We’re in the process of setting up Windows machines to authenticate against IPA and use home directories from our NFS servers with Kerberized NFS.
The process is not easy, but possible. One thing I’ve found frustrating is that documentation on Windows NFS is terrible. In particular, when you do a mount, it’s critical to get it mounted with the right UID and GID. The procedure most people are using is to set the UID and GID in the registry. That’s fine if the same person always uses the system, but it won’t work for us.
In older versions of Windows, you could set up /windows/system32/drivers/etc/passwd. But in Windows 10 they no longer seem to pay attention. The only real way to do it is with Active Directory lookup. Fortunately, IPA can handle that. The query is
(GSSAPI authenticate as machine$)
ldapsearch -Y GSSAPI -b dc=cs,dc=rutgers,dc=edu '(sAMAccountName=clh)' uidnumber gidnumber
To get the GSSAPI authentication to work, you need MACHINE$ set as an alias for the host. And you need to configure Windows to use principal canonicalization. Otherwise Kerberos ignores the alias. That means doing "ksetup /setrealmflags DOMAIN ncsupported" on Windows.
You also need to add samaccountname as an attribute for users, populate it, and make it readable and searchable.
With this, mapping works.
Of course this assumes that Windows Kerberos is set up pointing to IPA as the KDC, but there are plenty of other instructions on how to do that.
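The mapping only works when every user the Windows client looks up has a populated, readable sAMAccountName plus uidNumber and gidNumber, and when the (sAMAccountName=...) search returns exactly one entry. The script below is an added example, not code from the original post or from FreeIPA: it parses an LDIF dump (as produced by ldapsearch over the user tree), reports users the Windows NFS mapping could not resolve, and mimics the client's lookup for a single name. The embedded LDIF is constructed sample data, not real accounts; the suffix dc=example,dc=test and the user names are assumptions.

```python
"""Audit an ldapsearch LDIF dump of IPA users for the attributes the Windows
NFS client needs for AD-style identity mapping (sAMAccountName, uidNumber,
gidNumber).  Example code added to this thread; the LDIF below is constructed.
A real dump would come from something like:
  ldapsearch -Y GSSAPI -b dc=cs,dc=rutgers,dc=edu '(objectClass=posixAccount)' \
      uid sAMAccountName uidNumber gidNumber
"""
import base64
from collections import defaultdict

# Constructed sample output (assumed suffix and names, not real accounts).
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=clh,cn=users,cn=accounts,dc=example,dc=test
uid: clh
sAMAccountName: clh
uidNumber: 10001
gidNumber: 10001

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
uidNumber: 10002
gidNumber: 10002

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
sAMAccountName:: Ym9i
uidNumber: 10003

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
sAMAccountName: carol
uidNumber: 10004
gidNumber: 10004

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
uid: dave
sAMAccountName: carol
uidNumber: 10005
gidNumber: 10005

# search result
search: 2
result: 0 Success
"""

REQUIRED = ("samaccountname", "uidnumber", "gidnumber")


def parse_ldif(text):
    """Return a list of entries (dict: lowercase attribute -> list of values).
    Handles folded continuation lines (leading space), '::' base64 values,
    comment lines, and the trailing search/result lines (which have no dn)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = defaultdict(list)
        if current is None:                 # 'search:'/'result:' trailer
            continue
        current[attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit(entries):
    """Return {uid: [problems]} for users the Windows client could not map:
    missing or non-numeric attributes, and sAMAccountName values shared by
    more than one user (the client's search must return exactly one hit)."""
    problems = defaultdict(list)
    owners = defaultdict(list)
    for e in entries:
        uid = e.get("uid", e["dn"])[0]
        for attr in REQUIRED:
            if attr not in e:
                problems[uid].append(f"missing {attr}")
        for attr in ("uidnumber", "gidnumber"):
            if attr in e and not e[attr][0].isdigit():
                problems[uid].append(f"non-numeric {attr}: {e[attr][0]}")
        for name in e.get("samaccountname", []):
            owners[name.lower()].append(uid)
    for name, uids in owners.items():
        if len(uids) > 1:
            for uid in uids:
                others = sorted(set(uids) - {uid})
                problems[uid].append(f"sAMAccountName {name!r} also used by {others}")
    return dict(problems)


def resolve(entries, samaccountname):
    """Mimic the client's lookup: exactly one entry with this sAMAccountName
    (case-insensitive) carrying both numbers, else None (no mapping)."""
    hits = [e for e in entries
            if samaccountname.lower() in (v.lower() for v in e.get("samaccountname", []))]
    if len(hits) != 1:
        return None
    e = hits[0]
    try:
        return int(e.get("uidnumber", [""])[0]), int(e.get("gidnumber", [""])[0])
    except ValueError:
        return None


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for uid, issues in sorted(audit(users).items()):
        print(uid, "->", "; ".join(issues))
    print("clh maps to", resolve(users, "clh"))
```

Run it against a real dump by replacing SAMPLE_LDIF with the file contents; an empty audit result and a (uid, gid) tuple for each test user is what you want before touching the Windows side.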
I forgot to note that you use “nfsadmin” to enable to mapping.
nfsadmin mapping config addomain=krb1.cs.rutgers.edu
nfsadmin mapping config adlookup=yes
In this case I’m pointing to your KDC. I believe it will work if you use your domain name, as long as you have the appropriate DNS entries. I’m hardcoding the server because it makes debugging easier.
On Jan 9, 2019, at 12:24 PM, Charles Hedrick via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org