Re: [Freeipa-users] Freeipa-users Digest, Vol 90, Issue 9

2016-01-05 Thread Rob Crittenden
BlueBolt wrote:
> Wow, that's fairly horrifying stuff, Rob.  All of my NFS servers (and
> current ldap-auth'd clients, which are not migrated to ipa-client) are
> constrained to nfs3.  I have no plans to v4 any of my nfs infrastructure
> apart from one server eventually which will serve mostly Macs for acl
> richness.  At any rate:
> 
> "To use GSS-Proxy with the NFS server you need a recent enough kernel.
> Anything more recent than 3.10 should work just fine."
> 
> Servers are CentOS6 and Nexenta where they'll remain for the foreseeable
> future.
> 
> Surely this is anticipated somewhere in the ipa/sssd universe allowing
> autofs to act in some autonomous way as it does currently with ldap backend?

I think you're confusing things. This doesn't remove any existing
behavior. You can still use ldap auth against autofs if you want, and
that is the default in ipa-client-automount using the host credentials.

But that isn't what you originally asked about. You asked about the
mounts themselves requiring Kerberos security. If you want Kerberos
in the NFS mounts there is more pain in EL 6 than in EL 7. The typical
workaround is to use a keytab.

We can only move the earth so much at a time.

rob

> 
> thank you,
> 
> - cal sawyer
> 
>> Date: Mon, 4 Jan 2016 14:07:40 -0500
>> From: Rob Crittenden
>> To: Cal Sawyer, freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] IPA, autofs, kerberos
>> Message-ID: <568ac2fc.6080...@redhat.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Cal Sawyer wrote:
>>> Hi
>>>
>>> After getting autofs working using automountmaps in IPA, i've discovered
>>> that upon rebooting a client i have no automounts.  If i ssh into the
>>> client and obtain a ticket as admin, after restarting autofs (as root),
>>> I can once again see access automounted directories.  Until then, user
>>> logins which depend on network home mount consistently fail
>>>
>>> Question is, how can this be made automatic on reboot?
>>
>> Credentials are needed to do the mounts so it depends on what
>> credentials you want/need to use for that. What mounts are these that
>> require Kerberos, home directories or something else?
>>
>> GSS-Proxy can do this unattended,
>> https://fedorahosted.org/gss-proxy/wiki/NFS
>>
>> rob
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Freeipa-users Digest, Vol 90, Issue 9

2016-01-05 Thread BlueBolt
Wow, that's fairly horrifying stuff, Rob.  All of my NFS servers (and current 
ldap-auth'd clients, which are not migrated to ipa-client) are constrained to 
nfs3.  I have no plans to v4 any of my nfs infrastructure apart from one server 
eventually which will serve mostly Macs for acl richness.  At any rate:
"To use GSS-Proxy with the NFS server you need a recent enough kernel. Anything 
more recent than 3.10 should work just fine."

Servers are CentOS6 and Nexenta where they'll remain for the foreseeable future.

Surely this is anticipated somewhere in the ipa/sssd universe allowing autofs 
to act in some autonomous way as it does currently with ldap backend?

thank you,

- cal sawyer

> Date: Mon, 4 Jan 2016 14:07:40 -0500
> From: Rob Crittenden 
> To: Cal Sawyer , freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA, autofs, kerberos
> Message-ID: <568ac2fc.6080...@redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Cal Sawyer wrote:
>> Hi
>> 
>> After getting autofs working using automountmaps in IPA, i've discovered
>> that upon rebooting a client i have no automounts.  If i ssh into the
>> client and obtain a ticket as admin, after restarting autofs (as root),
>> I can once again see access automounted directories.  Until then, user
>> logins which depend on network home mount consistently fail
>> 
>> Question is, how can this be made automatic on reboot?
> 
> Credentials are needed to do the mounts so it depends on what
> credentials you want/need to use for that. What mounts are these that
> require Kerberos, home directories or something else?
> 
> GSS-Proxy can do this unattended,
> https://fedorahosted.org/gss-proxy/wiki/NFS
> 
> rob