On Tue, 26 Sep 2023, Julien Fremont via FreeIPA-users wrote:
Hi everyone,
I'm currently setting up a FreeIPA based central repository for our
small business (few users, but a number of VMs and attached services)
with 3 IPA servers. As we are a Linux-centric company, FreeIPA seems to
be a good fit for our use.
Everything seems to work as expected, except regarding our Synology NAS
and its NFSv4 shares. If I don't set the automount to use Kerberos (no
'-sec=krb5' parameter), the NFS share works without a hitch. But if I
do, it seems that said NAS doesn't manage Kerberos well. Every time
I try to connect a client to an NFS share, DSM more or less hangs up with
a svcgssd process pegged at 100% CPU. The webui locks up, most of
the command line stops working properly, etc.
This appears to be a relatively well-known issue with svcgssd as noted
here for example:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1466654
https://linux-nfs.vger.kernel.narkive.com/rpgli1dr/question-re-no-auth-da...
The fix seems relatively simple, as I just need to set the
"no_auth_data_required" setting on the affected Kerberos principal on
the FreeIPA side. The problem is, how do I do this?
For a standalone KDC server, it looks like this command should do the
trick:
→ kadmin -p "admin(a)INTERNAL.DOMAIN.ORG" modify_principal +no_auth_data_required
"nfs/nas.domain.tld(a)INTERNAL.DOMAIN.ORG"
But from what I understand, using kadmin directly with FreeIPA is not
an option, and how to set the "no_auth_data_required" option with FreeIPA
is not clear to me. Can anyone direct me to a solution?
You should not be using anything like that with FreeIPA. The default is
already set for NFS services to not issue PAC.
$ ipa help config-mod |grep -A1 pac-type
--pac-type=['MS-PAC', 'PAD', 'nfs:NONE']
Default types of PAC supported for services
By default we already have it set to NONE:
$ ipa config-show |grep 'PAC type'
Default PAC types: MS-PAC, nfs:NONE
For an individual service you can do it explicitly:
$ ipa help service-mod |grep -A3 pac-type
--pac-type=['MS-PAC', 'PAD', 'NONE']
Override default list of supported PAC types. Use
'NONE' to disable PAC support for this service, e.g.
this might be necessary for NFS services.
$ ipa service-mod nfs/nas.domain.tld --pac-type=NONE
But as I said, the default one should just work.
Can you please show your NFS service principal entry output?
ipa service-show nfs/nas.domain.tld
For reference:
→ The NAS is a Synology RS2421RP+ running DSM 7.2-64570 Update 3 (the latest). Its kernel
is 4.4.302+
→ We are running FreeIPA 4.10.1
→ The 3 FreeIPA servers run on Rocky Linux 9.2
→ The current test client is a Rocky Linux 8.7 VM, but we have a variety of Linux flavors
in our environment.
→ We do not have an Active Directory server and do not plan to add one.
→ This FreeIPA deployment is still at an early stage of deployment.
→ I have no previous experience with FreeIPA, LDAP or Kerberos, nor with AD.
Regards,
Julien Fremont
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
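As an added illustration of the check Alexander describes (not code from the thread or from FreeIPA): the script below applies the rule that a per-service "PAC type" override wins and otherwise the global "Default PAC types" list applies, with "nfs:NONE" covering only nfs/ principals. The command outputs are constructed samples, the "PAC type:" label in service-show output is assumed, and HTTP/web.domain.tld is a made-up principal.

```shell
# Added example (not from the thread): work out which PAC types FreeIPA will
# put in a service ticket from the output of the two commands Alexander quotes,
# 'ipa config-show' (global default) and 'ipa service-show' (per-service
# override). The command outputs below are constructed so this runs offline.
# Rule: an explicit "PAC type:" line on the service wins; otherwise the global
# "Default PAC types:" list applies, where "nfs:NONE" is a default for that
# service type only and unprefixed entries (MS-PAC, PAD) apply to all others.
effective_pac_type() {
  principal="$1"; config_out="$2"; service_out="$3"
  service_type="${principal%%/*}"            # "nfs" from nfs/nas.domain.tld
  override=$(printf '%s\n' "$service_out" | awk -F': ' '/^ *PAC type:/ {print $2}')
  if [ -n "$override" ]; then
    printf '%s\n' "$override"; return 0
  fi
  default=$(printf '%s\n' "$config_out" \
            | awk -F': ' '/^ *Default PAC types:/ {print $2}' | tr ',' ' ')
  result=""
  for item in $default; do
    case "$item" in
      "$service_type":*) printf '%s\n' "${item#*:}"; return 0 ;;  # type-specific
      *:*) ;;                                                     # other type
      *) result="${result:+$result, }$item" ;;
    esac
  done
  printf '%s\n' "$result"
}

# Exit 0 when the principal gets no PAC (what a Kerberised NFS server needs),
# 1 otherwise, printing the per-service fix from the thread.
check_nfs_pac() {
  types=$(effective_pac_type "$1" "$2" "$3")
  if [ "$types" = "NONE" ]; then
    echo "$1: PAC disabled (effective type: NONE)"; return 0
  fi
  echo "$1: PAC would be issued ($types); fix: ipa service-mod $1 --pac-type=NONE"
  return 1
}

# Constructed sample outputs mimicking the real commands.
CONFIG_SAMPLE='  Default PAC types: MS-PAC, nfs:NONE'
NFS_DEFAULT_SAMPLE='  Principal name: nfs/nas.domain.tld@INTERNAL.DOMAIN.ORG
  Keytab: True'
NFS_EXPLICIT_SAMPLE='  Principal name: nfs/nas.domain.tld@INTERNAL.DOMAIN.ORG
  PAC type: NONE'
HTTP_SAMPLE='  Principal name: HTTP/web.domain.tld@INTERNAL.DOMAIN.ORG
  Keytab: True'
check_nfs_pac nfs/nas.domain.tld "$CONFIG_SAMPLE" "$NFS_DEFAULT_SAMPLE"
check_nfs_pac nfs/nas.domain.tld "$CONFIG_SAMPLE" "$NFS_EXPLICIT_SAMPLE"
check_nfs_pac HTTP/web.domain.tld "$CONFIG_SAMPLE" "$HTTP_SAMPLE" || :   # expected to flag
```

Against a live server, feed it the real output instead: `check_nfs_pac nfs/nas.domain.tld "$(ipa config-show)" "$(ipa service-show nfs/nas.domain.tld)"`.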