NFS, autofs, and kerberos principals
Okay, so I have an IPA realm set up, using external DNS. I built an NFS server, joined it to the realm, and added the nfs service principal and keytab to the IPA server. I created the exports file and configured my firewall for NFS. I set up automount maps on the IPA server (the maps are in /etc/auto.master and auto.direct, and the automount "keys" have been added to the IPA realm).
I am having trouble with the IPA server not mounting the exports from the NFS server...it mounts the root export with the mount command, but not the additional exports below the root. When I use the 'mount' command from the IPA server, the NFS server log says that it authenticated a request to mount, but the IPA server says it was denied access. I am trying to use NFSv4 with krb5p (preferably). I got sec=sys running for a while, but then that stopped working while I was trying to get the Kerberos realm authentication working. I haven't gotten automount maps working across the net yet (although I did get autofs working on the NFS server itself).
Do I need to have IPA realm users added before I can (auto)mount NFS shares? I do not have any IPA users configured yet besides the default admin. How do I (auto)mount a share using a Kerberos ticket rather than just as the root user?
Do I need to have HBAC rules or service principals added for clients of services? Do I need a service principal keytab on every NFS client machine?
Do I need to have HBAC rules or service principals added for users, so they can access NFSv4 shares (krb5*) mounted with autofs?
Pardon me if some of these questions seem clueless. This is my first deep dive into the IPA/IdM realm...it'll click eventually.
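The following is an added preflight script, not part of the post above and not FreeIPA or nfs-utils code. It checks the things that have to line up before a sec=krb5p NFSv4 mount can succeed in an IPA realm: every export and autofs map entry actually asks for a Kerberos flavour instead of silently falling back to sec=sys, and the keytab on the machine carries the principal that rpc.gssd will use (nfs/ on the server, host/ on every client, which ipa-client-install installs). The hostnames nfs.example.test and client.example.test, the realm EXAMPLE.TEST, the paths, and all sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for an NFSv4
# export secured with sec=krb5p in a FreeIPA realm. Hostnames, realm, paths
# and the sample command outputs below are constructed.

# lines_missing_krb5: read /etc/exports or autofs map lines on stdin and
# print the ones that would still end up as sec=sys (no sec= option at all,
# or a sec= list that includes sys). Exit 1 if any line was printed, else 0.
lines_missing_krb5() {
  awk '
    /^[ \t]*(#|$)/ { next }                         # skip comments and blanks
    !/sec=krb5[ip]?/ || /sec=[^,) \t]*sys/ { print; bad = 1 }
    END { exit bad + 0 }'
}

# keytab_has_principal SERVICE FQDN: read "klist -k" output on stdin and
# succeed if an entry SERVICE/FQDN@REALM is present. rpc.gssd needs a host/
# (or nfs/) key for this host in /etc/krb5.keytab to build the machine
# credential that performs the mount itself.
keytab_has_principal() {
  grep -qF " $1/$2@"
}

# Constructed sample /etc/exports. fsid=0 marks the NFSv4 pseudo-root, so a
# client mounts sub-exports by their path below it (nfs.example.test:/data,
# not /export/data); crossmnt lets lookups descend into nested exports.
EXPORTS_SAMPLE='# /etc/exports (constructed)
/export        *(rw,sec=krb5p,fsid=0,crossmnt)
/export/data   *(rw,sec=krb5p)
/export/legacy *(rw,sec=sys)
/export/home   *(rw)'

# Constructed direct map in the form it is stored in an IPA automount location.
AUTO_DIRECT_SAMPLE='/mnt/data   -fstype=nfs4,sec=krb5p   nfs.example.test:/data
/mnt/legacy -fstype=nfs4,sec=sys     nfs.example.test:/legacy'

# Constructed "klist -k /etc/krb5.keytab" output as seen on the NFS server.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/nfs.example.test@EXAMPLE.TEST
   2 nfs/nfs.example.test@EXAMPLE.TEST'

# live_preflight: the same checks against the running host. Only run when
# invoked with --live; service and file names are the nfs-utils/ipa-client
# defaults on Fedora/RHEL-style systems (an assumption for other distros).
live_preflight() {
  fqdn=$(hostname -f)
  echo "== principals for $fqdn in /etc/krb5.keytab"
  for svc in host nfs; do
    if klist -k /etc/krb5.keytab | keytab_has_principal "$svc" "$fqdn"; then
      echo "ok:      $svc/$fqdn"
    else
      echo "missing: $svc/$fqdn"
    fi
  done
  echo "== rpc-gssd (must be active on a client for any sec=krb5*)"
  systemctl is-active rpc-gssd || echo "rpc-gssd is not active"
  if [ -r /etc/exports ]; then
    echo "== export lines that still allow sec=sys"
    lines_missing_krb5 </etc/exports && echo "(none)"
  fi
}

if [ "${1:-}" = "--live" ]; then
  live_preflight
fi
```

Run it with `--live` on the NFS server and on each client; on a client the nfs/ principal is expected to be missing and only host/ matters. Two points the script cannot check but that the questions above touch on: the mount itself uses the machine credential from the keytab, so no IPA user has to exist for autofs or `mount` to work, but any process that then reads the share, root included, needs a Kerberos ticket of its own (a kinit, or an sssd login) or it is denied; and the maps kept in IPA reach a client's autofs through `ipa-client-automount`, which points autofs at the IPA automount location via sssd rather than at local files.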