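- # sudoers entry (the user name is a placeholder on this page).
- # Lets the listed user run mount/umount and the NFS mount helpers as root
- # without a password. The commands carry no argument restriction, so the
- # grantee can mount any source on any mount point as root; if only the NFS
- # shares are needed, narrow the arguments or use "user"/"users" fstab entries.
- # Run-as is narrowed to root: "sudo mount" as shown later on this page runs as
- # root by default, while the earlier "(ALL:ALL)" also allowed any user/group.
- <LDAP user> ALL=(root) NOPASSWD: /bin/mount,/bin/umount,/sbin/mount.nfs,/sbin/mount.nfs4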
- # /etc/hosts: static name resolution for the lab hosts.
- 127.0.0.1 localhost
- # The following lines are desirable for IPv6 capable hosts
- ::1 ip6-localhost ip6-loopback
- fe00::0 ip6-localnet
- ff00::0 ip6-mcastprefix
- ff02::1 ip6-allnodes
- ff02::2 ip6-allrouters
- # Lab hosts: "server" is the LDAP/Kerberos server, host1 the NFS client and
- # host2 the NFS server (the mount on this page goes from 192.168.1.2 to
- # 192.168.1.100). The second 192.168.1.1 line maps the bare domain name to
- # the same address. FQDN comes first on each line; presumably the Kerberos
- # service principals (nfs/host2.stagenfs.fr, ...) depend on that name — verify.
- 192.168.1.1 server.stagenfs.fr server
- 192.168.1.1 stagenfs.fr
- 192.168.1.2 host1.stagenfs.fr host1
- 192.168.1.100 host2.stagenfs.fr host2
- # /etc/nsswitch.conf
- #
- # Example configuration of GNU Name Service Switch functionality.
- # If you have the `glibc-doc-reference' and `info' packages installed, try:
- # `info libc "Name Service Switch"' for information about this file.
- # Sources are consulted left to right: local files (compat) first, then
- # sssd (the LDAP/Kerberos domain) for users, groups and shadow entries.
- passwd: compat systemd sss
- group: compat systemd sss
- shadow: compat sss
- # Group passwords are local files only; sss is not listed here.
- gshadow: files
- # /etc/hosts first, then mDNS (mdns4_minimal only handles .local names and
- # stops the lookup on NOTFOUND), then DNS; myhostname answers the local name last.
- hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
- networks: files
- protocols: db files
- services: db files sss
- ethers: db files
- rpc: db files
- netgroup: nis sss
- # sudo rules from local /etc/sudoers and from sssd. NOTE(review): the
- # sssd.conf on this page runs only "services = nss,pam"; the sss source here
- # stays inactive unless sssd's sudo responder is also enabled — confirm.
- sudoers: files sss
- # /etc/idmapd.conf: NFSv4 id <-> name mapping for rpc.idmapd / nfsidmap.
- [General]
- # High debug verbosity (troubleshooting setting).
- Verbosity = 5
- Pipefs-Directory = /run/rpc_pipefs
- # set your own domain here, if it differs from FQDN minus hostname
- # The NFSv4 domain must agree on every client and server; names from a
- # different domain cannot be mapped and end up as Nobody-User/Nobody-Group.
- Domain = stagenfs.fr
- Local-Realms = STAGENFS.FR
- [Mapping]
- # Fallback identity for names that cannot be mapped.
- Nobody-User = nobody
- Nobody-Group = nogroup
- [Translation]
- # Only the [Static] table below is consulted, for plain names and for GSS
- # principals alike. The commented alternatives (nsswitch, umich_ldap, sss)
- # appear to be earlier attempts and are kept here as history.
- #Method = nsswitch
- Method = static
- GSS-Methods = static
- #Method = umich_ldap,nsswitch
- #GSS-Methods = umich_ldap
- #Method = sss
- [Static]
- # Principal -> local user. Only alice is mapped; the nfs/ service principal
- # entries are disabled.
- #nfs/host1.stagenfs.fr@STAGENFS.FR = alice
- #nfs/host1@STAGENFS.FR = alice
- #nfs/host2@STAGENFS.FR = alice
- alice@STAGENFS.FR = alice
- # umich_ldap lookup settings, disabled together with the umich_ldap method above.
- #[UMICH_SCHEMA]
- #LDAP_server = server.stagenfs.fr
- #LDAP_base = ou=tl
- #LDAP_use_ssl = true
- #LDAP_ca_cert = /etc/ssl/certs/cacert.pem
- #NFSV4_person_objectclass = posixaccount
- #NFSV4_name_attr = uid
- # Shell-style KEY=value sourced by the NFS init scripts. The first part looks
- # like /etc/default/nfs-common, the rest like /etc/default/nfs-kernel-server.
- # Extra options for rpc.statd (none).
- STATDOPTS=
- # Do you want to start the gssd daemon? It is required for Kerberos mounts.
- NEED_GSSD="yes"
- # rpc.idmapd does the NFSv4 id <-> name mapping (see idmapd.conf).
- NEED_IDMAPD="yes"
- # Number of servers to start up
- RPCNFSDCOUNT=8
- # Runtime priority of server (see nice(1))
- RPCNFSDPRIORITY=0
- # --manage-gids: the server resolves a user's supplementary groups itself
- # (through its own name service) instead of trusting the group list sent by
- # the client, which also lifts the 16-group limit of the wire protocol.
- RPCMOUNTDOPTS="--manage-gids"
- # Do you want to start the svcgssd daemon? It is only required for Kerberos
- # exports. Valid alternatives are "yes" and "no"; the default is "no".
- NEED_SVCGSSD="yes"
- # Options for rpc.svcgssd.
- RPCSVCGSSDOPTS=""
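- # /etc/sssd/sssd.conf: sssd checks that this file is root-owned and mode 0600
- # before starting.
- [sssd]
- # 0xFFF0 turns on all debug categories (troubleshooting level). Debug logs can
- # contain user names, DNs and request details, so lower it once the setup works.
- debug_level = 0xFFF0
- config_file_version = 2
- # Only the nss and pam responders run; a "sudoers: sss" source in
- # nsswitch.conf additionally needs "sudo" in this list.
- services = nss,pam
- domains = STAGENFS.FR
- [nss]
- debug_level = 0xFFF0
- # Keep root local: never resolve the root user/group from the directory.
- filter_users = root
- filter_groups = root
- [pam]
- debug_level = 10
- # Days cached credentials stay usable offline; moot while cache_credentials is False.
- offline_credentials_expiration = 1
- [domain/STAGENFS.FR]
- debug_level = 0xFFF0
- ldap_schema = rfc2307
- ldap_search_base = ou=tl
- # Identities and host-access checks come from LDAP; authentication and
- # password changes go to Kerberos.
- id_provider = ldap
- auth_provider = krb5
- chpass_provider = krb5
- access_provider = ldap
- # Directory binds use GSSAPI with the host keytab.
- ldap_sasl_mech = GSSAPI
- ldap_krb5_keytab = /etc/krb5.keytab
- ldap_access_order = filter
- # Access filter in canonical RFC 4515 form. The earlier value
- # "&(objectClass=posixAccount) (uidNumber=*)" lacked the outer parentheses and
- # carried a space between the two terms, so it depended on sssd and the LDAP
- # library being lenient; this form is accepted by any parser.
- ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*))
- # LDAPS with a pinned CA; StartTLS stays off because the transport is already TLS.
- ldap_uri = ldaps://server.stagenfs.fr
- ldap_referrals = False
- ldap_id_use_start_tls = False
- cache_credentials = False
- account_cache_expiration = 1
- # enumerate = True downloads the whole user/group set on every refresh;
- # acceptable for a lab, expensive against a large directory.
- enumerate = True
- # NOTE(review): with ldap_sasl_mech = GSSAPI set, sssd should bind through
- # SASL and these simple-bind credentials look unused — confirm, then drop them.
- # If a bind password is really needed, sssd supports
- # ldap_default_authtok_type = obfuscated_password (value produced by
- # sss_obfuscate), which only hides it from casual reading; file permissions
- # remain the actual protection. Treat this value as exposed and rotate it.
- ldap_default_bind_dn = cn=proxyuser,ou=private,ou=tl
- ldap_default_authtok_type = password
- ldap_default_authtok = ProxyUser123#
- ldap_tls_cacert = /etc/ssl/certs/cacert.pem
- krb5_realm = STAGENFS.FR
- krb5_canonicalize = False
- krb5_server = server.stagenfs.fr
- krb5_kpasswd = server.stagenfs.fr
- # Per-user credential cache directory; %u expands to the login name (this is
- # the FILE:/home/tl/alice/krb5_... cache shown by klist on this page).
- krb5_ccachedir = /home/tl/%u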
- Aug 2 10:05:57 host2 rpc.idmapd[470]: nfsdcb: authbuf=gss/krb5p authtype=user
- Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: calling nsswitch->uid_to_name
- Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
- Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: final return value is 0
- Aug 2 10:05:57 host2 rpc.idmapd[470]: Server : (user) id "0" -> name "root@stagenfs.fr"
- Aug 2 10:05:57 host2 rpc.idmapd[470]: nfsdcb: authbuf=gss/krb5p authtype=group
- Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: calling nsswitch->gid_to_name
- Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
- Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: final return value is 0
- Aug 2 10:05:57 host2 rpc.idmapd[470]: Server : (group) id "0" -> name "root@stagenfs.fr"
- alice@host1:~$ sudo mount -vvv -t nfs4 -o proto=tcp,port=2049,sec=krb5p host2:/users /mnt
- mount.nfs4: timeout set for Thu Aug 2 10:07:58 2018
- mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.100,clientaddr=192.168.1.2'
- alice@host1:~$ ldapwhoami
- SASL/GSSAPI authentication started
- SASL username: alice@STAGENFS.FR
- SASL SSF: 56
- SASL data security layer installed.
- dn:uid=alice,ou=people,ou=tl
- alice@host1:~$ klist
- Ticket cache: FILE:/home/tl/alice/krb5_25002
- Default principal: alice@STAGENFS.FR
- Valid starting Expires Service principal
- 02/08/2018 10:57:40 02/08/2018 20:57:40 krbtgt/STAGENFS.FR@STAGENFS.FR
- renew until 03/08/2018 10:57:40
- 02/08/2018 10:57:56 02/08/2018 20:57:40 ldap/server.stagenfs.fr@STAGENFS.FR
- renew until 03/08/2018 10:57:40
- alice@host1:~$ klist -c /tmp/krb5ccmachine_STAGENFS.FR
- klist: Credentials cache permissions incorrect (filename: /tmp/krb5ccmachine_STAGENFS.FR)
- alice@host1:~$
- root@host1:~# klist -c /tmp/krb5ccmachine_STAGENFS.FR
- Ticket cache: FILE:/tmp/krb5ccmachine_STAGENFS.FR
- Default principal: host/host1.stagenfs.fr@STAGENFS.FR
- Valid starting Expires Service principal
- 02/08/2018 10:01:07 02/08/2018 20:01:07 krbtgt/STAGENFS.FR@STAGENFS.FR
- renew until 03/08/2018 10:01:07
- 02/08/2018 10:01:07 02/08/2018 20:01:07 nfs/host2.stagenfs.fr@STAGENFS.FR
- renew until 03/08/2018 10:01:07
- root@host1:~# klist -k /etc/krb5.keytab
- Keytab name: FILE:/etc/krb5.keytab
- KVNO Principal
- ---- --------------------------------------------------------------------------
- 2 ldap/server.stagenfs.fr@STAGENFS.FR
- 2 ldap/server.stagenfs.fr@STAGENFS.FR
- 2 host/server.stagenfs.fr@STAGENFS.FR
- 2 host/server.stagenfs.fr@STAGENFS.FR
- 2 host/host1.stagenfs.fr@STAGENFS.FR
- 2 host/host1.stagenfs.fr@STAGENFS.FR
- 2 host/host2.stagenfs.fr@STAGENFS.FR
- 2 host/host2.stagenfs.fr@STAGENFS.FR
- 2 nfs/host2.stagenfs.fr@STAGENFS.FR
- 2 nfs/host2.stagenfs.fr@STAGENFS.FR