# sudoers fragment (file path not shown in this paste).
# NOTE(review): NOPASSWD on mount/umount/mount.nfs/mount.nfs4 with no argument
# restriction lets the listed user run those binaries as root with any options,
# source and target, which is close to root-equivalent. Prefer pinning the
# allowed argument list here, or granting the specific NFS mount via an
# /etc/fstab entry with the "user"/"users" option instead of sudo.
<LDAP user> ALL=(ALL:ALL) NOPASSWD: /bin/mount,/bin/umount,/sbin/mount.nfs,/sbin/mount.nfs4

# /etc/hosts (as pasted) — lab with one KDC/LDAP server and two NFS hosts.
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# KDC + LDAP server (krb5_server / ldap_uri in the sssd.conf further down).
# The FQDN is listed first so the canonical name used in the Kerberos service
# principals (ldap/server.stagenfs.fr, nfs/host2.stagenfs.fr) resolves consistently.
192.168.1.1 server.stagenfs.fr server
192.168.1.1 stagenfs.fr

# NFS client used in the shell session further down
192.168.1.2 host1.stagenfs.fr host1

# NFS server (mount target host2:/users)
192.168.1.100 host2.stagenfs.fr host2

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# Local files (compat) first, then systemd dynamic users, then SSSD, which
# serves the LDAP/Kerberos domain configured in sssd.conf further down.
passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
gshadow: files

# mdns4_minimal handles .local names; [NOTFOUND=return] stops the chain there
# instead of falling through to DNS for those names.
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files

protocols: db files
services: db files sss
ethers: db files
rpc: db files

netgroup: nis sss
# sudo rules may also be fetched through SSSD (requires sudo built with sssd support).
sudoers: files sss

# /etc/idmapd.conf — NFSv4 id<->name mapping for rpc.idmapd (its log lines
# appear further down this paste).
[General]

# Higher is chattier; 5 is debugging level — lower it once mapping works.
Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
Domain = stagenfs.fr
# Realms treated as local, so alice@STAGENFS.FR can map to the plain name alice.
Local-Realms = STAGENFS.FR

[Mapping]

# Identities used when a name or id cannot be mapped.
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
# Translation methods, tried in order. "static" consults only the [Static]
# section below, so anything not listed there ends up as Nobody-User/Group.
# NOTE(review): the rpc.idmapd log further down shows nsswitch->uid_to_name
# being called, so the running daemon may not have loaded this Method setting
# — confirm it was restarted after the change. The commented alternatives
# look like earlier experiments; keep one active choice.
#Method = nsswitch
Method = static
# Same selection, but for GSS-authenticated (Kerberos) requests.
GSS-Methods = static
#Method = umich_ldap,nsswitch
#GSS-Methods = umich_ldap
#Method = sss

[Static]
# principal = local user
# NOTE(review): the nfs/ host principals are commented out, so with the static
# method GSS requests from those service principals map to nobody — confirm
# that is intended.
#nfs/host1.stagenfs.fr@STAGENFS.FR = alice
#nfs/host1@STAGENFS.FR = alice
#nfs/host2@STAGENFS.FR = alice
alice@STAGENFS.FR = alice

# Leftover from the umich_ldap experiment; remove once the static/sss choice is
# final so it is not mistaken for live configuration.
#[UMICH_SCHEMA]

#LDAP_server = server.stagenfs.fr
#LDAP_base = ou=tl
#LDAP_use_ssl = true
#LDAP_ca_cert = /etc/ssl/certs/cacert.pem
#NFSV4_person_objectclass = posixaccount
#NFSV4_name_attr = uid

  77. STATDOPTS=
  78.  
  79. # Do you want to start the gssd daemon? It is required for Kerberos mounts.
  80. NEED_GSSD="yes"
  81.  
  82. NEED_IDMAPD="yes"
  83.  
  84. # Number of servers to start up
  85. RPCNFSDCOUNT=8
  86.  
  87. # Runtime priority of server (see nice(1))
  88. RPCNFSDPRIORITY=0
  89.  
  90. RPCMOUNTDOPTS="--manage-gids"
  91.  
  92. # Do you want to start the svcgssd daemon? It is only required for Kerberos
  93. # exports. Valid alternatives are "yes" and "no"; the default is "no".
  94. NEED_SVCGSSD="yes"
  95.  
  96. # Options for rpc.svcgssd.
  97. RPCSVCGSSDOPTS=""
  98.  
# /etc/sssd/sssd.conf — sssd requires this file to be root-owned and mode 0600
# (it refuses to start otherwise); that matters given the credential stored below.
[sssd]
# 0xFFF0 turns on nearly every debug category; noisy and writes lookup details
# to the log — lower it for production.
debug_level = 0xFFF0
config_file_version = 2
services = nss,pam
domains = STAGENFS.FR

[nss]
debug_level = 0xFFF0
# Never ask the domain about root; local files always win for this account.
filter_users = root
filter_groups = root

[pam]
debug_level = 10
# days; effectively moot here because cache_credentials = False in the domain
offline_credentials_expiration = 1

[domain/STAGENFS.FR]
debug_level = 0xFFF0
ldap_schema = rfc2307
# NOTE(review): a search base without dc= components is unusual — confirm it
# matches the directory suffix (ldapwhoami further down returns uid=alice,ou=people,ou=tl).
ldap_search_base = ou=tl

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Bind to LDAP with Kerberos using a key from the keytab rather than a password.
# NOTE(review): the klist -k output at the end of this paste shows one keytab on
# host1 holding ldap/server, host/server, host/host1, host/host2 and nfs/host2
# keys. Each host should carry only its own principals so that compromising one
# host does not expose the service keys of the others.
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab

# Only entries matching the filter may log in.
# NOTE(review): LDAP filters are normally fully parenthesised with no whitespace
# between terms, i.e. (&(objectClass=posixAccount)(uidNumber=*)); verify sssd
# accepts the form written here rather than denying everyone.
ldap_access_order = filter
ldap_access_filter = &(objectClass=posixAccount) (uidNumber=*)

# TLS comes from the ldaps:// scheme, so StartTLS is correctly left off;
# ldap_tls_cacert below is what validates the server certificate.
ldap_uri = ldaps://server.stagenfs.fr
ldap_referrals = False
ldap_id_use_start_tls = False
# No offline logins: every authentication goes to the KDC.
cache_credentials = False
# days
account_cache_expiration = 1
# Full user/group enumeration (getent passwd) — expensive on larger directories.
enumerate = True
# NOTE(review): simple-bind proxy credentials in clear text, and this paste is
# public — rotate the proxy password. With ldap_sasl_mech = GSSAPI above these
# three settings appear to be unused and can likely be removed; if kept, confirm
# the trailing '#' in the value is not parsed as an inline comment.
ldap_default_bind_dn = cn=proxyuser,ou=private,ou=tl
ldap_default_authtok_type = password
ldap_default_authtok = ProxyUser123#
ldap_tls_cacert = /etc/ssl/certs/cacert.pem

krb5_realm = STAGENFS.FR
krb5_canonicalize = False
krb5_server = server.stagenfs.fr
krb5_kpasswd = server.stagenfs.fr
# %u expands to the login name; the klist output further down shows the
# resulting cache as FILE:/home/tl/alice/krb5_...
krb5_ccachedir = /home/tl/%u

Aug 2 10:05:57 host2 rpc.idmapd[470]: nfsdcb: authbuf=gss/krb5p authtype=user
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: final return value is 0
Aug 2 10:05:57 host2 rpc.idmapd[470]: Server : (user) id "0" -> name "root@stagenfs.fr"
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfsdcb: authbuf=gss/krb5p authtype=group
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: final return value is 0
Aug 2 10:05:57 host2 rpc.idmapd[470]: Server : (group) id "0" -> name "root@stagenfs.fr"

alice@host1:~$ sudo mount -vvv -t nfs4 -o proto=tcp,port=2049,sec=krb5p host2:/users /mnt
mount.nfs4: timeout set for Thu Aug 2 10:07:58 2018
mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.100,clientaddr=192.168.1.2'

alice@host1:~$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: alice@STAGENFS.FR
SASL SSF: 56
SASL data security layer installed.
dn:uid=alice,ou=people,ou=tl

alice@host1:~$ klist
Ticket cache: FILE:/home/tl/alice/krb5_25002
Default principal: alice@STAGENFS.FR

Valid starting Expires Service principal
02/08/2018 10:57:40 02/08/2018 20:57:40 krbtgt/STAGENFS.FR@STAGENFS.FR
renew until 03/08/2018 10:57:40
02/08/2018 10:57:56 02/08/2018 20:57:40 ldap/server.stagenfs.fr@STAGENFS.FR
renew until 03/08/2018 10:57:40

alice@host1:~$ klist -c /tmp/krb5ccmachine_STAGENFS.FR
klist: Credentials cache permissions incorrect (filename: /tmp/krb5ccmachine_STAGENFS.FR)
alice@host1:~$

root@host1:~# klist -c /tmp/krb5ccmachine_STAGENFS.FR
Ticket cache: FILE:/tmp/krb5ccmachine_STAGENFS.FR
Default principal: host/host1.stagenfs.fr@STAGENFS.FR

Valid starting Expires Service principal
02/08/2018 10:01:07 02/08/2018 20:01:07 krbtgt/STAGENFS.FR@STAGENFS.FR
renew until 03/08/2018 10:01:07
02/08/2018 10:01:07 02/08/2018 20:01:07 nfs/host2.stagenfs.fr@STAGENFS.FR
renew until 03/08/2018 10:01:07

root@host1:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 ldap/server.stagenfs.fr@STAGENFS.FR
2 ldap/server.stagenfs.fr@STAGENFS.FR
2 host/server.stagenfs.fr@STAGENFS.FR
2 host/server.stagenfs.fr@STAGENFS.FR
2 host/host1.stagenfs.fr@STAGENFS.FR
2 host/host1.stagenfs.fr@STAGENFS.FR
2 host/host2.stagenfs.fr@STAGENFS.FR
2 host/host2.stagenfs.fr@STAGENFS.FR
2 nfs/host2.stagenfs.fr@STAGENFS.FR
2 nfs/host2.stagenfs.fr@STAGENFS.FR