On Sat, 23 Nov 2019, Kevin Vasko via FreeIPA-users wrote:
So I feel we have a decent process for users on Linux (Ubuntu/CentOS)
to access NFS shares, however there is rumbling of people wanting to
use their Mac and Windows boxes to access the data shares.

The tricky part of this is we won't be able to enroll the Windows or
Mac systems into FreeIPA.

So is there a "simple" way to allow users on Mac and Windows that
can't be enrolled into the FreeIPA domain to access kerberized NFS
shares? I think this is going to be difficult in general for Windows
and might have to swap to SMB?

For example, is there a way to download an SMB+Kerberos client, grab
the keys from IPA and allow users to manually authenticate with kinit
and be able to access the NFS or an SMB share?

It may be a bit outside your situation but with FreeIPA 4.8 you can
actually set up a Samba file server on an IPA client and then have Windows
clients access it over trust to Active Directory. There are a few
requirements for this, though:
- IPA masters with trust controller role must run FreeIPA 4.8.1+
- IPA client running Samba file server must run FreeIPA 4.8.1+
- You need to use POSIX ACLs to assign permissions on the IPA client
side, not Windows security tab dialogs

See "Setting up Samba on an IdM domain member"[1] for details. This
would work for Fedora 30-31 and RHEL 8.1 (CentOS rebuild of RHEL 8.1
would work too, once released). Ubuntu/Debian versions will most likely
not work because Samba there is built against Heimdal and cannot be
utilized for the purpose of setting up trust controller role in FreeIPA.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
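
A pre-flight check for the version requirements listed in the reply, added here as an example rather than taken from the thread or from FreeIPA itself: it parses the first line of `ipa --version` output ("VERSION: x.y.z, API_VERSION: ...") and flags any trust controller or Samba client below 4.8.1. The hostnames and versions in the constructed inventory are assumptions.

```shell
#!/bin/sh
# Gate the "Samba file server on an IPA client" setup on the FreeIPA
# 4.8.1+ requirement for trust controllers and the Samba client.

MIN_VERSION="4.8.1"

# version_ge A B -> exit 0 when dotted version A >= B (uses sort -V)
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# ipa_version_from_output LINE -> prints the version from an
# `ipa --version` line such as "VERSION: 4.8.1, API_VERSION: 2.235"
ipa_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^VERSION: *\([0-9][0-9.]*\).*/\1/p'
}

# check_inventory reads "host role version" lines on stdin (constructed
# input; roles other than trust-controller/samba-client are ignored),
# prints one OK/FAIL line per relevant host and returns 1 on any FAIL.
check_inventory() {
    rc=0
    while read -r host role version; do
        [ -z "$host" ] && continue
        case "$role" in
            trust-controller|samba-client) ;;
            *) continue ;;
        esac
        if version_ge "$version" "$MIN_VERSION"; then
            echo "OK   $host $role $version"
        else
            echo "FAIL $host $role $version (need >= $MIN_VERSION)"
            rc=1
        fi
    done
    return $rc
}

# Constructed inventory (assumed hostnames); the client below 4.8.1 fails.
printf '%s\n' \
    'ipa1.example.test trust-controller 4.8.2' \
    'ipa2.example.test trust-controller 4.8.1' \
    'fs.example.test samba-client 4.7.0' \
    'other.example.test nfs-server 4.6.0' | check_inventory
```

The POSIX ACL requirement is not checked here; that is a per-share `setfacl` task on the client, not a version gate.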