Hi everyone,
I'm currently setting up a FreeIPA based central repository for our small business
(few users, but a number of VMs and attached services) with 3 IPA servers. As we are a
Linux-centric company, FreeIPA seems to be a good fit for our use.
Everything seems to work as expected, except regarding our Synology NAS and its NFSv4 shares.
If I don’t set the automount to use Kerberos (no ‘-sec=krb5’ parameter), the NFS share
works without a hitch. But if I do, it seems that said NAS doesn’t manage Kerberos well.
Every time I try to connect a client to an NFS share, DSM more or less hangs, with a
svcgssd process pegged at 100% CPU. The web UI locks up, most of the command line stops
working properly, etc.
This appears to be a relatively well-known issue with svcgssd as noted here for example:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1466654
https://linux-nfs.vger.kernel.narkive.com/rpgli1dr/question-re-no-auth-da...
The fix seems relatively simple, as I just need to set the
"no_auth_data_required" setting on the affected Kerberos principal on the
FreeIPA side. The problem is, how do I do this?
For a standalone KDC server, it looks like this command should do the trick:
→ kadmin -p "admin@INTERNAL.DOMAIN.ORG" modify_principal +no_auth_data_required "nfs/nas.domain.tld@INTERNAL.DOMAIN.ORG"
But from what I understand, using kadmin directly with FreeIPA is not an option, and how
to set the "no_auth_data_required" option with FreeIPA is not clear to me. Can
anyone direct me to a solution?
For reference:
→ The NAS is a Synology RS2421RP+ running DSM 7.2-64570 Update 3 (the latest). Its kernel
is 4.4.302+
→ We are running FreeIPA 4.10.1
→ The 3 FreeIPA servers run on Rocky Linux 9.2
→ The current test client is a Rocky Linux 8.7 VM, but we have a variety of Linux flavors
in our environment.
→ We do not have an Active Directory server and do not plan to add one.
→ This FreeIPA deployment is still at an early stage of deployment.
→ I have no previous experience with FreeIPA, LDAP or Kerberos, nor with AD.
Regards,
Julien Fremont