On Tue, 03 Oct 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> On 2 Oct 2023, at 15:12, Kees Bakker via FreeIPA-users
> <[email protected]> wrote:
>
>> On 02-10-2023 09:40, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>> Hi,
>>>
>>> Has anyone here configured a TrueNAS joined to FreeIPA to share NFSv4 shares
>>> with kerberos?
>>>
>>> I manage to mount the shares, the folder seems to have the right permissions,
>>> but I get permission denied when trying to access the folder.
>>>
>>> I am trying from a Fedora 37 client.
>>>
>>> As this is potentially off-topic, I’d be glad to take the discussion off-list.
>>
>> That's a very interesting subject. Just today we started looking at the same
>> thing.
>> I have no idea yet how to do this, so I too would like to know if somebody has
>> succeeded in setting this up.
>> --
>> Kees
>
> Great! If it is ok with you, please keep in touch to share how/what you
> accomplish.
>
> Here, I have managed to join TrueNAS to FreeIPA. TrueNAS had a problem
> a few versions ago where the tickets wouldn’t be renewed. It is fixed
> now. So users and groups work.
>
> The issue with TrueNAS, as I see it, is the idmapd configuration.
>
> But I think we start to be very off topic, so don’t hesitate to mail me
> directly if you want to discuss this.

I think it can be discussed here, no problem.

My understanding is that TrueNAS Scale uses Debian as its base. It also
uses Samba components for both client (users/groups identities)
integration and server (SMB shares) integration. For SMB-related
configuration one can have a pretty decent setup with Samba-driven
identity management, so you can define idmap ranges, plugins, etc.

For the NFS case, I don't see them defining any idmapd config. If winbindd
is in use already and those users/groups are provided through nsswitch,
then default idmapd.conf configuration should work just fine because
it'll do UID <-> kerberos principal name translation using nsswitch.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
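
Added example, not part of the thread: a simplified Python model of the translation described in the reply above, where the nsswitch method strips the NFSv4 domain from `user@domain` and resolves the rest through NSS. The config text, domain names, UIDs and the dict standing in for NSS are constructed, the `nobody` fallback and `default_domain` parameter are assumptions, and this is not libnfsidmap's own code.

```python
import configparser

# Constructed sample; only the keys the nsswitch method depends on.
SAMPLE_IDMAPD_CONF = """
[General]
Domain = ipa.example.test

[Translation]
Method = nsswitch
"""

# Constructed stand-in for getpwnam()/getpwuid() answers served through
# nsswitch (on a real host these would come from winbindd or sssd).
SAMPLE_NSS = {"alice": 1668000004, "nobody": 65534}


def load_settings(conf_text, default_domain):
    """Return (domain, methods, nobody_user), applying fallbacks for unset keys.

    default_domain stands in for the value idmapd derives from the host
    when Domain is not set (assumption: passed in by the caller).
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    domain = cfg.get("General", "Domain", fallback=default_domain).lower()
    method = cfg.get("Translation", "Method", fallback="nsswitch")
    nobody = cfg.get("Mapping", "Nobody-User", fallback="nobody")
    return domain, [m.strip() for m in method.split(",")], nobody


def name_to_uid(nfs_name, settings, nss):
    """Map an owner string (user@domain) to a local UID via NSS."""
    domain, methods, nobody = settings
    if "nsswitch" not in methods:
        raise ValueError("this model only covers Method = nsswitch")
    local, _, name_domain = nfs_name.rpartition("@")
    # A foreign domain or a name NSS cannot resolve ends up as nobody,
    # which then shows up as "permission denied" on otherwise correct modes.
    if not local or name_domain.lower() != domain or local not in nss:
        return nss[nobody]
    return nss[local]


def uid_to_name(uid, settings, nss):
    """Map a local UID to user@domain; None if NSS does not know the UID."""
    domain = settings[0]
    by_uid = {v: k for k, v in nss.items()}
    return f"{by_uid[uid]}@{domain}" if uid in by_uid else None
```

The mismatch case is the one to check first on a real pair of hosts: compare the effective Domain on client and server and confirm `getent passwd <user>` resolves on both.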