Hi Everyone,
I am trying to do the following and haven't been able to find a resource on it so I wanted to know if it's even possible.
Here is what I want to be able to do.
1. ssh to server (I have an AD credentials check working with sssd already)
2. automount a directory from a NAS on ssh login with sssd. What I would like to be able to use is an auto.master file and an auto.data file to do this and have the credentials provided via sssd. I was able to get this to work without sssd (i.e. just autofs and a credential file already), but the server is going to be accessed by many users, so a credentials file isn't the way to go about it.
Thanks,
Thomas
On Tue, 23 Aug 2016, Thomas Beaudry wrote:
> - ssh to server (I have an AD credentials check working with sssd already)
> - automount a directory from a NAS on ssh login with sssd. What I would like to be able to use is an auto.master file and an auto.data file to do this and have the credentials provided via sssd. I was able to get this to work without sssd (i.e. just autofs and a credential file already), but the server is going to be accessed by many users, so a credentials file isn't the way to go about it.
NFS/CIFS with sec=krb5. User logs in either with a delegated kerberos credential, or with a username and password.
autofs mounts a path with sec=krb5, and the user accessing it presents their credential seamlessly for authentication.
NAS box would need to support kerberos for CIFS/NFS.
jh
Hi John,
Thanks for answering.
Adding sec=krb5 to my auto.data file automounted the directory.
I noticed that the group and owner of the mounted directory is root. Would you know how to get the proper ones (from the NAS itself)?
Thanks, Thomas
On Tue, 23 Aug 2016, Thomas Beaudry wrote:
> Hi John,
> Thanks for answering.
> Adding sec=krb5 to my auto.data file automounted the directory.
> I noticed that the group and owner of the mounted directory is root. Would you know how to get the proper ones (from the NAS itself)?
It's all sorted via the idmapper, but I can't speak for how your NAS works. I'd check the documentation provided from your vendor.
/etc/idmapd.conf
Domain/Local-Realms are the important bits, and they need to suitably match client and server.
jh
Hi John,
Are you sure I have to configure idmapd? My NAS has Windows Samba shares.
Thanks, Thomas
If you are using NetApp, then it is pointless to use CIFS, as NetApp can speak NFS too. Usage of the idmapper depends on the NFS version you use: NFSv3 does not require the idmapper, but since you talk about Kerberos, you most likely use NFSv4, which does.
O.
-----Original Message-----
From: John Hodrien [mailto:J.H.Hodrien@leeds.ac.uk]
Sent: Wednesday, August 24, 2016 10:05 AM
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: autofs question
On Tue, 23 Aug 2016, Thomas Beaudry wrote:
> Hi John,
> Are you sure I have to configure idmapd? My NAS has Windows Samba shares.
If it's CIFS, then you probably want to look at:
man mount.cifs
Particularly:
cifsacl
multiuser
jh
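Added example, not written by any poster in this thread: a small shell audit of an autofs map that separates entries still relying on a shared credentials file from those using sec=krb5 (as suggested earlier in the thread), and flags CIFS entries that use Kerberos without the multiuser option mentioned above. The map contents, the host name nas.example.com and the verdict labels are constructed for illustration.

```sh
# Added example: audit how each autofs map entry authenticates.
# Map line format: <key> [-<opt,opt,...>] <location>
# classify_entry LINE -> prints "<key> <verdict>". The parenthesised body
# runs in a subshell, so the IFS and globbing changes do not leak.
classify_entry() (
    set -f                       # no filename expansion while splitting
    set -- $1                    # $1=key  $2=-options  $3=location
    key=$1 opts="" fstype=nfs krb5=no multi=no secret=no
    case "$2" in -*) opts=${2#-} ;; esac
    IFS=,
    for o in $opts; do
        case "$o" in
            fstype=*)  fstype=${o#fstype=} ;;
            sec=krb5*) krb5=yes ;;       # krb5, krb5i, krb5p
            multiuser) multi=yes ;;
            credentials=*|cred=*|password=*|pass=*) secret=yes ;;
        esac
    done
    # A CIFS mount without multiuser serves every local user with the
    # single credential that performed the mount.
    if   [ "$secret" = yes ]; then verdict=shared-secret
    elif [ "$krb5" = no ];    then verdict=no-kerberos
    elif [ "$fstype" = cifs ] && [ "$multi" = no ]; then
        verdict=krb5-single-credential
    else verdict=krb5-per-user
    fi
    echo "$key $verdict"
)

# audit_map: read a map on stdin, skipping blank lines and comments.
audit_map() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        classify_entry "$line"
    done
}

# Constructed sample map; host and share names are placeholders.
sample_map() {
    cat <<'EOF'
# /etc/auto.data
legacy   -fstype=cifs,credentials=/etc/nas.cred  ://nas.example.com/legacy
shared   -fstype=cifs,sec=krb5                   ://nas.example.com/shared
projects -fstype=cifs,sec=krb5,multiuser,cifsacl ://nas.example.com/projects
home     -fstype=nfs4,sec=krb5                   nas.example.com:/vol/home
scratch  -rw,soft                                nas.example.com:/vol/scratch
EOF
}

sample_map | audit_map
```

To audit a real map, feed it on stdin, for example `audit_map < /etc/auto.data`.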
Hi Ondrej,
Thanks for the input. So I will try NFS. Would you know how to make it work so the group and owner of the shares show up correctly after the mount?
Thanks! Thomas
Hi guys,
I'm still stuck on this. I'd be willing to give a $50 gift card to someone who can help. I found out that my NetApp uses NFSv3.
Thanks, Thomas
Oh, and I'm using a NetApp.
Hi,
Sorry for the double post of my original email - my mail server is acting very funny.
Have a nice day, Thomas
sssd-users@lists.fedorahosted.org