https://community.netapp.com/t5/ONTAP-Discussions/Integrating-Ontap-with-multidomain-FreeIPA-Redhat-IdM/m-p/139745#M30872 <P>I'm trying to integrate a FAS (Ontap 9) with our FreeIPA (aka RedHat IdM) installation, so that we can offer NFSv4+krb5 to Linux clients.&nbsp; This is proving to be a&nbsp; bit tricky.</P> <P>&nbsp;</P> <P>Background:</P> <P>&nbsp;</P> <P>The IPA kerberos realm is: IPA.LOCALDOMAIN (corresponding dns: ipa.localdomain)</P> <P>However, the user realms are: LOCALDOMAIN (dns: localdomain) and STUDENT.LOCALDOMAIN (dns: student.localdomain).</P> <P>&nbsp;</P> <P>(The users and group live in AD, but the IPA realm trusts the AD realms).</P> <P>&nbsp;</P> <P>Both the NFS client and the FAS are enrolled to IPA.LOCALDOMAIN and live under DNS domain ipa.localdomain.</P> <P>&nbsp;</P> <P>Note also that usernames on the clients are fully qualified - so my username is 'rns@localdomain' rather than just 'rns'.</P> <P>&nbsp;</P> <P>I can successfully mount a test volume on the Linux client with this:</P> <P>&nbsp;</P> <P># mount -o sec=krb5 netapp-nfs2.ipa.localdomain:/rnstest2 /mnt4</P> <P>#</P> <P>&nbsp;</P> <P>.. but when I try to access /mnt4 from a Linux client using my own identity (with a valid Kerberos ticket), I get permission denied:</P> <P>&nbsp;</P> <P>$ cd /mnt4<BR />-bash: cd: /mnt4: Permission denied</P> <P>&nbsp;</P> <P>The FAS event log shows:</P> <P>&nbsp;</P> <P>Time Node Severity Event<BR />------------------- ---------------- ------------- ---------------------------<BR />4/23/2018 12:15:38 netapp-poc01-01 ERROR Nblade.Nfsv4NsdbDomainMismatch: NFSv4 server 172.25.177.77 received domain string localdomain@ipa.localdomain from client 172.25.176.72, which does not match the '-v4-id-domain' value ipa.localdomain.<BR />4/23/2018 12:12:45 netapp-poc01-01 ERROR secd.nfsAuth.problem: vserver (netapp-nfs2) General NFS authorization problem. Error: RPC accept GSS token procedure failed<BR /> [ 0 ms] Using the NFS service credential for logical interface 1030 (SPN='nfs/netapp-nfs2.ipa.localdomain@IPA.LOCALDOMAIN') from cache.<BR /> [ 2] GSS_S_COMPLETE: client = 'rns@LOCALDOMAIN'<BR /> [ 2] Trying to map SPN 'rns@LOCALDOMAIN' to UNIX user 'rns' using implicit mapping<BR /> [ 5] Entry for user-name: rns not found in the current source: FILES. Ignoring and trying next available source<BR /> [ 6] Failed to initiate Kerberos authentication. Trying NTLM.<BR /> [ 6] Successfully connected to ip 172.25.176.51, port 389 using TCP</P> <P>&nbsp;</P> <P>The problem seems to be that Ontap is incorrectly parsing my identity as:</P> <P>&nbsp;</P> <P>&nbsp; user-name: rns</P> <P>&nbsp; domain string: localdomain@ipa.localdomain</P> <P>&nbsp;</P> <P>.. instead of:</P> <P>&nbsp;</P> <P>&nbsp; username: rns@localdomain</P> <P>&nbsp; domain string: ipa.localdomain</P> <P>&nbsp;</P> <P>Any idea how I can configure Ontap to parse this correctly?</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>Robert.</P> Wed, 04 Jun 2025 13:47:43 GMT robertns 2025-06-04T13:47:43Z https://community.netapp.com/t5/ONTAP-Discussions/Integrating-Ontap-with-multidomain-FreeIPA-Redhat-IdM/m-p/139745#M30872 <P>I'm trying to integrate a FAS (Ontap 9) with our FreeIPA (aka RedHat IdM) installation, so that we can offer NFSv4+krb5 to Linux clients.&nbsp; This is proving to be a&nbsp; bit tricky.</P> <P>&nbsp;</P> <P>Background:</P> <P>&nbsp;</P> <P>The IPA kerberos realm is: IPA.LOCALDOMAIN (corresponding dns: ipa.localdomain)</P> <P>However, the user realms are: LOCALDOMAIN (dns: localdomain) and STUDENT.LOCALDOMAIN (dns: student.localdomain).</P> <P>&nbsp;</P> <P>(The users and group live in AD, but the IPA realm trusts the AD realms).</P> <P>&nbsp;</P> <P>Both the NFS client and the FAS are enrolled to IPA.LOCALDOMAIN and live under DNS domain ipa.localdomain.</P> <P>&nbsp;</P> <P>Note also that usernames on the clients are fully qualified - so my username is 'rns@localdomain' rather than just 'rns'.</P> <P>&nbsp;</P> <P>I can successfully mount a test volume on the Linux client with this:</P> <P>&nbsp;</P> <P># mount -o sec=krb5 netapp-nfs2.ipa.localdomain:/rnstest2 /mnt4</P> <P>#</P> <P>&nbsp;</P> <P>.. but when I try to access /mnt4 from a Linux client using my own identity (with a valid Kerberos ticket), I get permission denied:</P> <P>&nbsp;</P> <P>$ cd /mnt4<BR />-bash: cd: /mnt4: Permission denied</P> <P>&nbsp;</P> <P>The FAS event log shows:</P> <P>&nbsp;</P> <P>Time Node Severity Event<BR />------------------- ---------------- ------------- ---------------------------<BR />4/23/2018 12:15:38 netapp-poc01-01 ERROR Nblade.Nfsv4NsdbDomainMismatch: NFSv4 server 172.25.177.77 received domain string localdomain@ipa.localdomain from client 172.25.176.72, which does not match the '-v4-id-domain' value ipa.localdomain.<BR />4/23/2018 12:12:45 netapp-poc01-01 ERROR secd.nfsAuth.problem: vserver (netapp-nfs2) General NFS authorization problem. Error: RPC accept GSS token procedure failed<BR /> [ 0 ms] Using the NFS service credential for logical interface 1030 (SPN='nfs/netapp-nfs2.ipa.localdomain@IPA.LOCALDOMAIN') from cache.<BR /> [ 2] GSS_S_COMPLETE: client = 'rns@LOCALDOMAIN'<BR /> [ 2] Trying to map SPN 'rns@LOCALDOMAIN' to UNIX user 'rns' using implicit mapping<BR /> [ 5] Entry for user-name: rns not found in the current source: FILES. Ignoring and trying next available source<BR /> [ 6] Failed to initiate Kerberos authentication. Trying NTLM.<BR /> [ 6] Successfully connected to ip 172.25.176.51, port 389 using TCP</P> <P>&nbsp;</P> <P>The problem seems to be that Ontap is incorrectly parsing my identity as:</P> <P>&nbsp;</P> <P>&nbsp; user-name: rns</P> <P>&nbsp; domain string: localdomain@ipa.localdomain</P> <P>&nbsp;</P> <P>.. instead of:</P> <P>&nbsp;</P> <P>&nbsp; username: rns@localdomain</P> <P>&nbsp; domain string: ipa.localdomain</P> <P>&nbsp;</P> <P>Any idea how I can configure Ontap to parse this correctly?</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>Robert.</P> Wed, 04 Jun 2025 13:47:43 GMT https://community.netapp.com/t5/ONTAP-Discussions/Integrating-Ontap-with-multidomain-FreeIPA-Redhat-IdM/m-p/139745#M30872 robertns 2025-06-04T13:47:43Z