On Thu, 2017-11-30 at 14:50 -0800, Gordon Messmer via FreeIPA-users
wrote:
> I'm troubleshooting a problem: A local system account (daemon) needs to 
> access a file on an NFS4 filesystem with sec=krb5.  My understanding is 
> that only processes which have a Kerberos ticket are able to access 
> files on such a filesystem, and that seems to be the case on the system 
> I'm troubleshooting.
> 
> Suppose I need a keytab to identify the "daemon" user.  I don't think I 
> want to create a new user in FreeIPA, since it would have a uid/gid that 
> conflict with the locally defined account. However, I think I do need a 
> keytab for "daemon@DOMAIN".  The ipa command doesn't seem to provide a 
> means of creating such a principal.
> 
> Should I work directly in kadmin to create the principal and export the 
> keytab?  Am I even on the right track?

The reason why NFS wants to authenticate you is to know what uid/gid
it should assign to your user (on the server) to access files. So
creating a user is not necessarily a bad idea...

However in some NFS servers you may be able to create mappings from
principals to local users. In that case you can use a SPN (Service
Principal Name) and associated keytab to gain access.

In freeipa only users can have a 1 component principal such as "daemon@
DOMAIN" normally. If you really just want to use a service I would
first explore the possibility of mapping "daemon/hosts.f.q.d.n@REALM"
to a user on the NFS server and then just create a normal service and
get a keytab for it in IPA.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
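The SPN-plus-mapping approach Simo suggests, written out as an added shell script (this is not from the thread or from the FreeIPA project). The realm, host names, IPA server, keytab path and the `[Static]` mapping form for the NFS server's idmapd configuration are assumptions for illustration; the script prints the commands by default (DRY_RUN=1) and only executes them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from FreeIPA.
# Site-specific values below are assumptions; adjust before use.
set -eu

REALM="${REALM:-EXAMPLE.COM}"                        # assumed Kerberos realm
CLIENT_FQDN="${CLIENT_FQDN:-nfsclient.example.com}"  # assumed enrolled NFS client host
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"          # assumed IPA server
LOCAL_USER="${LOCAL_USER:-daemon}"                   # local account that needs the files
KEYTAB="${KEYTAB:-/etc/daemon.keytab}"               # assumed keytab path on the client
DRY_RUN="${DRY_RUN:-1}"                              # 1 = print commands, 0 = run them

# Build the service principal "daemon/host.f.q.d.n@REALM" that IPA allows
# for a service (a one-component "daemon@REALM" would need a user entry).
spn() { printf '%s/%s@%s' "$LOCAL_USER" "$CLIENT_FQDN" "$REALM"; }

# Print a command under DRY_RUN, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# IPA side (needs admin credentials or keytab-retrieval rights for the host):
# create the service and fetch its keytab onto the client, readable only by
# the local account so no other local user can pick up its identity.
create_service_and_keytab() {
  run ipa service-add "$(spn)"
  run ipa-getkeytab -s "$IPA_SERVER" -p "$(spn)" -k "$KEYTAB"
  run chown "$LOCAL_USER" "$KEYTAB"
  run chmod 600 "$KEYTAB"
}

# NFS server side: an idmapd/nfsidmap [Static] mapping (assumed syntax, see
# nfsidmap(5)) so the SPN resolves to the local account rather than to an
# IPA user with a conflicting uid/gid.
idmap_static_fragment() {
  printf '[Translation]\nMethod = nsswitch,static\n\n[Static]\n%s = %s\n' \
    "$(spn)" "$LOCAL_USER"
}

# Credential cache rpc.gssd looks for on Linux by default for a given uid.
ccache_for_uid() { printf 'FILE:/tmp/krb5cc_%s' "$1"; }

# Client side: the daemon's own uid must hold a ticket, so kinit from the
# keytab into that cache. Tickets expire, so schedule this (cron/systemd
# timer) well inside the ticket lifetime.
client_kinit() {
  uid=$(id -u "$LOCAL_USER" 2>/dev/null || echo '<uid>')
  run su -s /bin/sh "$LOCAL_USER" -c \
    "kinit -k -t $KEYTAB -c $(ccache_for_uid "$uid") $(spn)"
}

# Print (or run) the whole plan in order.
plan() {
  create_service_and_keytab
  echo "# append to /etc/idmapd.conf on the NFS server:"
  idmap_static_fragment
  client_kinit
}

plan
```

Once the mapping is in place, a `getfattr`-free sanity check is simply to run `klist -c /tmp/krb5cc_<uid>` as the daemon user and then read a file on the export; if access is denied, check the NFS server's idmapd logs to confirm which name the SPN was translated to.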