
I set up an NFS mount through the following guide with FreeIPA.

Short instructions on first post: Unable to mount kerberized nfs?

Long instructions: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/kerb-nfs

How do I provide access on a per-user or per-group basis within FreeIPA?

For example, I have two exports.

#/etc/exports
/data/group1   *(sec=krb5p,rw,no_root_squash)
/data/group2   *(sec=krb5p,rw,no_root_squash)

I have a "group1" and "group2" in FreeIPA. I don't want to allow group1 to be able to mount the group2 export. How would I accomplish this? Using Kerberos seems like it's "all or nothing". I feel I'm missing something obvious.

Kevin Vasko
  • Ordinary Unix permissions? That's how everyone else does it. – Michael Hampton Oct 24 '18 at 21:40
  • @MichaelHampton Do you mean ACLs? Or just simple read, write, execute permissions? – Kevin Vasko Oct 25 '18 at 14:35
  • There's read, write, execute and user and group ownership. That's all you need. Unless there's some special requirement you didn't mention. – Michael Hampton Oct 25 '18 at 14:36
  • @MichaelHampton I might be overthinking it. It seems that we have always run into issues where someone writes a file from some application and then someone else can't access those files because they aren't in the group, since they aren't the owner of the file. Are there limitations on the number of groups that an account can be in? It seems that could be extremely annoying to handle manually. For example, in Windows for a share, you add the users you want to have access to the folder and then add the permissions they are allowed to have. Done. Adding users to groups to maintain might be hairy. – Kevin Vasko Oct 25 '18 at 16:52
  • I don't know of any limit to the number of groups a user can be in. There may be a theoretical limit. Of course you ought to be managing these in FreeIPA anyway, and there shouldn't be any UID/GID mismatches anywhere in the domain. – Michael Hampton Oct 25 '18 at 17:02
  • Looks like a duplicate of https://serverfault.com/questions/936346/nfs-server-setting-permission-for-different-groups/936742#936742 – kofemann Oct 28 '18 at 14:59
  • @MichaelHampton How do you deal with people that need to be in multiple groups/projects to create folders with a default group within that project? For example, PersonA is in GroupA and GroupB, PersonB is in GroupB and GroupC. Then you have a folder for each group: FolderA, FolderB, FolderC. Everyone in GroupA should be able to access and manipulate FolderA, and everyone in GroupB should be able to manipulate FolderB content. However, if PersonA goes and creates a file in FolderB, their primary group will be the group owner, which could be GroupA. How do you handle that? – Kevin Vasko Nov 13 '18 at 19:48

0 Answers
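Added example, not from the question or any of the comments above: the comment thread's point is that sec=krb5p only authenticates the user (the server maps the Kerberos principal to a local account that FreeIPA/sssd resolves), and which export a user can actually read or write is then decided by ordinary owner/group/mode bits on the exported tree. The script below restricts a directory to one group and sets the setgid bit so that files created inside inherit that group rather than the creator's primary group, which is exactly the FolderB/GroupA problem raised in the last comment. The directory and group names are placeholders; on the real server the directories would be /data/group1 and /data/group2 with groups provisioned in FreeIPA, and the demo uses a temporary directory and the caller's own primary group so it runs without root.

```shell
#!/bin/sh
# Added example (not from the question or comments): per-group access on
# NFS-exported directories with plain Unix permissions.
# Assumptions: GROUP must exist on the NFS server (e.g. a FreeIPA group that
# sssd resolves to the same GID on server and clients); DIR is a placeholder
# for an exported path such as /data/group1.

# show_mode DIR
# Prints the symbolic mode of DIR, e.g. drwxrws--- (10 characters; a trailing
# '.' or '+' for SELinux/ACL markers is deliberately cut off).
show_mode() {
    ls -ld "$1" | cut -c1-10
}

# set_group_dir DIR GROUP
# Restricts DIR to members of GROUP: group gets rwx, others get nothing, and
# the setgid bit (the '2' in 2770) makes new files and subdirectories inherit
# GROUP as their group owner instead of the creator's primary group.
# On a real server also run 'chown root DIR' as root; chgrp alone is used
# here so the demo works for an unprivileged user on a group they belong to.
set_group_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2770 "$dir"
    show_mode "$dir"
}

# check_group_dir DIR GROUP
# Verifies the invariant an export audit would look for: group owner is GROUP,
# setgid is set, and "other" has no permission bits at all. Returns non-zero
# and explains the mismatch on stderr otherwise.
check_group_dir() {
    dir=$1
    group=$2
    mode=$(show_mode "$dir")
    actual_group=$(ls -ld "$dir" | awk '{print $4}')
    if [ "$actual_group" != "$group" ]; then
        echo "$dir: group owner is $actual_group, expected $group" >&2
        return 1
    fi
    case "$mode" in
        drwxrws---) return 0 ;;
        *) echo "$dir: mode is $mode, expected drwxrws---" >&2; return 1 ;;
    esac
}

# Stand-alone demo: a temporary tree and the caller's primary group stand in
# for /data/group1 and the FreeIPA group "group1".
demo() {
    base=$(mktemp -d)
    me=$(id -gn)
    set_group_dir "$base/group1" "$me"
    if check_group_dir "$base/group1" "$me"; then
        echo "ok: $base/group1 is restricted to group $me with setgid"
    fi
    rm -rf "$base"
}

demo
```

The /etc/exports lines from the question can stay as they are; with these modes a member of group1 who mounts /data/group2 still gets EACCES on every path under it, which is the per-group restriction the question asks for. Two caveats the comments touch on: setgid only fixes the group owner of new files, so group-writable collaboration also needs the creators' umask to be 002 (or a default ACL such as setfacl -d -m g:group1:rwx on the directory, the ACL route mentioned in the thread), and none of this works unless server and clients agree on the GIDs, which is what keeping the groups in FreeIPA guarantees.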