On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; wrote: On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: > Hi, > > Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos? > > I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder. > > I am trying from a Fedora 37 client. > > As this is potentially off-topic, I’d be glad to take the discussion off-list. > That's a very interesting subject. Just today we started looking at the same thing. I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up. -- Kees

On 3 Oct 2023, at 11:50, Alexander Bokovoy <abokovoy(a)redhat.com&gt; wrote: On Аўт, 03 кас 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: > > >> On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; wrote: >> >> On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: >>> Hi, >>> >>> Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos? >>> >>> I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder. >>> >>> I am trying from a Fedora 37 client. >>> >>> As this is potentially off-topic, I’d be glad to take the discussion off-list. >>> >> >> That's a very interesting subject. Just today we started looking at the same thing. >> I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up. >> -- >> Kees > > Great! If it is ok with you, please keep in touch to share how/what you > accomplish. > > Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem > a few versions ago where the tickets wouldn’t be renewed. It is fixed > now. So users and groups work. > > The issue with TrueNAS, as I see it, is the idmapd configuration. > > But I think we start to be very off topic, so don’t hesitate to mail me > directly if you want to discuss this. I think it can be discussed here, no problem.

My understanding is that TrueNAS Scale uses Debian as its base. It also uses Samba components for both client (users/groups identities) integration and server (SMB shares) integration. For SMB-related configuration one can have a pretty decent setup with Samba-driven identity management, so you can define idmap ranges, plugins, etc. For NFS case, I don't see them defining any idmapd config. If winbindd is in use already and those users/groups are provided through nsswitch, then default idmapd.conf configuration should work just fine because it'll do UID <-> kerberos principal name translation using nsswitch.

On Oct 3, 2023, at 16:10, Kevin Vasko via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; wrote: I actually did this recently. Full working settings configuration in TrueNAS Scale. You will need to create a BIND account which I used "svcbind". The Aux Parameters are extremely important otherwise your groups won't work correctly. Directory Services 1. Hostname: ipa.site.example.com <http://ipa.site.example.com/> 2. Base DN: dc=site,dc=example,dc=com 3. Bind DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com 4. Bind Password: <XXXXX> 5. Kerberos Realm: SITE.EXAMPLE.COM <http://site.example.com/> 6. Kerberos Principal: nfs/xxxx.site.example.com(a)SITE.EXAMPLE.COM <mailto:xxxx.site.example.com@SITE.EXAMPLE.COM> 7. LDAP Timeout: 10 8. DNS Timeout: 10 9. Enable: [ x ] 10. Auxiliary Parameters ``` base passwd cn=users,cn=accounts,dc=site,dc=example,dc=com base group cn=groups,cn=accounts,dc=site,dc=example,dc=com ``` 11. encryption Mode: off 12. Schema: RFC2307BIS 13. Validate Certificates: [x] 1. Advanced Settings 1. Idmap 1. Idmap Backend: LDAP 2. DNS Domain Name: site.example.com <http://site.example.com/> 3. Range Low: 100000001 4. Range High: 2000000000 5. Base DN: dc=site,dc=example,dc=com 6. LDAP User DN: uid=svcbind,cn=users,cn=accounts,dc=site,dc=example,dc=com 7. LDAP User DN Password: <XXXXX> 8. URL: ipa.site.example.com <http://ipa.site.example.com/> 2. Kerberos Realms 1. Realm: SITE.EXAMPLE.COM <http://site.example.com/> 2. KDC: ipa.site.example.com <http://ipa.site.example.com/> 3. Admin Servers: ipa.site.example.com <http://ipa.site.example.com/> 3. Kerberos Settings: 1. Libdefaults Auxiliary Parameters ``` default_realm = SITE.EXAMPLE.COM <http://site.example.com/> dns_lookup_kdc = true allow_weak_crypto = true 4. Kerberos KeyTab 1. Name: xxxx.site.example.com.keytab 2. Add IPA Host 1. `ipa host-add nas-server.site.example.com <http://nas-server.site.example.com/> --ip-address 10.75.37.2` 3. Add service 1. `ipa service-add NFS/emc-nas-server.site.example.com(a)SITE.EXAMPLE.COM <mailto:emc-nas-server.site.example.com@SITE.EXAMPLE.COM> 4. Generate Keytab 1. `ipa-getkeytab -s ipaserver.example.com <http://ipaserver.example.com/> -p nfs/emc-nas-server.site.example.com <http://emc-nas-server.site.example.com/> -k /tmp/emc-nas-server.keytab` 5. Upload to TrueNAS I'm not sure of the idmap settings if they are actually useful but everything worked even though we have overlapping IDs (which TrueNas Scale complains about). Helpful Link: https://www.freeipa.org/page/Howto/Integrating_Dell_EMC_Unity On Tue, Oct 3, 2023 at 5:23 AM Francis Augusto Medeiros-Logeay via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > >> On 3 Oct 2023, at 11:50, Alexander Bokovoy <abokovoy(a)redhat.com <mailto:abokovoy@redhat.com>> wrote: >> >> On Аўт, 03 кас 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: >>> >>> >>>> On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: >>>> >>>> On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: >>>>> Hi, >>>>> >>>>> Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares with kerberos? >>>>> >>>>> I manage to mount the shares, the folder seems to have the right permissions, but I get permission denied when trying to access the folder. >>>>> >>>>> I am trying from a Fedora 37 client. >>>>> >>>>> As this is potentially off-topic, I’d be glad to take the discussion off-list. >>>>> >>>> >>>> That's a very interesting subject. Just today we started looking at the same thing. >>>> I have no idea yet how to do this, so I too would like to know if somebody has succeeded to set this up. >>>> -- >>>> Kees >>> >>> Great! If it is ok with you, please keep in touch to share how/what you >>> accomplish. >>> >>> Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem >>> a few versions ago where the tickets wouldn’t be renewed. It is fixed >>> now. So users and groups work. >>> >>> The issue with TrueNAS, as I see it, is the idmapd configuration. >>> >>> But I think we start to be very off topic, so don’t hesitate to mail me >>> directly if you want to discuss this. >> >> I think it can be discussed here, no problem. > > Thank you, I really appreciate this, since this is a thing I’ve been working on for quite sometime, so it is really nice to have other eyes on it. > >> My understanding is that TrueNAS Scale uses Debian as its base. It also >> uses Samba components for both client (users/groups identities) >> integration and server (SMB shares) integration. For SMB-related >> configuration one can have a pretty decent setup with Samba-driven >> identity management, so you can define idmap ranges, plugins, etc. >> >> For NFS case, I don't see them defining any idmapd config. If winbindd >> is in use already and those users/groups are provided through nsswitch, >> then default idmapd.conf configuration should work just fine because >> it'll do UID <-> kerberos principal name translation using nsswitch. > > One of my pproblems is that I have a realm which is IPA.LOCAL. But my machines are machine.local. I believe that in such situations I need to define the Local-Realms attribute of the idmapd.conf, but that isn’t possible on the gui. So what happens is that when I change that on the /etc/idmapd.conf of TrueNAS, the permissions seem to be fine, but I still can’t access the folder. And after a few minutes, the idmapd.conf of TrueNAS gets overwritten and my permissions get messes up again, and then the folders are owned by nobody:nobody. > > But even when the permissions are right, I still can’t access the folder. I think it might be the ACL on TrueNAS side, but I tried with all types of ACL to no avail. > > Best, > > Francis > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue