Thanks for sharing this.
My configuration is virtually identical.
- I don’t validate certificates here. I do use one on the idmap configuration
- I also add `map passwd loginShell loginShell` to the Auxiliary Parameters of the LDAP configuration
- I have also «forwardable = yes» on my Kerberos configuration, in addition to what you have
I have also host/ and an nfs/ keytab. On my configuration, it was a host/ that was used, but I chose the nfs now, but it’s really not different.
I mount the directory, get the right permissions (sometimes), but when I access the folder, it fails:
`drwx------. 5 francis francis 14 Oct 1 20:03 test
`
I changed back to LDAP for idmap, though I think Alexander Bokovoy is right, this could be NSS as well. But I don’t think I am having mapping errors here.
I wonder what could be wrong.
Best,
Francis
On Oct 3, 2023, at 16:10, Kevin Vasko via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I actually did this recently.
Full working settings configuration in TrueNAS Scale. You will need to create a BIND account which I used "svcbind". The Aux Parameters are extremely important otherwise your groups won't work correctly.
Directory Services
```
base passwd cn=users,cn=accounts,dc=site,dc=example,dc=com
base group cn=groups,cn=accounts,dc=site,dc=example,dc=com
```
11. encryption Mode: off
12. Schema: RFC2307BIS
13. Validate Certificates: [x]
1. Advanced Settings
1. Idmap
1. Idmap Backend: LDAP
2. DNS Domain Name:
site.example.com 3. Range Low: 100000001
4. Range High: 2000000000
5. Base DN: dc=site,dc=example,dc=com
6. LDAP User DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
7. LDAP User DN Password: <XXXXX>
8. URL:
ipa.site.example.com 2. Kerberos Realms
3. Kerberos Settings:
1. Libdefaults Auxiliary Parameters
```
default_realm =
SITE.EXAMPLE.COM dns_lookup_kdc = true
allow_weak_crypto = true
4. Kerberos KeyTab
1. Name: xxxx.site.example.com.keytab
2. Add IPA Host
3. Add service
4. Generate Keytab
5. Upload to TrueNAS
I'm not sure of the idmap settings if they are actually useful but everything worked even though we have overlapping IDs (which TrueNas Scale complains about).
Helpful Link:
On Аўт, 03 кас 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,
Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos?
I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder.
I am trying from a Fedora 37 client.
As this is potentially off-topic, I’d be glad to take the discussion off-list.
That's a very interesting subject. Just today we started looking at the same thing.
I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up.
--
Kees
Great! If it is ok with you, please keep in touch to share how/what you
accomplish.
Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem
a few versions ago where the tickets wouldn’t be renewed. It is fixed
now. So users and groups work.
The issue with TrueNAS, as I see it, is the idmapd configuration.
But I think we start to be very off topic, so don’t hesitate to mail me
directly if you want to discuss this.
I think it can be discussed here, no problem.
Thank you, I really appreciate this, since this is a thing I’ve been working on for quite sometime, so it is really nice to have other eyes on it.
My understanding is that TrueNAS Scale uses Debian as its base. It also
uses Samba components for both client (users/groups identities)
integration and server (SMB shares) integration. For SMB-related
configuration one can have a pretty decent setup with Samba-driven
identity management, so you can define idmap ranges, plugins, etc.
For NFS case, I don't see them defining any idmapd config. If winbindd
is in use already and those users/groups are provided through nsswitch,
then default idmapd.conf configuration should work just fine because
it'll do UID <-> kerberos principal name translation using nsswitch.
One of my pproblems is that I have a realm which is IPA.LOCAL. But my machines are machine.local. I believe that in such situations I need to define the Local-Realms attribute of the idmapd.conf, but that isn’t possible on the gui. So what happens is that when I change that on the /etc/idmapd.conf of TrueNAS, the permissions seem to be fine, but I still can’t access the folder. And after a few minutes, the idmapd.conf of TrueNAS gets overwritten and my permissions get messes up again, and then the folders are owned by nobody:nobody.
But even when the permissions are right, I still can’t access the folder. I think it might be the ACL on TrueNAS side, but I tried with all types of ACL to no avail.
Best,
Francis
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue