grumble grumble. Do you know a bug ID or something similar I can search on? FWIW, FreeIPA server is CentOS 6.5, but the client is Ubuntu 14. Hopefully that makes a fix easier. :/
d:s
===================================
*Daniel Shown,* Linux Systems Administrator
Advanced Technology Group
Information Technology Services <http://www.slu.edu/its>
at Saint Louis University <http://www.slu.edu/>.
314-977-2583
===================================
"The aim of education is the knowledge, not of facts, but of values." — William S. Burroughs
"I’m supposed to be a scientific person but I use intuition more than logic in making basic decisions." — Seymour R. Cray

On Mon, Aug 11, 2014 at 1:51 PM, Alexander Bokovoy <[email protected]> wrote:

> On Mon, 11 Aug 2014, Daniel Shown wrote:
>
>> I’m trying to get a client to respect an NFS4 ACL for a directory. I’ve got
>> users in FreeIPA that match a subset of users in AD. The NFS server is a
>> FreeBSD box that I’ve got config’ed to use FreeIPA as an LDAP service in
>> nsswitch for providing uids. I use setfacl there with just the uid. The
>> FreeIPA client with the NFS mount (not kerberized) is an Ubuntu 14.04 bound
>> to a FreeIPA 3.0 server (running on CentOS 6.5). I’ve got the FreeIPA 3.0
>> server configured with a trust with an AD domain. My krb5.conf has
>> dns_lookup_kdc = true and
>> auth_to_local = RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/
>> and my sssd.conf has the standard subdomains_provider = ipa and
>> services = ..., pac along with a full_name_format = %1$s to strip the
>> realm name off when displaying the username. From what I understand about
>> NFS ACLs, they should respect the uid reported, which matches, and ignore
>> uidnumbers (which don’t match). From the FreeIPA client I can authenticate
>> as an AD user, but I still don’t have access to the NFS directory with ACLs
>> that should allow me to read. When I do a getfacl on the NFS server I get
>> just the uid, but when I do nfs4_getfacl on the FreeIPA/NFS client I get
>> [email protected] (and no access to the directory).
>>
>> Am I missing something?
>>
> There is a bug in NFS ID mapping code that prevents this use case from
> working. It should be fixed in recent libnfsidmap releases but I'm not
> sure it is already available in CentOS 6.5.
> --
> / Alexander Bokovoy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
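The `auth_to_local` line quoted in the thread is easy to misread, so here is a small evaluator for the MIT krb5 `RULE:[n:string](regexp)s/pattern/replacement/` syntax, applied to that exact rule. This is an added example written for this page, not code from the thread, from FreeIPA or from krb5 itself; it uses Python's `re` where krb5 uses POSIX regular expressions, which is close enough for rules like this one. The principals (`alice@AD.DOMAIN`, `nfs/host.example@AD.DOMAIN`), the local realm `IPA.EXAMPLE` and the trailing `DEFAULT` entry are constructed for the demonstration and do not appear in the thread.

```python
"""Evaluate MIT krb5 auth_to_local entries of the form
   RULE:[n:string](regexp)s/pattern/replacement/[g]   and   DEFAULT
Added example; simplified model of krb5's behaviour."""
import re
from typing import List, Optional, Tuple

# The rule exactly as quoted in the mailing-list post.
PAGE_RULE = "RULE:[1:$1@$0](^.*@AD.DOMAIN$)s/@AD.DOMAIN/@ad.domain/"

# RULE:[n:fmt] ( selector ) s/pat/rep/[g] ...
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<sel>[^)]*)\))?"
    r"(?P<subs>(?:s/(?:[^/\\]|\\.)*/(?:[^/\\]|\\.)*/g?)*)$"
)
SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def parse_rule(rule: str) -> Tuple[int, str, Optional[str], List[Tuple[str, str, bool]]]:
    """Split a RULE: entry into (component count, format string, selector, substitutions)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a RULE: entry: {rule!r}")
    subs = [(pat, rep, flag == "g") for pat, rep, flag in SUB_RE.findall(m.group("subs"))]
    return int(m.group("n")), m.group("fmt"), m.group("sel"), subs


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'nfs/host@REALM' -> (['nfs', 'host'], 'REALM'). Realm is everything after the last '@'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal without realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the mapped name, or None if this rule does not apply to the principal."""
    n, fmt, selector, subs = parse_rule(rule)
    comps, realm = split_principal(principal)
    # 1. [n:...] only applies to principals with exactly n components (realm excluded).
    if len(comps) != n:
        return None
    # 2. Expand $0 (realm) and $1..$n (components) in the format string.
    def expand(m: re.Match) -> str:
        idx = int(m.group(1))
        if idx == 0:
            return realm
        if 1 <= idx <= n:
            return comps[idx - 1]
        raise ValueError(f"${idx} referenced but principal has {n} components")
    formatted = re.sub(r"\$(\d+)", expand, fmt)
    # 3. The optional (regexp) selector must match the formatted string.
    if selector is not None and not re.search(selector, formatted):
        return None
    # 4. Apply the sed-style substitutions in order (first match only unless /g).
    for pat, rep, global_flag in subs:
        formatted = re.sub(pat, rep, formatted, count=0 if global_flag else 1)
    return formatted


def auth_to_local(values: List[str], principal: str, local_realm: str) -> Optional[str]:
    """Evaluate entries in order; the first applicable one wins. None means 'no mapping'.
    DEFAULT maps single-component principals of the local realm to their bare name."""
    for value in values:
        if value == "DEFAULT":
            comps, realm = split_principal(principal)
            if realm == local_realm and len(comps) == 1:
                return comps[0]
            continue
        mapped = apply_rule(value, principal)
        if mapped is not None:
            return mapped
    return None


if __name__ == "__main__":
    # Constructed sample principals; IPA.EXAMPLE stands in for the local IPA realm.
    for p in ["alice@AD.DOMAIN", "alice@OTHER.REALM", "nfs/host.example@AD.DOMAIN", "bob@IPA.EXAMPLE"]:
        print(f"{p:32} -> {auth_to_local([PAGE_RULE, 'DEFAULT'], p, 'IPA.EXAMPLE')}")
```

Run stand-alone it shows that the rule from the post rewrites `alice@AD.DOMAIN` to `alice@ad.domain` (realm lower-cased, which is what SSSD expects for a trusted-domain user), leaves a principal from another realm or a two-component service principal unmapped, and that only the added `DEFAULT` entry maps a local-realm user to a bare name. Note that this mapping is what the Kerberos library does at login; the `[email protected]` string that `nfs4_getfacl` shows on the client comes from the separate NFSv4 ID-mapping path (libnfsidmap), which is where Alexander places the bug, so a correct `auth_to_local` rule on its own cannot fix the ACL symptom described in the post.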
