Hi Kevin,
Thanks for sharing this.
My configuration is virtually identical.
The differences:
- I set LDAP encryption to «on»
- I don’t validate certificates here. I do use one on the idmap configuration
- I also add `map passwd loginShell loginShell` to the Auxiliary Parameters of the LDAP
configuration
- I have also «forwardable = yes» on my Kerberos configuration, in addition to what you
have
I have also host/ and an nfs/ keytab. On my configuration, it was a host/ that was used,
but I chose the nfs now, but it’s really not different.
I mount the directory, get the right permissions (sometimes), but when I access the
folder, it fails:
`drwx------. 5 francis francis 14 Oct 1 20:03 test
`
I changed back to LDAP for idmap, though I think Alexander Bokovoy is right, this could be
NSS as well. But I don’t think I am having mapping errors here.
I wonder what could be wrong.
Best,
Francis
On Oct 3, 2023, at 16:10, Kevin Vasko via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
I actually did this recently.
Full working settings configuration in TrueNAS Scale. You will need to create a BIND
account which I used "svcbind". The Aux Parameters are extremely important
otherwise your groups won't work correctly.
Directory Services
1. Hostname:
ipa.site.example.com <
http://ipa.site.example.com/>
2. Base DN: dc=site,dc=example,dc=com
3. Bind DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
4. Bind Password: <XXXXX>
5. Kerberos Realm:
SITE.EXAMPLE.COM <
http://site.example.com/>
6. Kerberos Principal: nfs/xxxx.site.example.com(a)SITE.EXAMPLE.COM
<mailto:xxxx.site.example.com@SITE.EXAMPLE.COM>
7. LDAP Timeout: 10
8. DNS Timeout: 10
9. Enable: [ x ]
10. Auxiliary Parameters
```
base passwd cn=users,cn=accounts,dc=site,dc=example,dc=com
base group cn=groups,cn=accounts,dc=site,dc=example,dc=com
```
11. encryption Mode: off
12. Schema: RFC2307BIS
13. Validate Certificates: [x]
1. Advanced Settings
1. Idmap
1. Idmap Backend: LDAP
2. DNS Domain Name:
site.example.com <
http://site.example.com/>
3. Range Low: 100000001
4. Range High: 2000000000
5. Base DN: dc=site,dc=example,dc=com
6. LDAP User DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com
7. LDAP User DN Password: <XXXXX>
8. URL:
ipa.site.example.com <
http://ipa.site.example.com/>
2. Kerberos Realms
1. Realm:
SITE.EXAMPLE.COM <
http://site.example.com/>
2. KDC:
ipa.site.example.com <
http://ipa.site.example.com/>
3. Admin Servers:
ipa.site.example.com <
http://ipa.site.example.com/>
3. Kerberos Settings:
1. Libdefaults Auxiliary Parameters
```
default_realm =
SITE.EXAMPLE.COM <
http://site.example.com/>
dns_lookup_kdc = true
allow_weak_crypto = true
4. Kerberos KeyTab
1. Name: xxxx.site.example.com.keytab
2. Add IPA Host
1. `ipa host-add
nas-server.site.example.com <
http://nas-server.site.example.com/>
--ip-address 10.75.37.2`
3. Add service
1. `ipa service-add NFS/emc-nas-server.site.example.com(a)SITE.EXAMPLE.COM
<mailto:emc-nas-server.site.example.com@SITE.EXAMPLE.COM>
4. Generate Keytab
1. `ipa-getkeytab -s
ipaserver.example.com <
http://ipaserver.example.com/> -p
nfs/emc-nas-server.site.example.com <
http://emc-nas-server.site.example.com/> -k
/tmp/emc-nas-server.keytab`
5. Upload to TrueNAS
I'm not sure of the idmap settings if they are actually useful but everything worked
even though we have overlapping IDs (which TrueNas Scale complains about).
Helpful Link:
https://www.freeipa.org/page/Howto/Integrating_Dell_EMC_Unity
On Tue, Oct 3, 2023 at 5:23 AM Francis Augusto Medeiros-Logeay via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>
>
>> On 3 Oct 2023, at 11:50, Alexander Bokovoy <abokovoy(a)redhat.com
<mailto:abokovoy@redhat.com>> wrote:
>>
>> On Аўт, 03 кас 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>>
>>>
>>>> On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>>>>
>>>> On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users
wrote:
>>>>> Hi,
>>>>>
>>>>> Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4
shares with kerberos?
>>>>>
>>>>> I manage to mount the shares, the folder seems to have the right
permissions, but I get permission denied when trying to access the folder.
>>>>>
>>>>> I am trying from a Fedora 37 client.
>>>>>
>>>>> As this is potentially off-topic, I’d be glad to take the discussion
off-list.
>>>>>
>>>>
>>>> That's a very interesting subject. Just today we started looking at
the same thing.
>>>> I have no idea yet how to do this, so I too would like to know if
somebody has succeeded to set this up.
>>>> --
>>>> Kees
>>>
>>> Great! If it is ok with you, please keep in touch to share how/what you
>>> accomplish.
>>>
>>> Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem
>>> a few versions ago where the tickets wouldn’t be renewed. It is fixed
>>> now. So users and groups work.
>>>
>>> The issue with TrueNAS, as I see it, is the idmapd configuration.
>>>
>>> But I think we start to be very off topic, so don’t hesitate to mail me
>>> directly if you want to discuss this.
>>
>> I think it can be discussed here, no problem.
>
> Thank you, I really appreciate this, since this is a thing I’ve been working on for
quite sometime, so it is really nice to have other eyes on it.
>
>> My understanding is that TrueNAS Scale uses Debian as its base. It also
>> uses Samba components for both client (users/groups identities)
>> integration and server (SMB shares) integration. For SMB-related
>> configuration one can have a pretty decent setup with Samba-driven
>> identity management, so you can define idmap ranges, plugins, etc.
>>
>> For NFS case, I don't see them defining any idmapd config. If winbindd
>> is in use already and those users/groups are provided through nsswitch,
>> then default idmapd.conf configuration should work just fine because
>> it'll do UID <-> kerberos principal name translation using nsswitch.
>
> One of my pproblems is that I have a realm which is IPA.LOCAL. But my machines are
machine.local. I believe that in such situations I need to define the Local-Realms
attribute of the idmapd.conf, but that isn’t possible on the gui. So what happens is that
when I change that on the /etc/idmapd.conf of TrueNAS, the permissions seem to be fine,
but I still can’t access the folder. And after a few minutes, the idmapd.conf of TrueNAS
gets overwritten and my permissions get messes up again, and then the folders are owned by
nobody:nobody.
>
> But even when the permissions are right, I still can’t access the folder. I think it
might be the ACL on TrueNAS side, but I tried with all types of ACL to no avail.
>
> Best,
>
> Francis
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue