The nfs export on the nfs server is:

/export/daten *(rw,fsid=0,sec=krb5:krb5i:krb5p)


Markus Roth

François Cami <fcami@redhat.com> wrote on 18 March 2020 at 19:19:


On Wed, Mar 18, 2020 at 7:07 PM Markus Roth <markus@die5roths.de> wrote:
>
Hi François,
I was able to achieve a small success with manual mounting. Instead of the following mount command:
mount -t nfs4 -o sec=krb5 nfs-server.example.com:/ /<mountpoint>
I changed this up to:
mount -t nfs4 -o sec=krb5i nfs-server.example.com:/ /<mountpoint>

If this works, how is the NFS file system exported in the first place?
This smells like it's exported krb5i-only, or krb5i+krb5p-only, not krb5.

See:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/storage_administration_guide/s1-nfs-client-config-options
for an explanation of the difference.
with that at least every user can access all directories and files from the workstation's mountpoint.
I will create the necessary log files and make them, as soon as possible, available.
>
Markus Roth
François Cami <fcami@redhat.com> wrote on 18 March 2020 at 18:53:
>
Hi,
On Wed, Mar 18, 2020 at 4:37 PM Markus Roth via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
>
Hi Daniel,
Thanks for pointing out the faulty mounting options. I changed it, but the NFS share is still not mounted.
I also checked the IPA service principal for NFS, and both server and client principals exist. I deleted all configurations and set this up step by step again as described in the Red Hat doc.
>
Can you show what your automount entries look like in LDAP?
We also need sssd debug logs. Put debug level to 6 or more, restart
sssd and trigger the issue again.
Thank you,
François
Regards / Mit freundlichen Grüßen,
Markus Roth
dbischof@hrz.uni-kassel.de wrote on 16 March 2020 at 09:23:
Hi Markus,
On Sun, 15 Mar 2020, Markus Roth via FreeIPA-users wrote:
I configured an automount location in my freeipa:
#>automount -m
autofs dump map information
===========================
global options: none configured
Mount point: /-
source(s):
100000000|lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
failed to read map
Mount point: /Share
source(s):
instance type(s): sss
map: auto.public
public | -fstype=nfs4,rw.sec=krb5,soft,rsize=8192,rsize=8192 nfs.example.com:/
The /etc/exports on my nfs server looks as follows:
/export/data *(rw,fsid=0,sec=krb5:krb5i:krb5p)
When I mount the nfs share with the root user on the client:
kinit <user>
mount -vvv -t nfs4 -o sec=krb5 idefix.example.com:/ /Share
The root user can access the files mounted on the /Share directory.
But the <user> itself gets the message:
"access denied"
Automounting the share on the directory failed. Nothing is mounted.
Any hints to solve this will be appreciated!
Are you positively sure that you have a properly configured IPA service
principal for NFS? Last time I had this, I simply forgot that. Also, there is
a suspicious-looking dot in your mount options ("... rw.sec=krb5 ...").
Mit freundlichen Gruessen/With best regards,
--Daniel.
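
An added example, not part of the thread and not FreeIPA or autofs code: a small lint for a map entry in the `automount -m` dump format quoted above, checked against the `/etc/exports` line. The function names are hypothetical, and it assumes that no NFS mount option name legitimately contains a dot.

```python
import re

# Both lines are copied from the thread; FIXED_ENTRY is constructed for comparison.
EXPORT_LINE = "/export/data *(rw,fsid=0,sec=krb5:krb5i:krb5p)"
MAP_ENTRY = "public | -fstype=nfs4,rw.sec=krb5,soft,rsize=8192,rsize=8192 nfs.example.com:/"
FIXED_ENTRY = "public | -fstype=nfs4,rw,sec=krb5,soft,rsize=8192 nfs.example.com:/"


def export_flavors(exports_line):
    """Return the sec= flavors an /etc/exports entry offers, in order."""
    m = re.search(r"\(([^)]*)\)", exports_line)
    for opt in (m.group(1).split(",") if m else []):
        if opt.startswith("sec="):
            return opt[4:].split(":")
    return ["sys"]  # exports(5): sys is the default flavor when sec= is omitted


def check_map_entry(entry, offered):
    """Lint the option field of one 'key | -options location' map entry."""
    _, rest = entry.split("|", 1)
    opt_field = rest.split()[0].lstrip("-")
    findings, seen, sec = [], set(), None
    for opt in opt_field.split(","):
        name, _, value = opt.partition("=")
        if "." in name:  # assumption: option names never contain '.'
            findings.append(f"malformed option {opt!r}: '.' where ',' was meant?")
            continue
        if name in seen:
            findings.append(f"duplicate option {name!r}")
        seen.add(name)
        if name == "sec":
            sec = value
    if sec is None:
        findings.append("no sec= option parsed; Kerberos flavor not requested explicitly")
    elif sec not in offered:
        findings.append(f"sec={sec} is not offered by the export ({':'.join(offered)})")
    return findings


if __name__ == "__main__":
    offered = export_flavors(EXPORT_LINE)
    for label, entry in (("as posted", MAP_ENTRY), ("fixed", FIXED_ENTRY)):
        print(label, "->", check_map_entry(entry, offered) or "ok")
```

Because `rw.sec=krb5` is read as a single option named `rw.sec`, the entry as posted carries no usable `sec=` setting at all.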