[Freeipa-users] IPA+AD trust and NFS nobody issue

Simo Sorce simo at redhat.com
Fri Jun 27 13:36:14 UTC 2014


On Fri, 2014-06-27 at 00:10 +0000, Nordgren, Bryce L -FS wrote:
> Also:
> http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04
> 
> Never became an RFC, but cites Simo's I-D on a Kerberos PAC.
> 
> I like the CITI approach better (also approach 2 of section 6 in the
> above I-D). I have no use for the groups defined in my active
> directory. Also, for the external collaboration case, my AD may not be
> accessible to an NFS server outside the firewall.
> 
> However, if (?) support for an NFSRemoteUser schema is lacking in
> FreeIPA, and if AD is accessible to both client and server, it seems
> that approach 3 of section 6 above would be the answer? Somehow
> configure idmap.conf (on NFS clients and servers) to directly query
> AD? Does that seem correct?

I honestly think (and gave this feedback to the authors in the past)
that trying to standardize on LDAP in an NFS document is wrong; it
should be implementation specific.

I think NFS should define roughly how a mapping service should behave,
but should not try to dictate how Directory services can/should be used;
the variation and modes of use are just too big in the real world, and
keep changing. Moreover, it is already incorrect to believe that all
identities can be resolved by contacting a single LDAP server (AD
trusted forests, as an example), and that the LDAP server can actually
fully resolve group memberships (again AD, and even FreeIPA when
trusting AD forests) without using custom operations that are only fully
correct when run by the KDC (or other RPC service; again, see AD).

In the FreeIPA case, for example, we do not (normally) convey AD groups to
the service and instead map (some of) them into FreeIPA external groups;
a client that tries to query the AD service directly (assuming you have
direct access, which is often not true) would not get the cross-realm group
memberships as defined in the IPA server and would therefore cause
issues.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
