On 11/30/2017 03:11 PM, Simo Sorce wrote:
> The reason why NFS wants to authenticate you is to know what uid/gid it should assign to your user (on the server) to access files. So creating a user is not necessarily a bad idea...
Naturally. I think I understand the "why" part of krb5 NFS authentication, but I'm trying to figure out how to allow access from system accounts, where creating a new user and changing the UID for an existing process would mean changing permissions on the local filesystems in addition to the NFS filesystems.
> However in some NFS servers you may be able to create mappings from principals to local users. In that case you can use a SPN (Service Principal Name) and associated keytab to gain access.
> In freeipa only users can have a 1 component principal such as "daemon@DOMAIN" normally. If you really just want to use a service I would first explore the possibility of mapping "daemon/hosts.f.q.d.n@REALM" to a user on the NFS server and then just create a normal service and get a keytab for it in IPA.
That looks like it's probably what I'm after, though I can't get it to actually work. On the NFS server, I've set '[Translation] Method = nsswitch,static' and set '[Static] daemon/f.q.d.n@REALM = daemon'. With verbosity set to an arbitrarily large value, I see what appears to be activity mapping numeric UIDs and GIDs to names, but never the reverse. There is no logged activity mapping a name to a UID, and the process which has the 'daemon/f.q.d.n@REALM' ticket gets access as the nfsnobody account. (It had no permission of any kind with no ticket.) It may be good enough to provide a ticket and no mapping, since I want it to access globally readable files, and the nfsnobody user can do that, but I would like to understand the mapping feature better than I do. I'm doing something wrong, but I'm not sure what. That seems like a question better suited for another list, though.