Hi everyone,
I'm currently setting up a FreeIPA based central repository for our small business (few users, but a number of VMs and attached services) with 3 IPA servers. As we are a Linux-centric company, FreeIPA seems to be a good fit for our use.
Everything seems to work as expected, except for our Synology NAS and its NFSv4 shares. If I don’t set the automount to use Kerberos (no ‘-sec=krb5’ parameter), the NFS share works without a hitch. But if I do, it seems that said NAS doesn’t manage Kerberos well. Every time I try to connect a client to an NFS share, DSM more or less hangs, with an svcgssd process pegged at 100% CPU. The web UI locks up, most of the command line stops working properly, etc.
This appears to be a relatively well-known issue with svcgssd as noted here for example:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1466654
https://linux-nfs.vger.kernel.narkive.com/rpgli1dr/question-re-no-auth-data-...
The fix seems relatively simple, as I just need to set the "no_auth_data_required" setting on the affected Kerberos principal on the FreeIPA side. The problem is, how do I do this?
For a standalone KDC server, it looks like this command should do the trick:
    kadmin -p "admin@INTERNAL.DOMAIN.ORG" modify_principal +no_auth_data_required "nfs/nas.domain.tld@INTERNAL.DOMAIN.ORG"
But from what I understand, using kadmin directly with FreeIPA is not an option, and how to set the "no_auth_data_required" option with FreeIPA is not clear to me. Can anyone direct me to a solution?
For reference:
- The NAS is a Synology RS2421RP+ running DSM 7.2-64570 Update 3 (the latest). Its kernel is 4.4.302+
- We are running FreeIPA 4.10.1
- The 3 FreeIPA servers run on Rocky Linux 9.2
- The current test client is a Rocky Linux 8.7 VM, but we have a variety of Linux flavors in our environment.
- We do not have an Active Directory server and do not plan to add one.
- This FreeIPA deployment is still at an early stage.
- I have no previous experience with FreeIPA, LDAP or Kerberos, nor with AD.
Regards, Julien Fremont
On Tue, 26 Sep 2023, Julien Fremont via FreeIPA-users wrote:
You should not be using anything like that with FreeIPA. The default is already set for NFS services to not issue PAC.
$ ipa help config-mod |grep -A1 pac-type
  --pac-type=['MS-PAC', 'PAD', 'nfs:NONE']
                        Default types of PAC supported for services
By default we already have it set to NONE:
$ ipa config-show |grep 'PAC type'
  Default PAC types: MS-PAC, nfs:NONE
For individual service you can do it explicitly:
$ ipa help service-mod |grep -A3 pac-type
  --pac-type=['MS-PAC', 'PAD', 'NONE']
                        Override default list of supported PAC types.
                        Use 'NONE' to disable PAC support for this service,
                        e.g. this might be necessary for NFS services.
$ ipa service-mod nfs/nas.domain.tld --pac-type=NONE
But as I said, the default one should just work.
Can you please show your NFS service principal entry output?
    ipa service-show nfs/nas.domain.tld
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
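The reply above describes the resolution order the KDC applies: a per-service PAC type override wins, otherwise a service-qualified entry in the global default (such as nfs:NONE) applies, otherwise the unqualified global default (MS-PAC). The script below is an added example, not from this thread or the FreeIPA project; it encodes that order as a check a defender can run over `ipa config-show` and `ipa service-show --all` output. It assumes `ipa service-show --all` prints a "PAC type:" line only when the service carries an override, and the sample output embedded here is constructed to match the thread's formatting.

```shell
#!/bin/sh
# Constructed sample output modelled on the thread's `ipa config-show` and
# `ipa service-show` listings (not captured from a real server).
CONFIG_DEFAULT='Default PAC types: MS-PAC, nfs:NONE'
CONFIG_NO_NFS='Default PAC types: MS-PAC'          # someone removed nfs:NONE
SVC_NFS='  Principal name: nfs/nas.domain.tld@INTERNAL.DOMAIN.ORG
  Keytab: True
  Managed by: nas.domain.tld'
SVC_NFS_OVERRIDE='  Principal name: nfs/nas.domain.tld@INTERNAL.DOMAIN.ORG
  PAC type: NONE
  Keytab: True'
SVC_HTTP='  Principal name: HTTP/web.domain.tld@INTERNAL.DOMAIN.ORG
  Keytab: True'

# effective_pac_type PRINCIPAL SERVICE_SHOW_OUTPUT CONFIG_SHOW_OUTPUT
# Prints the PAC type(s) the KDC will apply to PRINCIPAL:
#   1. a per-service "PAC type:" override (assumed output format) wins;
#   2. otherwise a "<svc>:<type>" entry in the global default whose <svc>
#      matches the principal's service name (e.g. nfs:NONE) applies;
#   3. otherwise the unqualified global default entries apply.
effective_pac_type() {
  principal=$1; svc_out=$2; cfg_out=$3
  svc_name=${principal%%/*}                       # nfs/nas.domain.tld -> nfs
  override=$(printf '%s\n' "$svc_out" | sed -n 's/^ *PAC type: *//p')
  if [ -n "$override" ]; then
    printf '%s\n' "$override"; return 0
  fi
  defaults=$(printf '%s\n' "$cfg_out" | sed -n 's/^ *Default PAC types: *//p')
  per_svc=$(printf '%s\n' "$defaults" | tr ',' '\n' | sed -n "s/^ *$svc_name://p")
  if [ -n "$per_svc" ]; then
    printf '%s\n' "$per_svc"; return 0
  fi
  # Keep only entries without a "svc:" qualifier and re-join them with commas.
  plain=$(printf '%s\n' "$defaults" | tr ',' '\n' | sed 's/^ *//' | grep -v ':' | tr '\n' ',')
  printf '%s\n' "${plain%,}"
}

# Stand-alone demonstration of the four cases the thread touches on.
printf 'nfs, stock default, no override : %s\n' \
  "$(effective_pac_type nfs/nas.domain.tld "$SVC_NFS" "$CONFIG_DEFAULT")"
printf 'nfs, stock default, NONE override: %s\n' \
  "$(effective_pac_type nfs/nas.domain.tld "$SVC_NFS_OVERRIDE" "$CONFIG_DEFAULT")"
printf 'nfs, nfs:NONE removed from default: %s\n' \
  "$(effective_pac_type nfs/nas.domain.tld "$SVC_NFS" "$CONFIG_NO_NFS")"
printf 'HTTP, stock default              : %s\n' \
  "$(effective_pac_type HTTP/web.domain.tld "$SVC_HTTP" "$CONFIG_DEFAULT")"
```

On a real server, substitute the output of `ipa config-show` and `ipa service-show --all nfs/nas.domain.tld` for the constructed strings; a result other than NONE for the NFS principal is the misconfiguration to look for.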
If it's already supposed to be done, that explains why I couldn't find any instructions for doing it. Thank you for this detail.
Regarding the principal:
--------------------------------------
[abx-master@ipa-01.internal.domain.org ~]$ kinit admin
Password for admin@INTERNAL.DOMAIN.ORG:
[abx-master@ipa-01.internal.domain.org ~]$ ipa service-show nfs/nas.domain.tld
  Principal name: nfs/nas.domain.tld@INTERNAL.DOMAIN.ORG
  Principal alias: nfs/nas.domain.tld@INTERNAL.DOMAIN.ORG
  Keytab: True
  Managed by: nas.domain.tld
[abx-master@ipa-01.internal.domain.org ~]$
--------------------------------------
I haven't tried setting the PAC type manually yet, as if that should already be done, I guess I forgot something.
Regards, Julien Fremont