes» on my Kerberos configuration, in addition to what you have
I have also host/ and an nfs/ keytab. On my configuration, it was a host/ that was used, but I chose the nfs now, but it’s really not different.
I mount the directory, get the right permissions (sometimes), but when I access the folder, it fails:
`drwx------. 5 francis francis 14 Oct 1 20:03 test ` I changed back to LDAP for idmap, though I think Alexander Bokovoy is right, this could be NSS as well. But I don’t think I am having mapping errors here.
I wonder what could be wrong.
Best,
Francis
On Oct 3, 2023, at 16:10, Kevin Vasko via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I actually did this recently.
Full working settings configuration in TrueNAS Scale. You will need to create a BIND account which I used "svcbind". The Aux Parameters are extremely important otherwise your groups won't work correctly.
Directory Services
- Hostname: ipa.site.example.com http://ipa.site.example.com/
- Base DN: dc=site,dc=example,dc=com
- Bind DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
- Bind Password: <XXXXX>
- Kerberos Realm: SITE.EXAMPLE.COM http://site.example.com/
- Kerberos Principal: nfs/xxxx.site.example.com@SITE.EXAMPLE.COM mailto:xxxx.site.example.com@SITE.EXAMPLE.COM
- LDAP Timeout: 10
- DNS Timeout: 10
- Enable: [ x ]
- Auxiliary Parameters
base passwd cn=users,cn=accounts,dc=site,dc=example,dc=com base group cn=groups,cn=accounts,dc=site,dc=example,dc=com
encryption Mode: off
Schema: RFC2307BIS
Validate Certificates: [x]
Advanced Settings
Idmap
Idmap Backend: LDAP
DNS Domain Name: site.example.com http://site.example.com/
Range Low: 100000001
Range High: 2000000000
Base DN: dc=site,dc=example,dc=com
LDAP User DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
LDAP User DN Password: <XXXXX>
URL: ipa.site.example.com http://ipa.site.example.com/
Kerberos Realms
Realm: SITE.EXAMPLE.COM http://site.example.com/
KDC: ipa.site.example.com http://ipa.site.example.com/
Admin Servers: ipa.site.example.com http://ipa.site.example.com/
Kerberos Settings:
Libdefaults Auxiliary Parameters
default_realm = SITE.EXAMPLE.COM <http://site.example.com/> dns_lookup_kdc = true allow_weak_crypto = true 4. Kerberos KeyTab 1. Name: xxxx.site.example.com.keytab 2. Add IPA Host 1. `ipa host-add nas-server.site.example.com <http://nas-server.site.example.com/> --ip-address 10.75.37.2` 3. Add service 1. `ipa service-add NFS/emc-nas-server.site.example.com@SITE.EXAMPLE.COM <mailto:emc-nas-server.site.example.com@SITE.EXAMPLE.COM> 4. Generate Keytab 1. `ipa-getkeytab -s ipaserver.example.com <http://ipaserver.example.com/> -p nfs/emc-nas-server.site.example.com <http://emc-nas-server.site.example.com/> -k /tmp/emc-nas-server.keytab` 5. Upload to TrueNAS I'm not sure of the idmap settings if they are actually useful but everything worked even though we have overlapping IDs (which TrueNas Scale complains about). Helpful Link: https://www.freeipa.org/page/Howto/Integrating_Dell_EMC_Unity On Tue, Oct 3, 2023 at 5:23 AM Francis Augusto Medeiros-Logeay via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > >> On 3 Oct 2023, at 11:50, Alexander Bokovoy <abokovoy@redhat.com <mailto:abokovoy@redhat.com>> wrote: >> >> On Аўт, 03 кас 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: >>> >>> >>>> On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: >>>> >>>> On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: >>>>> Hi, >>>>> >>>>> Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos? >>>>> >>>>> I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder. >>>>> >>>>> I am trying from a Fedora 37 client. >>>>> >>>>> As this is potentially off-topic, I’d be glad to take the discussion off-list. >>>>> >>>> >>>> That's a very interesting subject. Just today we started looking at the same thing. >>>> I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up. >>>> -- >>>> Kees >>> >>> Great! If it is ok with you, please keep in touch to share how/what you >>> accomplish. >>> >>> Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem >>> a few versions ago where the tickets wouldn’t be renewed. It is fixed >>> now. So users and groups work. >>> >>> The issue with TrueNAS, as I see it, is the idmapd configuration. >>> >>> But I think we start to be very off topic, so don’t hesitate to mail me >>> directly if you want to discuss this. >> >> I think it can be discussed here, no problem. > > Thank you, I really appreciate this, since this is a thing I’ve been working on for quite sometime, so it is really nice to have other eyes on it. > >> My understanding is that TrueNAS Scale uses Debian as its base. It also >> uses Samba components for both client (users/groups identities) >> integration and server (SMB shares) integration. For SMB-related >> configuration one can have a pretty decent setup with Samba-driven >> identity management, so you can define idmap ranges, plugins, etc. >> >> For NFS case, I don't see them defining any idmapd config. If winbindd >> is in use already and those users/groups are provided through nsswitch, >> then default idmapd.conf configuration should work just fine because >> it'll do UID <-> kerberos principal name translation using nsswitch. > > One of my pproblems is that I have a realm which is IPA.LOCAL. But my machines are machine.local. I believe that in such situations I need to define the Local-Realms attribute of the idmapd.conf, but that isn’t possible on the gui. So what happens is that when I change that on the /etc/idmapd.conf of TrueNAS, the permissions seem to be fine, but I still can’t access the folder. And after a few minutes, the idmapd.conf of TrueNAS gets overwritten and my permissions get messes up again, and then the folders are owned by nobody:nobody. > > But even when the permissions are right, I still can’t access the folder. I think it might be the ACL on TrueNAS side, but I tried with all types of ACL to no avail. > > Best, > > Francis > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Kevin:
Could you share the ACL of the dataset you share via nfs4?
Best,
Francis
On Oct 3, 2023, at 16:10, Kevin Vasko via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I actually did this recently.
Full working settings configuration in TrueNAS Scale. You will need to create a BIND account which I used "svcbind". The Aux Parameters are extremely important otherwise your groups won't work correctly.
Directory Services
- Hostname: ipa.site.example.com http://ipa.site.example.com/
- Base DN: dc=site,dc=example,dc=com
- Bind DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
- Bind Password: <XXXXX>
- Kerberos Realm: SITE.EXAMPLE.COM http://site.example.com/
- Kerberos Principal: nfs/xxxx.site.example.com@SITE.EXAMPLE.COM mailto:xxxx.site.example.com@SITE.EXAMPLE.COM
- LDAP Timeout: 10
- DNS Timeout: 10
- Enable: [ x ]
- Auxiliary Parameters
base passwd cn=users,cn=accounts,dc=site,dc=example,dc=com base group cn=groups,cn=accounts,dc=site,dc=example,dc=com
encryption Mode: off
Schema: RFC2307BIS
Validate Certificates: [x]
Advanced Settings
Idmap
Idmap Backend: LDAP
DNS Domain Name: site.example.com http://site.example.com/
Range Low: 100000001
Range High: 2000000000
Base DN: dc=site,dc=example,dc=com
LDAP User DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
LDAP User DN Password: <XXXXX>
URL: ipa.site.example.com http://ipa.site.example.com/
Kerberos Realms
Realm: SITE.EXAMPLE.COM http://site.example.com/
KDC: ipa.site.example.com http://ipa.site.example.com/
Admin Servers: ipa.site.example.com http://ipa.site.example.com/
Kerberos Settings:
Libdefaults Auxiliary Parameters
default_realm = SITE.EXAMPLE.COM <http://site.example.com/> dns_lookup_kdc = true allow_weak_crypto = true 4. Kerberos KeyTab 1. Name: xxxx.site.example.com.keytab 2. Add IPA Host 1. `ipa host-add nas-server.site.example.com <http://nas-server.site.example.com/> --ip-address 10.75.37.2` 3. Add service 1. `ipa service-add NFS/emc-nas-server.site.example.com@SITE.EXAMPLE.COM <mailto:emc-nas-server.site.example.com@SITE.EXAMPLE.COM> 4. Generate Keytab 1. `ipa-getkeytab -s ipaserver.example.com <http://ipaserver.example.com/> -p nfs/emc-nas-server.site.example.com <http://emc-nas-server.site.example.com/> -k /tmp/emc-nas-server.keytab` 5. Upload to TrueNAS I'm not sure of the idmap settings if they are actually useful but everything worked even though we have overlapping IDs (which TrueNas Scale complains about). Helpful Link: https://www.freeipa.org/page/Howto/Integrating_Dell_EMC_Unity On Tue, Oct 3, 2023 at 5:23 AM Francis Augusto Medeiros-Logeay via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > >> On 3 Oct 2023, at 11:50, Alexander Bokovoy <abokovoy@redhat.com <mailto:abokovoy@redhat.com>> wrote: >> >> On Аўт, 03 кас 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: >>> >>> >>>> On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: >>>> >>>> On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: >>>>> Hi, >>>>> >>>>> Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos? >>>>> >>>>> I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder. >>>>> >>>>> I am trying from a Fedora 37 client. >>>>> >>>>> As this is potentially off-topic, I’d be glad to take the discussion off-list. >>>>> >>>> >>>> That's a very interesting subject. Just today we started looking at the same thing. >>>> I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up. >>>> -- >>>> Kees >>> >>> Great! If it is ok with you, please keep in touch to share how/what you >>> accomplish. >>> >>> Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem >>> a few versions ago where the tickets wouldn’t be renewed. It is fixed >>> now. So users and groups work. >>> >>> The issue with TrueNAS, as I see it, is the idmapd configuration. >>> >>> But I think we start to be very off topic, so don’t hesitate to mail me >>> directly if you want to discuss this. >> >> I think it can be discussed here, no problem. > > Thank you, I really appreciate this, since this is a thing I’ve been working on for quite sometime, so it is really nice to have other eyes on it. > >> My understanding is that TrueNAS Scale uses Debian as its base. It also >> uses Samba components for both client (users/groups identities) >> integration and server (SMB shares) integration. For SMB-related >> configuration one can have a pretty decent setup with Samba-driven >> identity management, so you can define idmap ranges, plugins, etc. >> >> For NFS case, I don't see them defining any idmapd config. If winbindd >> is in use already and those users/groups are provided through nsswitch, >> then default idmapd.conf configuration should work just fine because >> it'll do UID <-> kerberos principal name translation using nsswitch. > > One of my pproblems is that I have a realm which is IPA.LOCAL. But my machines are machine.local. I believe that in such situations I need to define the Local-Realms attribute of the idmapd.conf, but that isn’t possible on the gui. So what happens is that when I change that on the /etc/idmapd.conf of TrueNAS, the permissions seem to be fine, but I still can’t access the folder. And after a few minutes, the idmapd.conf of TrueNAS gets overwritten and my permissions get messes up again, and then the folders are owned by nobody:nobody. > > But even when the permissions are right, I still can’t access the folder. I think it might be the ACL on TrueNAS side, but I tried with all types of ACL to no avail. > > Best, > > Francis > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
freeipa-users@lists.fedorahosted.org