Hi all,
Just put together a few findings about kerberized NFS & AD. See here: https://ovalousek.wordpress.com/2015/10/15/enable-kerberized-nfs-with-sssd-and-active-directory/
Ondrej
On 20 October 2015 at 12:33, Ondrej Valousek Ondrej.Valousek@s3group.com wrote:
Hi all,
Just put together few findings about kerberized NFS & AD. See here:
https://ovalousek.wordpress.com/2015/10/15/enable-kerberized-nfs-with-sssd-and-active-directory/
Thanks for this, I've had another attempt to get an AD-sssd Linux client (CentOS 6.7) to connect to our Isilon cluster kerberized, but am not having much luck. When I try the mount I get:
mount.nfs: access denied by server while mounting .....
Upping idmapd verbosity to 9, I get the following: (here EXAMPLE.COM is our long domain name, where a user would be joebloggs@EXAMPLE.COM and AD.INT is the short domain name):
https://gist.github.com/jberanek/3c8a1a10704b6200dc1d
The only thing that doesn't quite fit from your guidance is that the FQDN used to access the Isilon is actually a load-balanced A record, where every time you lookup the name you get a different IP, with the different reverse lookup...
e.g.
nfs.siteb.isilon.example.com -> 10.20.30.34 -> pool-00-04.siteb.example.com
Any ideas?
Cheers,
John
Read the document carefully and try again :) IDmapper has a little to do with Kerberos. Care about the *gssd services - they handle Kerberos. RH-6.7 works nicely to me.
O.
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of John Beranek
Sent: 20 October 2015 14:23
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] SSSD & AD & Kerberized nfs
On 20 October 2015 at 14:28, Ondrej Valousek Ondrej.Valousek@s3group.com wrote:
Read the document carefully and try again :) IDmapper has a little to do with Kerberos. Care about the *gssd services - they handle Kerberos. RH-6.7 works nicely to me.
Hmm, so it *is* the DNS for the Isilon service causing the issue:
https://gist.github.com/jberanek/f9475d4c0c756ee9e9e4
[Short version: WARNING: Failed to create krb5 context for user with uid 0 for server pool00-21.siteb.isilon.example.com ]
Can't really see how to solve that and leave the Isilon load balancing in place. :(
John
Do you have the SPNs properly configured? As per the document. Thing is that if you have more servers behind a single A record, RH-6 is not going to work (details? see the document). O.
On 20 October 2015 at 14:53, Ondrej Valousek Ondrej.Valousek@s3group.com wrote:
Do you have the SPNs properly configured? As per the document. Thing is that if you have more servers behind a single A record, RH-6 is not going to work (details? see the document).
Yes, that's the issue. The Isilon storage system in question has 32 IPs and therefore 32 A records and 32 PTR records. I don't really want to put 32 more items in the SPN...
John
Then you have 3 options, really:
- Reconfigure DNS PTRs for all servers to resolve to the same name (not sure if it is gonna work, though)
- Use RH-7 & FQDN
- get rid of that nasty DNS based load balancing hack and use something like pNFS.
O.
On 20 October 2015 at 15:04, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
On Tue, 20 Oct 2015, John Beranek wrote:
Can't really see how to solve that and leave the Isilon load balancing in place. :(
Can you explain simply how your load balancing is working?
OK, so the Isilon cluster itself provides the DNS zone:
nfs.siteb.isilon.example.com
When a client looks up this name in DNS, the Isilon gives out one of the IPs in the pool, pointing to an IP address which is hosted by one of the Isilon nodes. It can do this by a number of criteria:
* Round robin
* Connection count
* Network throughput
* CPU usage
John
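The thread's point is that a client which reverse-resolves the IP it was handed needs a separate nfs/ principal for every PTR name behind the balanced record, which is why Ondrej's options are "flatten the PTRs" or "RH-7 & FQDN". The script below is an added example, not code from the thread, Isilon or SSSD: it models that rule and reports which SPNs clients may request but which are not registered. The pool addresses, PTR names, realm and registered SPN list are constructed; live_dns() is only there to feed real records into the same check.

```python
# Added example (not from the thread): which nfs/ principals will clients request
# for a DNS load-balanced NFS name, and which of them have no registered SPN?
# All host names, IPs and SPNs below are constructed for illustration.
import socket

REALM = "EXAMPLE.COM"

def live_dns(name):
    """Optional live lookup: all A records of `name` and the PTR name of each IP."""
    _, _, ips = socket.gethostbyname_ex(name)
    return ips, {ip: socket.gethostbyaddr(ip)[0] for ip in ips}

def required_spns(mount_name, ips, ptr, realm=REALM, use_mount_name=False):
    """Principal the client asks the KDC for, per IP the balancer may hand out.
    use_mount_name=False: the client canonicalises via the PTR of the IP it
    connected to (the behaviour the thread attributes to RH-6), so every
    distinct PTR name needs its own SPN.
    use_mount_name=True: the client keeps the FQDN it was given (the thread's
    "RH-7 & FQDN" option), so one SPN covers the whole pool."""
    host = lambda ip: mount_name if use_mount_name else ptr[ip]
    return {ip: "nfs/%s@%s" % (host(ip).rstrip("."), realm) for ip in ips}

def missing_spns(required, registered):
    """SPNs clients may request that are registered on no AD object."""
    return sorted(set(required.values()) - set(registered))

# Constructed pool: four of the "32 IPs, 32 A records, 32 PTR records".
MOUNT = "nfs.siteb.isilon.example.com"
IPS = ["10.20.30.31", "10.20.30.32", "10.20.30.33", "10.20.30.34"]
PTR = {ip: "pool-00-%02d.siteb.example.com" % (i + 1) for i, ip in enumerate(IPS)}
REGISTERED = ["nfs/%s@%s" % (MOUNT, REALM)]   # only the balanced name has an SPN

def scenario(use_mount_name=False, flatten_ptrs=False):
    """(distinct SPNs requested, SPNs missing) for one of the thread's options."""
    # Option 1 from the thread: every PTR resolves to the same name.
    ptr = {ip: MOUNT for ip in IPS} if flatten_ptrs else PTR
    req = required_spns(MOUNT, IPS, ptr, use_mount_name=use_mount_name)
    return len(set(req.values())), missing_spns(req, REGISTERED)

if __name__ == "__main__":
    print("as-is      :", scenario())                      # 4 SPNs needed, 4 missing
    print("flat PTRs  :", scenario(flatten_ptrs=True))     # 1 SPN, none missing
    print("RH-7 + FQDN:", scenario(use_mount_name=True))   # 1 SPN, none missing
```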
On Tue, 20 Oct 2015, Ondrej Valousek wrote:
Hi all,
Just put together few findings about kerberized NFS & AD. See here: https://ovalousek.wordpress.com/2015/10/15/enable-kerberized-nfs-with-sssd-a...
For people hosting NFS/krb5 on EL6, there certainly used to be problems if you had PAC enabled on the server for users who were members of many groups.
The solution is to disable PAC for services on that host via userAccountControl.
userAccountControl: 33624064
That then causes fun, as Samba on EL6 can't cope with PAC being disabled. Cue fun with running two AD objects per server, and merging of keytabs such that you can have PAC on Samba and not on NFS.
userAccountControl: 69632
jh
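The two userAccountControl values above differ by exactly one bit. The decoder below is an added example, not code from the thread: it names the flags set in each value and shows that the NFS object is the Samba object plus NO_AUTH_DATA_REQUIRED (0x2000000), the bit that tells the KDC to omit the PAC from that service's tickets. The flag table is the documented Active Directory userAccountControl bit layout; the two input values are the ones quoted in the message.

```python
# Added example (not from the thread): decode userAccountControl and show which
# bit separates the "no PAC" NFS object from the ordinary Samba object.
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x2000000: "NO_AUTH_DATA_REQUIRED",   # service tickets carry no PAC
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
NO_AUTH_DATA_REQUIRED = 0x2000000

def decode_uac(value):
    """Names of the flags set in `value`, lowest bit first; unknown bits are kept."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return names

def uac_diff(a, b):
    """Flags present in exactly one of the two values."""
    return decode_uac(a ^ b)

def pac_disabled(value):
    return bool(value & NO_AUTH_DATA_REQUIRED)

def with_pac_disabled(value):
    """The value an admin would write to disable the PAC on this object."""
    return value | NO_AUTH_DATA_REQUIRED

if __name__ == "__main__":
    nfs_obj, samba_obj = 33624064, 69632          # values quoted in the thread
    print("NFS object  :", decode_uac(nfs_obj))
    print("Samba object:", decode_uac(samba_obj))
    print("difference  :", uac_diff(nfs_obj, samba_obj))
```

Running it shows both objects are WORKSTATION_TRUST_ACCOUNT + DONT_EXPIRE_PASSWORD and the NFS one additionally carries NO_AUTH_DATA_REQUIRED.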
Will add this to my document, thanks. I have heard about this issue - but how many is "many groups"? I have user here with 32 groups - I do not experience any problems. O.
On Tue, 20 Oct 2015, Ondrej Valousek wrote:
Will add this to my document, thanks. I have heard about this issue - but how many is "many groups"? I have user here with 32 groups - I do not experience any problems.
I'm not sure. 150 is definitely too many groups. Yes, it's definitely too many groups even without NFS. It's related to whether the PAC fits in a page AFAIK.
The other part of the fix with AD, once you have these two computer objects:
myhost
myhost-nfs
ktpass -princ nfs/myhost.domain@REALM -mapuser myhost-nfs$ +rndPass -out temp.keytab -crypto ALL
That then gives you a keytab to merge into the first, so on the client it looks like a perfectly normal setup.
I don't know whether you can do this all from the linux side.
jh
Ok, thanks - page updated. AFAIK, this is NFS server problem - fortunately, we are using Netapp, so I do not worry :)
Sorry SSSD team for abusing this list...
Hi, for me configuring idmapd in cross realm with SSSD and NFSv4 is challenging; the idmapd.conf manual says: an NFSv4 domain is a namespace with a unique uid<->username, gid<->usergroupname; Domain defaults to the machine's domainname.
Using Method = nsswitch, I expect that idmapd requests to sssd-nss would be used for mapping.
If sssd can resolve login names as short names, unique in cross realm, e.g. sAMAccountName names, mapping works; in that case, Domain can be anything, it is stripped off.
If login names are resolved as FQDN in cross realm, mapping doesn't work if the computer's domain differs from the user's domain. The kerberized NFS homedir is mounted but mapping to nobody/nogroup blocks the user from login.
In my case NFS client machines and the NFSv4 server are in the same domain; users are from different domains.
Longina