FreeIPA autofs integration

Hi,

I already read through pretty much everything I could find but was unfortunately only partially successful.

I see great potential in using NixOS for workstation deployments at work, which is exactly where I want to use it. Therefore I want to join the machines into our FreeIPA domain and have them use user homes via NFS. So far I have been successful in joining the dev machine into the domain; however, I was unable to find a way to include the autofs configuration that other systems get from the FreeIPA server.

I have taken a look at the ipa Nix module, but there was no configuration option for that, so I fear I have to get this running on my own, which in turn will probably not make use of the centralized configuration and instead be done in Nix.

What I’ve got so far is this module(?):

{ config, lib, pkgs, ... }:

let
  # Won't this error out if ipa is not configured, which is only checked afterwards? Investigate another day since all machines will be joined anyways
  domain = config.security.ipa.domain;
  # Both exports use the same mount options: systemd automount on first access,
  # unmount after 60s idle, short device/mount timeouts, and Kerberos with
  # integrity and privacy (sec=krb5p) on the wire.
  nfsOptions = [ "user" "x-systemd.automount" "noauto" "x-systemd.idle-timeout=60" "x-systemd.device-timeout=5s" "x-systemd.mount-timeout=5s" "sec=krb5p" ];
in
{
  config = lib.mkIf config.security.ipa.enable {
    services.cachefilesd.enable = true; # Hopefully speeds up NFS
    fileSystems."/mnt/home" = {
      device = "nfs.${domain}:/srv/nfs/export/homes";
      fsType = "nfs";
      options = nfsOptions;
    };
    fileSystems."/mnt/shared" = {
      device = "nfs.${domain}:/srv/nfs/export/shared";
      fsType = "nfs";
      options = nfsOptions;
    };
  };
}

It allows my users to get their user home and should provide a shared folder. This is where I am currently stuck (and very confused about the behavior).

Access control seems to work fine for whatever reason. When I log in as one of my IPA users, the home is mounted and accessed. To be specific, to my understanding, /mnt/home is mounted and the user blindly but successfully cds into their home at /mnt/home/${user}. So far so good. This looks reasonably secure. No user can ls in /mnt/home, and every user can only access their own directory. Unfortunately the same cannot be said for the shared directory. No matter which user I try to use, I cannot access it.

During troubleshooting I noticed something else, which is where my confusion comes from: when logging in, my users acquire their Kerberos ticket-granting ticket, but they never request an NFS ticket, so how in this world is the home share even authenticated? It is set to use krb5p, which to my understanding means that the connection is both authenticated and encrypted using Kerberos.

That likely also explains why I cannot access the shared directory. Whichever ticket is used here likely is not part of the group that has access to the share.

Now I am left wondering:

  1. What do I need to change so the user is the one mounting and authenticating the share?
  2. What is currently happening instead?
  3. Is there an option to use the IPA provided automount settings instead so everything stays in one place that I missed?

Edit: I actually misconfigured the shared directory to only grant user but not group permissions, even though the correct group owned it, so I can now access it; however, this still leaves me with the same three questions.

Hi, I am in a similar situation. I got FreeIPA working, but I need my automounts.

When I run ipa-client-automount --location=$LOCATION, it errors out:

Traceback (most recent call last):
  File "/nix/store/w19615qffdyv8nx1vrn1ckcf9q67ln8h-freeipa-4.12.3/bin/.ipa-client-automount-wrapped", line 25, in <module>
    from ipaclient.install.ipa_client_automount import main
  File "/nix/store/w19615qffdyv8nx1vrn1ckcf9q67ln8h-freeipa-4.12.3/lib/python3.12/site-packages/ipaclient/install/ipa_client_automount.py", line 33, in <module>
    import SSSDConfig
ModuleNotFoundError: No module named 'SSSDConfig'

Have you experienced this problem?

I have tried to perform this manually by adding a few lines to /etc/nsswitch.conf and /etc/sssd/sssd.conf through modifying the modules in nixpkgs, but it seems autofs doesn't look for the mounts.

I basically did all the equivalent steps of this guide but for NixOS: 13.2.7. Configuring Services: autofs | Red Hat Product Documentation

In theory autofs should look for the property automount: sss in /etc/nsswitch.conf, which I populated.
https://docs.pagure.org/sssd.sssd/design_pages/autofs_integration.html#autofs-lookup-modules

Module modifications:
ipa.nix:

229a230
>       autofs_provider = ipa
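Review bot: the ipa.nix hunks are in normal diff format without context lines, so it is not visible which sssd.conf section `autofs_provider = ipa` is inserted into; `autofs_provider` is a `[domain/...]` option, and posting the change as a unified diff (`diff -u`) would make that placement verifiable.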
233a235
>       ipa_automount_location = default
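Review bot: `ipa_automount_location = default` is hard-coded into the generated sssd.conf, while the client-side tooling in this thread is invoked with `--location=$LOCATION`; consider making the location a module option next to the existing `security.ipa.*` settings (defaulting to `default`) so hosts in other FreeIPA automount locations can be configured without patching the module again.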
247c249
<       services = nss, sudo, pam, ssh, ifp
---
>       services = nss, sudo, pam, ssh, ifp, autofs

nsswitch.nix

28a29,40
>       automount = lib.mkOption {
>         type = lib.types.listOf lib.types.str;
>         description = ''
>           List of automount entries to configure in {file}`/etc/nsswitch.conf`.
>
>           Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
>
>           This option only takes effect if nscd is enabled.
>         '';
>         default = [ ];
>       };
>
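Review bot: the description of the new `automount` option says "files" is always prepended and "systemd" is appended when nscd is enabled, but the rendering hunk for the same file emits only the configured list (`automount: ${lib.concatStringsSep " " config.system.nssDatabases.automount}`), so neither happens; either drop those two sentences from the description or render the line the same way as the other databases whose descriptions they were copied from.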
128a141
>       automount: ${lib.concatStringsSep " " config.system.nssDatabases.automount}
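Review bot: with the option's default of `[ ]`, this line renders an empty `automount:` entry into /etc/nsswitch.conf on every host that does not set the option; guard it with `lib.optionalString (config.system.nssDatabases.automount != [ ]) "automount: ..."` (or give the option a non-empty default such as `[ "files" ]`) so the stock configuration is left unchanged.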

And set system.nssDatabases.automount = [ "sss" ];

Sorry for the long silence. Had to put the project on ice and will likely have to do so again. Sounds like a solid approach though. Does it work?

Yes, I managed to get it working. I just needed to add +auto.master to the autofs config.

Here are the steps I followed: freeipa: ipa-client-automount fails with No module named 'SSSDConfig' · Issue #380853 · NixOS/nixpkgs · GitHub.

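Putting the thread's pieces together, here is an added check script (not code from any of the posters, and not part of nixpkgs or FreeIPA) that verifies the four settings the thread ended up needing are actually present in the generated files: the `automount: sss` entry in nsswitch.conf, the `autofs` responder in the `[sssd]` services list, `autofs_provider = ipa` in the domain section, and the `+auto.master` line from the last reply. File paths are passed as arguments; the sample files it writes are constructed here (the domain `example.com` and the exact lines are modelled on the diff above, not copied from a real host), so the script runs offline:

```shell
#!/usr/bin/env sh
# Added example, not code from anyone in this thread. Read-only check that the
# four pieces discussed above are present in the generated files:
#   1. nsswitch.conf            automount: ... sss ...
#   2. sssd.conf  [sssd]        services = ..., autofs
#   3. sssd.conf  [domain/X]    autofs_provider = ipa
#   4. auto.master              +auto.master   (include the NSS-provided master map)
# Paths are arguments so the checks can run against /etc or against copies.
# write_sample_configs builds constructed sample files (modelled on the diff in
# the thread; the domain "example.com" is made up) so the script runs offline.

# Print the value of KEY in [SECTION] of an INI-style file such as sssd.conf
# (empty output when the section or key is absent).
ini_get() {
  awk -v sect="[$2]" -v key="$3" '
    /^[ \t]*\[/ { cur = $0; sub(/^[ \t]+/, "", cur); sub(/[ \t]+$/, "", cur) }
    cur == sect {
      line = $0
      if (match(line, "^[ \t]*" key "[ \t]*=")) {
        sub(/^[^=]*=[ \t]*/, "", line)
        print line
        exit
      }
    }
  ' "$1"
}

# Exit 0 if ITEM appears in a comma- or space-separated LIST string.
list_has() {
  printf '%s\n' "$1" | tr ',' ' ' | grep -qw -- "$2"
}

# Print the sources configured on the "automount:" line of an nsswitch.conf.
nss_automount_sources() {
  sed -n 's/^[[:space:]]*automount:[[:space:]]*//p' "$1" | head -n 1
}

# Run all four checks; prints one line per check and returns the number of failures.
check_autofs_integration() {
  nss="$1"; sssd="$2"; domain="$3"; master="$4"; failed=0

  if list_has "$(nss_automount_sources "$nss")" sss; then
    echo "ok   nsswitch.conf: automount lookups go to sss"
  else
    echo "FAIL nsswitch.conf: no 'automount: ... sss' entry"; failed=$((failed + 1))
  fi

  if list_has "$(ini_get "$sssd" sssd services)" autofs; then
    echo "ok   sssd.conf: [sssd] services include autofs"
  else
    echo "FAIL sssd.conf: [sssd] services do not include autofs"; failed=$((failed + 1))
  fi

  if [ "$(ini_get "$sssd" "domain/$domain" autofs_provider)" = ipa ]; then
    echo "ok   sssd.conf: [domain/$domain] autofs_provider = ipa"
  else
    echo "FAIL sssd.conf: [domain/$domain] autofs_provider is not ipa"; failed=$((failed + 1))
  fi

  if grep -qE '^[[:space:]]*\+auto\.master' "$master"; then
    echo "ok   auto.master: '+auto.master' pulls the master map from NSS"
  else
    echo "FAIL auto.master: no '+auto.master' line"; failed=$((failed + 1))
  fi

  return "$failed"
}

# Constructed sample files. VARIANT "fixed" mirrors the thread's patched module
# (all four pieces present); "stock" leaves out the sssd autofs responder and provider.
write_sample_configs() {
  dir="$1"; variant="$2"
  printf 'passwd:    files sss systemd\ngroup:     files sss systemd\nautomount: sss\n' > "$dir/nsswitch.conf"
  {
    echo "[domain/example.com]"
    echo "id_provider = ipa"
    if [ "$variant" = fixed ]; then
      echo "autofs_provider = ipa"
      echo "ipa_automount_location = default"
    fi
    echo ""
    echo "[sssd]"
    if [ "$variant" = fixed ]; then
      echo "services = nss, sudo, pam, ssh, ifp, autofs"
    else
      echo "services = nss, sudo, pam, ssh, ifp"
    fi
    echo "domains = example.com"
  } > "$dir/sssd.conf"
  printf '+auto.master\n' > "$dir/auto.master"
}

# Demo on the constructed samples. On a real host call, for example:
# check_autofs_integration /etc/nsswitch.conf /etc/sssd/sssd.conf <domain> <path to auto.master>
tmp=$(mktemp -d)
for variant in stock fixed; do
  echo "== $variant configuration =="
  write_sample_configs "$tmp" "$variant"
  rc=0
  check_autofs_integration "$tmp/nsswitch.conf" "$tmp/sssd.conf" example.com "$tmp/auto.master" || rc=$?
  echo "-> $rc check(s) failed"
done
rm -rf "$tmp"
```

The "stock" variant reproduces the state before the nixpkgs modules were patched and fails two of the four checks; the "fixed" variant passes all four. The auto.master path is left as an argument because the NixOS autofs module generates that file from `services.autofs.autoMaster` rather than necessarily placing it at /etc/auto.master.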