On Tue, 03 Oct 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,
Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with Kerberos?
I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder.
I am trying from a Fedora 37 client.
As this is potentially off-topic, I’d be glad to take the discussion off-list.
That's a very interesting subject. Just today we started looking at the same thing. I have no idea yet how to do this, so I too would like to know if somebody has succeeded in setting this up.
-- Kees
Great! If it is ok with you, please keep in touch to share how/what you accomplish.
Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem a few versions ago where the tickets wouldn’t be renewed. It is fixed now. So users and groups work.
The issue with TrueNAS, as I see it, is the idmapd configuration.
But I think we start to be very off topic, so don’t hesitate to mail me directly if you want to discuss this.
I think it can be discussed here, no problem.
My understanding is that TrueNAS Scale uses Debian as its base. It also uses Samba components for both client (users/groups identities) integration and server (SMB shares) integration. For SMB-related configuration one can have a pretty decent setup with Samba-driven identity management, so you can define idmap ranges, plugins, etc.
For the NFS case, I don't see them defining any idmapd config. If winbindd is in use already and those users/groups are provided through nsswitch, then the default idmapd.conf configuration should work just fine because it'll do UID <-> Kerberos principal name translation using nsswitch.
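
An added example, not part of the thread: a simplified Python model of the defaults the last reply relies on, useful for checking whether client and server agree on the `user@domain` suffix and whether a name resolves through nsswitch. It assumes that an unset `Method` means `nsswitch` and that an unset `Domain` falls back to the host's DNS domain; the sample files and `example.test` names are constructed.

```python
import configparser
import pwd

# Constructed sample files (not from the thread); example.test is a placeholder.
SERVER_CONF = """\
[General]
Domain = example.test
"""
CLIENT_CONF = """\
[General]
Domain = ipa.example.test

[Translation]
Method = nsswitch
"""

def effective_idmapd(conf_text, dns_domain):
    """Return (NFSv4 domain, translation methods) with defaults applied."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    sections = {name.lower(): cp[name] for name in cp.sections()}
    general = sections.get("general", {})
    translation = sections.get("translation", {})
    # Assumed defaults: Domain -> host DNS domain, Method -> nsswitch.
    domain = general.get("domain", dns_domain).strip().lower()
    methods = [m.strip().lower()
               for m in translation.get("method", "nsswitch").split(",")]
    return domain, methods

def name_to_uid(nfs_name, local_domain):
    """Simplified nsswitch-style lookup: user@domain -> UID, or None (nobody)."""
    user, _, domain = nfs_name.partition("@")
    if domain.lower() != local_domain:
        return None  # foreign domain: treated here as unmapped (nobody)
    try:
        # getpwnam goes through nsswitch (files, sss, winbind, ...)
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return None

def domain_mismatch(client_conf, server_conf, client_dns, server_dns):
    """True when the two hosts would disagree on the user@domain suffix."""
    return (effective_idmapd(client_conf, client_dns)[0]
            != effective_idmapd(server_conf, server_dns)[0])

if __name__ == "__main__":
    print(effective_idmapd(SERVER_CONF, "example.test"))
    print(domain_mismatch(CLIENT_CONF, SERVER_CONF,
                          "ipa.example.test", "example.test"))
    print(name_to_uid("root@example.test", "example.test"))
```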