I'm trying to integrate a FAS (Ontap 9) with our FreeIPA (aka RedHat IdM) installation, so that we can offer NFSv4+krb5 to Linux clients. This is proving to be a bit tricky.
The IPA kerberos realm is: IPA.LOCALDOMAIN (corresponding dns: ipa.localdomain)
However, the user realms are: LOCALDOMAIN (dns: localdomain) and STUDENT.LOCALDOMAIN (dns: student.localdomain).
(The users and group live in AD, but the IPA realm trusts the AD realms).
Both the NFS client and the FAS are enrolled to IPA.LOCALDOMAIN and live under DNS domain ipa.localdomain.
Note also that usernames on the clients are fully qualified - so my username is 'rns@localdomain' rather than just 'rns'.
I can successfully mount a test volume on the Linux client with this:
# mount -o sec=krb5 netapp-nfs2.ipa.localdomain:/rnstest2 /mnt4
.. but when I try to access /mnt4 from a Linux client using my own identity (with a valid Kerberos ticket), I get permission denied:
$ cd /mnt4 -bash: cd: /mnt4: Permission denied
The FAS event log shows:
Time Node Severity Event ------------------- ---------------- ------------- --------------------------- 4/23/2018 12:15:38 netapp-poc01-01 ERROR Nblade.Nfsv4NsdbDomainMismatch: NFSv4 server 172.25.177.77 received domain string email@example.com from client 172.25.176.72, which does not match the '-v4-id-domain' value ipa.localdomain. 4/23/2018 12:12:45 netapp-poc01-01 ERROR secd.nfsAuth.problem: vserver (netapp-nfs2) General NFS authorization problem. Error: RPC accept GSS token procedure failed [ 0 ms] Using the NFS service credential for logical interface 1030 (SPN='nfs/netapp-nfs2.ipa.localdomain@IPA.LOCALDOMAIN') from cache. [ 2] GSS_S_COMPLETE: client = 'rns@LOCALDOMAIN' [ 2] Trying to map SPN 'rns@LOCALDOMAIN' to UNIX user 'rns' using implicit mapping [ 5] Entry for user-name: rns not found in the current source: FILES. Ignoring and trying next available source [ 6] Failed to initiate Kerberos authentication. Trying NTLM. [ 6] Successfully connected to ip 172.25.176.51, port 389 using TCP
The problem seems to be that Ontap is incorrectly parsing my identity as:
domain string: firstname.lastname@example.org
.. instead of:
domain string: ipa.localdomain
Any idea how I can configure Ontap to parse this correctly?