Hi, we have problems with authorization to an NFS-mounted share with sec=krb5 in a multi-domain AD forest environment.

When server, client and user are from the same native domain, the user's login, NFS+Kerberos mount and access to the NFS-mounted share work fine:

    ser...@nat.c.example.com  cli...@nat.c.example.com  use...@nat.c.example.com

When the user is from another domain, login (via ssh, GUI) and the NFS+Kerberos mount work, but the user gets "Permission denied" on the NFS share for rw:

    ser...@nat.c.example.com  cli...@nat.c.example.com  use...@adm.c.example.com

AD user test accounts (user-n, user-a) have POSIX attributes; AD groups for POSIX-enabled users have POSIX gids; the test users are members of the universal group usr-sdu-...@c.example.com.

SSSD is configured identically on client and server:

    [sssd]
    domains = nat.c.example.com
    config_file_version = 2
    services = nss, pam

    [pam]
    pam_verbosity = 3
    debug_level = 9

    [domain/nat.c.example.com]
    debug_level = 9
    ad_domain = nat.c.example.com
    ad_hostname = host.nat.c.example.com
    krb5_realm = NAT.C.EXAMPLE.COM
    #cache_credentials = True
    id_provider = ad
    access_provider = ad
    chpass_provider = ad
    auth_provider = ad
    # krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = False
    use_fully_qualified_names = False
    #use_fully_qualified_names = True
    fallback_homedir = /home-local/%d/%u
    ldap_user_principal = userPrincipalName
    ------

On the client machine, in the "Permission denied" session, all AD groups and ids are shown correctly using id and getent.

Obviously, configuring NFS idmapping requires special attention in a multi-domain trust (it doesn't seem trivial using the UMICH method!). Maybe some other AD specifics should be considered as well. The SSSD documentation mentions the PAC service.

Here come my questions:

1. Do we need the PAC service enabled to get properly resolved AD groups in a Kerberos context between domains?
2. Is it possible, in version 1.11.7 and with kernel 3.13.0-44, to integrate the SSSD plugin nfsidmap_sss.so that was first introduced in 1.12.1?

Best,
Longina
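An added illustration (not part of Longina's post, nor code from SSSD or libnfsidmap) of one reason NFSv4 idmapping needs special attention across domains: the default nsswitch translator in libnfsidmap only maps a Kerberos principal to a local account if the principal's realm is listed in Local-Realms in idmapd.conf; any other realm falls back to Nobody-User. The idmapd.conf fragment, the user table and the realm names below are constructed, and the mapping logic is a simplified model of that check, not the library's code.

```python
"""Constructed model of the realm check libnfsidmap's nsswitch translator
applies when turning a Kerberos principal into a local user (added example)."""
import configparser
import re

# Constructed /etc/idmapd.conf fragment. Local-Realms is the comma-separated
# list of realms whose principals may map to local accounts; if it is not
# set, the host's default Kerberos realm is used (assumption: single realm).
IDMAPD_CONF = """
[General]
Domain = nat.c.example.com
Local-Realms = NAT.C.EXAMPLE.COM

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
"""

# Constructed stand-in for the NSS passwd database SSSD would serve on the
# NFS server (the post reports that id/getent resolve both users correctly).
PASSWD = {
    "user-n": 10001,  # user from the native domain nat.c.example.com
    "user-a": 20001,  # user from the trusted domain adm.c.example.com
}


def parse_idmapd_conf(text):
    """Return the local realms (upper-cased) and the nobody user name."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    realms = cp.get("General", "Local-Realms", fallback="")
    local = [r.strip().upper() for r in realms.split(",") if r.strip()]
    if not local:  # assumption: fall back to the configured Domain, upper-cased
        local = [cp.get("General", "Domain").upper()]
    return {"local_realms": local, "nobody": cp.get("Mapping", "Nobody-User")}


def principal_to_user(principal, conf, passwd=PASSWD):
    """Map user@REALM to a local user name, or to Nobody-User when the realm
    is not local, the principal is a service principal, or NSS has no entry."""
    m = re.fullmatch(r"([^@/]+)@([^@]+)", principal)
    if not m:  # e.g. nfs/host@REALM or a malformed principal
        return conf["nobody"]
    name, realm = m.group(1), m.group(2).upper()
    if realm not in conf["local_realms"]:
        return conf["nobody"]  # cross-realm principal is squashed to nobody
    return name if name in passwd else conf["nobody"]
```

With Local-Realms listing only NAT.C.EXAMPLE.COM, user-a@ADM.C.EXAMPLE.COM is mapped to nobody even though getent resolves user-a; adding ADM.C.EXAMPLE.COM to Local-Realms lets the same principal map to user-a.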
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users