On 3 Oct 2023, at 11:50, Alexander Bokovoy <abokovoy@redhat.com> wrote:

On Аўт, 03 кас 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:

On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,

Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos?

I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder.

I am trying from a Fedora 37 client.

As this is potentially off-topic, I’d be glad to take the discussion off-list.

That's a very interesting subject. Just today we started looking at the same thing.
I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up.
--
Kees

Great! If it is ok with you, please keep in touch to share how/what you
accomplish.

Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem
a few versions ago where the tickets wouldn’t be renewed. It is fixed
now. So users and groups work.

The issue with TrueNAS, as I see it, is the idmapd configuration.

But I think we start to be very off topic, so don’t hesitate to mail me
directly if you want to discuss this.

I think it can be discussed here, no problem.

Thank you, I really appreciate this, since this is a thing I’ve been working on for quite sometime, so it is really nice to have other eyes on it.

My understanding is that TrueNAS Scale uses Debian as its base. It also
uses Samba components for both client (users/groups identities)
integration and server (SMB shares) integration. For SMB-related
configuration one can have a pretty decent setup with Samba-driven
identity management, so you can define idmap ranges, plugins, etc.

For NFS case, I don't see them defining any idmapd config. If winbindd
is in use already and those users/groups are provided through nsswitch,
then default idmapd.conf configuration should work just fine because
it'll do UID <-> kerberos principal name translation using nsswitch.

One of my pproblems is that I have a realm which is IPA.LOCAL. But my machines are machine.local. I believe that in such situations I need to define the Local-Realms attribute of the idmapd.conf, but that isn’t possible on the gui. So what happens is that when I change that on the /etc/idmapd.conf of TrueNAS, the permissions seem to be fine, but I still can’t access the folder. And after a few minutes, the idmapd.conf of TrueNAS gets overwritten and my permissions get messes up again, and then the folders are owned by nobody:nobody.