Windows NFS

Charles Hedrick edited this page Feb 5, 2019 · 5 revisions

Mostly we followed normal instructions, but setting up UID/GID mapping was interesting.

  • In ksetup, you need to set the realm flag saying that the realm supports name canonicalization. Otherwise attempts to use GSSAPI with the machine account username lasso$ fail: MIT Kerberos only uses principal aliases if the request asks for canonicalization, and by default Windows doesn't request it. Tell it to use canonicalization with:
ksetup /setrealmflags CS.RUTGERS.EDU ncsupported
  • "nfsadmin mapping" lets you configure the actual mapping. It should enable AD-style lookup, with a domain of krb1.cs.rutgers.edu. Eventually I'll test using cs.rutgers.edu instead.
nfsadmin mapping config addomain=krb1.cs.rutgers.edu
nfsadmin mapping config adlookup=yes

Use "nfsadmin mapping" to verify that it's set the way you want. Mapping server lookup should be off.

  • The IPA host entry needs the machine account name (host$) added as a principal alias:
ipa host-add-principal lasso.rutgers.edu 'lasso$'
  • The IPA schema needs to include the sAMAccountName attribute. The following LDIF defines it and adds it to our private objectclass; we're already set up so that all person entries get this objectclass.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
-
delete: objectClasses
objectClasses: ( 1.3.6.1.4.1.10962.2.4.3 NAME 'csRutgersEduPerson' SUP top AUXILIARY MAY ( csRutgersEduCredservRule $ csRutgersEduCredservKeytab ) X-ORIGIN ( 'cs.rutgers.edu' 'user defined' ) )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.10962.2.4.3 NAME 'csRutgersEduPerson' SUP top AUXILIARY MAY ( csRutgersEduCredservRule $ csRutgersEduCredservKeytab $ sAMAccountName ) X-ORIGIN ( 'cs.rutgers.edu' 'user defined' ) )

See the main setup description for more information on this.

  • Each user entry needs the sAMAccountName attribute, with the same value as the user's uid (login name):
ipa user-mod username --addattr=samaccountname=username

Obviously in the long run we'll set this up to be populated automatically.

The mount command (from a cmd or PowerShell prompt on the Windows client) is

mount -o sec=krb5 -o nolock \\host\x\y *

nolock is needed for the NetApp, but not for CentOS 7. The * says to use the first free drive letter; or you can specify a drive letter instead.

Testing should be done using the GUI file manager. For some failure modes everything works from the command line, but weird failures occur in the GUI. The two causes we know of are (1) uid/gid not set correctly for the mount, and (2) -o nolock missing for the NetApp. Use "mount" with no arguments to list the mount parameters, and verify that the uid and gid shown match the user whose Kerberos principal you are using. You can set the uid/gid manually in the registry for a single-user machine, but there's no way to specify it in the mount command. For a multi-user machine that means you have to get the mapping to work.
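The whole Windows-side procedure above (realm flag, mapping config, Kerberos mount, uid/gid check) as one script. This is an added example, not part of the original page or of the Rutgers setup. The realm, mapping domain, share path, expected uid/gid and the -NetApp switch are parameters (assumed names, not from the page); the regex that pulls UID/GID out of the "mount" listing assumes the Windows NFS client prints them as "UID=<n>, GID=<n>", and treating -2 as the anonymous id is this script's assumption about the client's default.

```powershell
#Requires -RunAsAdministrator
# Added example (not the wiki page's own code): configure and verify a
# sec=krb5 NFS mount on a Windows client with AD-style UID/GID mapping.
param(
    [string]$Realm    = 'CS.RUTGERS.EDU',        # assumed default, from the page's example
    [string]$AdDomain = 'krb1.cs.rutgers.edu',   # assumed default, from the page's example
    [string]$Share    = '\\host\x\y',            # assumed placeholder, as on the page
    [string]$Drive    = '*',                     # '*' = first free drive letter
    [Parameter(Mandatory)][int]$ExpectedUid,     # uid of the IPA user whose ticket you hold
    [Parameter(Mandatory)][int]$ExpectedGid,
    [switch]$NetApp                              # NetApp servers need -o nolock
)

# Run a native command and fail loudly on a non-zero exit code.
function Invoke-Checked([string]$Cmd, [string[]]$ArgList) {
    $out = & $Cmd @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Cmd $($ArgList -join ' ') failed:`n$out" }
    return $out
}

# 1. Mark the realm as supporting name canonicalization, otherwise the
#    MIT KDC never resolves the host$ alias for the machine principal.
Invoke-Checked 'ksetup.exe' @('/setrealmflags', $Realm, 'ncsupported') | Out-Null

# 2. AD-style identity lookup against the given domain.
Invoke-Checked 'nfsadmin.exe' @('mapping', 'config', "addomain=$AdDomain") | Out-Null
Invoke-Checked 'nfsadmin.exe' @('mapping', 'config', 'adlookup=yes')      | Out-Null

# 3. Show the effective mapping config so you can confirm mapping-server
#    lookup is off (the page says it should be); not parsed, just displayed.
Write-Host '--- nfsadmin mapping ---'
Invoke-Checked 'nfsadmin.exe' @('mapping')

# 4. Mount with Kerberos; add nolock only for NetApp.
$mountArgs = @('-o', 'sec=krb5')
if ($NetApp) { $mountArgs += @('-o', 'nolock') }
$mountArgs += @($Share, $Drive)
Invoke-Checked 'mount.exe' $mountArgs | Out-Null

# 5. Read the mount listing back and check the uid/gid the client attached
#    to this share. Assumption: the listing has a "UID=<n>, GID=<n>" line
#    following the share's remote path.
$listing = (Invoke-Checked 'mount.exe' @()) -join "`n"
$pattern = [regex]::Escape($Share) + '[\s\S]*?UID=(-?\d+),\s*GID=(-?\d+)'
$m = [regex]::Match($listing, $pattern)
if (-not $m.Success) { throw "no UID/GID entry found for $Share in mount listing" }
$uid = [int]$m.Groups[1].Value
$gid = [int]$m.Groups[2].Value

# -2 is assumed here to be the client's anonymous id: it means the
# Kerberos principal was never mapped and the GUI will misbehave.
if ($uid -eq -2 -or $gid -eq -2) {
    throw "mount is anonymous (uid=$uid gid=$gid): UID/GID mapping did not resolve"
}
if ($uid -ne $ExpectedUid -or $gid -ne $ExpectedGid) {
    throw "mapped to uid=$uid gid=$gid, expected uid=$ExpectedUid gid=$ExpectedGid"
}
Write-Host "OK: $Share mounted with sec=krb5, uid=$uid gid=$gid"
```

Run it from an elevated PowerShell after obtaining a ticket for the user (kinit or a domain logon against the IPA realm), for example `.\Mount-KrbNfs.ps1 -ExpectedUid 1234 -ExpectedGid 1234 -NetApp`. Finding the share mounted but with uid/gid -2 is the "everything works on the command line but the GUI fails" case the page describes; the fix is the mapping (samaccountname on the user, adlookup on the client), not a mount option.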