On Wed, 29 Apr 2020, White, David via FreeIPA-users wrote:
> Is it possible to allow hosts in specific subnets to connect to a
> FreeIPA-connected server over NFS anonymously?
> e.g. I'm wondering if I could set up an HBAC rule by doing something like the
> following:
> ipa hbacsvc-add nfs-mount
> ipa hbacrule-add allow_nfs_mount
> Then attach that to the NFS server
> And then allow "anyone" to connect over NFS to that server
HBAC rules apply in PAM through use of pam_sss module. NFS servers do
not use PAM authentication, so your chances to apply HBAC rules are not
there.
> Bonus points if there's a way to restrict the source NFS
> connection by IP address or subnet
You need to look into your firewall setup.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland