Thanks for your answer; you sound very sceptical, so I would be very happy if you could expand on what you mean.
Is my goal possible to achieve, and is this the right strategy?
To integrate Linux into AD with SSSD, NFS-mounted home directories with Kerberos security, cross-realm authentication, and POSIX attributes for user/group objects in AD.
I have to mention that my boss supports me, and my MS admin colleagues have a positive attitude towards the project.
Best,
Longina
Best regards,
Longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-
bounces(a)lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 19 January 2015 21:51
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] idmaping, nfs4krb, AD multi domain forest
On Fri, Jan 16, 2015 at 02:34:19PM +0000, Longina Przybyszewska wrote:
>
> Hi,
> We have problems with authorization to the NFS-mounted share with
> sec=krb5 in a multi-domain AD forest environment.
>
> When server, client and user are from the same native domain, the user's
> login, nfs+krb mount and access to the NFS-mounted share work fine.
> server(a)nat.c.example.com
> client(a)nat.c.example.com
> user-n(a)nat.c.example.com
>
> When the user is from another domain, login (via ssh, GUI) and nfs+krb
> mount work; the user gets 'Permission denied' on the NFS share for rw
> server(a)nat.c.example.com
> client(a)nat.c.example.com
> user-a(a)adm.c.example.com
>
> AD user test accounts (user-n, user-a) have POSIX attributes; AD
> groups for POSIX-enabled users have POSIX gids;
>
> Test users are members of universal group usr-sdu-glu(a)c.example.com;
>
> SSSD is configured identically on client and server:
>
>
> [sssd]
> domains = nat.c.example.com
> config_file_version = 2
> services = nss, pam
>
> [pam]
> pam_verbosity = 3
> debug_level = 9
>
> [domain/nat.c.example.com]
>
> debug_level = 9
> ad_domain = nat.c.example.com
> ad_hostname = host.nat.c.example.com
> krb5_realm = NAT.C.EXAMPLE.COM
> #cache_credentials = True
> id_provider = ad
> access_provider = ad
> chpass_provider = ad
> auth_provider = ad
> #
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> use_fully_qualified_names = False
> #use_fully_qualified_names = True
> fallback_homedir = /home-local/%d/%u
> ldap_user_principal = userPrincipalName
>
> ------
> On the client machine, in the "Permission denied" session, all AD groups
> and ids are shown correctly using id and getent;
>
> Obviously configuring NFS idmapping requires special attention in a multi-
> domain trust (it doesn't seem trivial using the UMICH method!).
> Maybe some other AD specifics should be considered as well.
I don't know enough about NFSv4 + Kerberos to assess whether there is
some gotcha in that part of the configuration, but I'll try to answer the rest...
>
> In the SSSD documentation is mentioned PAC service.
> Here come my questions:
>
> Do we need the PAC service enabled to get properly resolved AD groups in
> Kerberos context between domains?
No. Also above you said that all groups are resolved correctly. Isn't that the
case?
>
> Is it possible in the 1.11.7 version and with (kernel 3.13.0-44) to integrate
> the SSSD plugin nfsidmap_sss.so introduced first in 1.12.1?
If you compile the plugin yourself, then yes. I'm not sure if it would help you,
though.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
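As an added example (not code from the thread or from the SSSD project): a small standard-library Python checker that reads an sssd.conf like the one quoted above and flags the AD-provider settings that decide how users from other domains in the forest are resolved. The notes follow the sssd.conf(5) defaults (trusted domains always use fully qualified names; ldap_id_mapping = False means uidNumber/gidNumber must exist in AD); the embedded config is a constructed copy of the one in the thread with comments removed.

```python
import configparser

# Constructed sample: the sssd.conf quoted in the thread, comments and line wrapping removed.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = nat.c.example.com
config_file_version = 2
services = nss, pam

[domain/nat.c.example.com]
ad_domain = nat.c.example.com
krb5_realm = NAT.C.EXAMPLE.COM
id_provider = ad
auth_provider = ad
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home-local/%d/%u
"""


def check_sssd_conf(text):
    """Return (domain, option, note) findings for settings that matter when users from
    other AD domains in the forest must map to the same uid on NFS client and server."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %d/%u in fallback_homedir literal
    cp.read_string(text)
    findings = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sect = "domain/" + dom
        if not cp.has_section(sect):
            findings.append((dom, "domains", "listed in [sssd] but has no [%s] section" % sect))
            continue
        if cp.get(sect, "id_provider", fallback="").lower() != "ad":
            continue  # the checks below are specific to the AD provider
        # With ldap_id_mapping = False SSSD reads uidNumber/gidNumber from AD; an object
        # without them is not returned, and that includes users/groups from trusted domains.
        if cp.getboolean(sect, "ldap_id_mapping", fallback=True) is False:
            findings.append((dom, "ldap_id_mapping",
                             "False: every user/group reaching the NFS share needs POSIX attributes in AD"))
        # use_fully_qualified_names only affects this domain; trusted-domain users are
        # always 'user@domain', so NFS idmapping must see the same name form on both hosts.
        if cp.getboolean(sect, "use_fully_qualified_names", fallback=False) is False:
            findings.append((dom, "use_fully_qualified_names",
                             "False: trusted-domain users still resolve as user@domain"))
    return findings


if __name__ == "__main__":
    for dom, opt, note in check_sssd_conf(SAMPLE_SSSD_CONF):
        print("%s: %s -> %s" % (dom, opt, note))
```

Run it on the client's and the server's sssd.conf and compare the findings; a difference between the two hosts is the first thing to rule out before looking at the NFS idmapping itself.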