Hi everyone,

I'm currently setting up a FreeIPA-based central repository for our small business (few users, but a number of VMs and attached services) with 3 IPA servers. As we are a Linux-centric company, FreeIPA seems to be a good fit for our use.

Everything seems to work as expected, except regarding our Synology NAS and its NFSv4 shares. If I don't set the automount to use Kerberos (no '-sec=krb5' parameter), the NFS share works without a hitch. But if I do, it seems that said NAS doesn't manage Kerberos well. Every time I try to connect a client to an NFS share, DSM more or less hangs up with a svcgssd process pegging up at 100% CPU. The web UI locks up, most of the command line stops working properly, etc.

This appears to be a relatively well-known issue with svcgssd, as noted here for example:

https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1466654
https://linux-nfs.vger.kernel.narkive.com/rpgli1dr/question-re-no-auth-data-required

The fix seems relatively simple, as I just need to set the "no_auth_data_required" setting on the affected Kerberos principal on the FreeIPA side. The problem is, how do I do this? For a standalone KDC server, it looks like this command should do the trick:

→ kadmin -p "[email protected]" modify_principal +no_auth_data_required "nfs/[email protected]"

But from what I understand, using kadmin directly with FreeIPA is not an option. And how to set the "no_auth_data_required" option with FreeIPA is not clear to me. Can anyone direct me to a solution?

For reference:

→ The NAS is a Synology RS2421RP+ running DSM 7.2-64570 Update 3 (the latest). Its kernel is 4.4.302+
→ We are running FreeIPA 4.10.1
→ The 3 FreeIPA servers run on Rocky Linux 9.2
→ The current test client is a Rocky Linux 8.7 VM, but we have a variety of Linux flavors in our environment.
→ We do not have an Active Directory server and do not plan to add one.
→ This FreeIPA deployment is still at an early stage of deployment.
→ I have no previous experience with FreeIPA, LDAP or Kerberos, nor with AD.
Regards,
Julien Fremont
