LinuxQuestions.org


jdelaporte 05-19-2016 01:24 PM

Should I combine or separate IdM/FreeIPA and NFS file server?
 
I am migrating my domain off of NIS/NFS to FreeIPA/NFS or FreeIPA/SMB, if I can figure out how to make that work.

Should my IPA authentication server also be my file server, or should it be separate? There are strange sudoer trusts required to create home directories on a remote server in an IPA/IdM domain.

I add hundreds of users with a tight turnaround every 2-3 months, so I need something that works consistently without a lot of interaction.

tshikose 06-09-2016 03:01 PM

Hi,

You do not need to have separate servers.
To my knowledge, you do not need "strange sudoer trusts" to create home directories on the remote servers. You can configure your server so home directories get created at user creation.

Regards,

jdelaporte 06-09-2016 11:49 PM

NFS, autofs, and kerberos principals
 
Okay, so I have an IPA realm set up, using external DNS. I built an NFS server, joined it to the realm, and added the nfs service principal and keytab to the IPA server. I created the exports file and configured my firewall for NFS. I set up automount maps on the IPA server (the maps are in /etc/auto.master and auto.direct, and the automap "keys" have been added to the IPA realm).

I am having trouble with the IPA server not mounting the exports from the NFS server...it mounts the root export with the mount command, but not the additional exports below the root. When I use the 'mount' command from the IPA server, the NFS server log says that it authenticated a request to mount, but the IPA server says it was denied access. I am trying to use NFSv4 with krb5p (preferably). I got sec=sys running for a while, but then that stopped working while I was trying to get the kerberos realm authentication working. I haven't gotten automount maps working across the net yet (although I did get autofs working on the NFS server itself).

Do I need to have IPA realm users added before I can (auto)mount NFS shares? I do not have any IPA users configured yet besides the default admin. How do I (auto)mount a share using a kerberos ticket rather than just as root user?

Do I need to have HBAC rules or service principals added for clients of services? Do I need a service principal keytab on every NFS client machine?

Do I need to have HBAC rules or service principals added for users, so they can access NFSv4 shares (krb5*) mounted with autofs?

Pardon me if some of these questions seem clueless. This is my first deep dive into the IPA/IdM realm...it'll click eventually.
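An added check, not from the thread and not FreeIPA's or nfs-utils' own tooling, for the sec=sys fallback mentioned above: it parses a constructed exports(5) file and reports every client entry that still permits sec=sys (the default when sec= is absent, or listed as a fallback flavor) or grants no_root_squash. Python standard library only; the sample hostnames and paths are made up.

```python
import re

# Constructed sample exports(5) file for the audit (not from the thread); the
# second client on /export/home and the /export/scratch line still permit sys.
SAMPLE_EXPORTS = """\
/export          *.example.test(rw,sec=krb5p,fsid=0,crossmnt)
/export/home     *.example.test(rw,sec=krb5p) 10.0.0.0/24(rw,sec=sys) \\
                 admin.example.test(rw,sec=krb5p,no_root_squash)
/export/scratch  *(rw)   # no sec= option means the sec=sys default
"""

STRONG = {"krb5p"}  # Kerberos authentication + integrity + privacy (encryption)
_ENTRY = re.compile(r"^(?P<client>[^(\s]+)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Parse exports(5) text (comments, '\\' continuations, client(opts) lists)."""
    joined = re.sub(r"\\\n", " ", text)          # fold continued lines
    exports = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()     # strip comments
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = _ENTRY.match(entry)
            if not m:
                raise ValueError(f"unparseable export entry: {entry!r}")
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            exports.append((path, m.group("client"), opts))
    return exports


def audit_exports(text):
    """Return findings; an empty list means every client is krb5p-only."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = ["sys"]                        # exports(5) default without sec=
        for o in opts:
            if o.startswith("sec="):
                flavors = o[4:].split(":")       # sec=krb5p:sys lists allowed flavors
        weak = [f for f in flavors if f not in STRONG]
        if weak:
            findings.append(f"{path} {client}: allows sec={':'.join(weak)}")
        if "no_root_squash" in opts:
            findings.append(f"{path} {client}: no_root_squash grants remote root")
    return findings
```

Run `audit_exports(open("/etc/exports").read())` on a real server; an empty list means no client can fall back to AUTH_SYS, which is the state to confirm before debugging Kerberos mount failures.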

