On Fri, Jan 16, 2015 at 02:34:19PM +0000, Longina Przybyszewska wrote:
Hi,
We have problems with authorization to the nfs mounted share with sec=krb5 in multi
domain AD forest environment.
When server, client and user are from the same native domain, user’s login,nfs+krb mount
and access to nfs mounted share works fine.
server(a)nat.c.example.com
client(a)nat.c.example.com
user-n(a)nat.c.example.com
When user is from another domain, login(via ssh, GUI) and nfs+krb mount works; User gets
‘Permission denied ‘ to the nfsshare for rw
server(a)nat.c.example.com
client(a)nat.c.example.com
user-a(a)adm.c.example.com
AD user test accounts (user-n, user-a) have Posix attributes ;
AD groups for Posix enabled users have Posix gids;
Test users are members of universal group usr-sdu-glu(a)c.example.com;
SSSD is configured identically on client and server:
[sssd]
domains =
nat.c.example.com
config_file_version = 2
services = nss, pam
[pam]
pam_verbosity = 3
debug_level = 9
[
domain/nat.c.example.com]
debug_level = 9
ad_domain =
nat.c.example.com
ad_hostname =
host.nat.c.example.com
krb5_realm =
NAT.C.EXAMPLE.COM
#cache_credentials = True
id_provider = ad
access_provider = ad
chpass_provider = ad
auth_provider = ad
#
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
#use_fully_qualified_names = True
fallback_homedir = /home-local/%d/%u
ldap_user_principal = userPrincipalName
------
On client machine , in the “Permission denied” session, all AD groups, ids are shown
correctly using id, getent ;
Obviousely configuring nfs idmaping requires special attention in multi domain trust (
doesn’t seem trivial using UMICH method!).
May be some other AD specifics should be considered as well .
I don't know enough about NFSv4 + Kerberos to assess whether there is
some gotcha in that part of configuration, but I'll try to answer the
rest..
In the SSSD documentation is mentioned PAC service.
Here come my questions:
Do we need PAC service enabled to get properly resolved AD groups in Kerberos context
between domains?
No. Also above you said that all groups are resolved correctly. Isn't
that the case?
IS it possible in the 1.11.7 version and with (kernel 3.13.0-44) to integrate SSSD
plugin nfsidmap_sss.so introduced first in 1.12.1?
If you compile the plugin yourself, then yes. I'm not sure if it wold
help you, though.