FreeIPA autofs integration

Hi,

I already read through pretty much everything I could find but was unfortunately only partially successful.

I see great potential in using NixOS for workstation deployments at work, which is exactly where I want to use it. Therefore I want to join the machines to our FreeIPA domain and have them use user homes via NFS. So far I have been successful in joining the dev machine to the domain; however, I was unable to find a way to include the autofs configuration that other systems get from the FreeIPA server.

I have taken a look at the ipa Nix module, but there was no configuration option for that, so I fear I have to get this running on my own, which in turn will probably not make use of the centralized configuration and instead be done in Nix.

What I’ve got so far is this module(?):

{ config, lib, pkgs, ... }:

let
  # Won't this error out if ipa is not configured, which is only checked afterwards? Investigate another day since all machines will be joined anyways
  domain = config.security.ipa.domain;
in
{
  config = lib.mkIf config.security.ipa.enable {
    services.cachefilesd.enable = true; # Hopefully speeds up NFS

    # Per-user home directories live below this mount (/mnt/home/<user>)
    fileSystems."/mnt/home" = {
      device = "nfs.${domain}:/srv/nfs/export/homes";
      fsType = "nfs";
      # systemd automount on first access, unmount after 60s idle; sec=krb5p = Kerberos auth + integrity + privacy
      options = [ "user" "x-systemd.automount" "noauto" "x-systemd.idle-timeout=60" "x-systemd.device-timeout=5s" "x-systemd.mount-timeout=5s" "sec=krb5p" ];
    };

    # Group-accessible shared folder, same mount semantics as above
    fileSystems."/mnt/shared" = {
      device = "nfs.${domain}:/srv/nfs/export/shared";
      fsType = "nfs";
      options = [ "user" "x-systemd.automount" "noauto" "x-systemd.idle-timeout=60" "x-systemd.device-timeout=5s" "x-systemd.mount-timeout=5s" "sec=krb5p" ];
    };
  };
}

It allows for my users to get their userhome and should provide a shared folder. This is where I am currently stuck (and very confused about the behavior).

Access control seems to work fine for whatever reason. When I log in as one of my IPA users, the home is mounted and accessed. To be specific, to my understanding, /mnt/home is mounted and the user blindly but successfully cds into their home at /mnt/home/${user}. So far so good. This looks reasonably secure. No user can ls in /mnt/home and every user can only access their own directory. Unfortunately the same cannot be said for the shared directory. No matter which user I try to use, I cannot access it.

During troubleshooting I noticed something else, which is where my confusion comes from: when logging in, my users acquire their Kerberos ticket-granting ticket, but they never request an NFS ticket, so how in this world is the home share even authenticated? It is set to use krb5p, which to my understanding means that the connection is both authenticated and encrypted using Kerberos.

That likely also explains why I cannot access the shared directory. Whichever ticket is used here likely is not part of the group that has access to the share.

Now I am left wondering:

  1. What do I need to change so the user is the one mounting and authenticating the share?
  2. What is currently happening instead?
  3. Is there an option to use the IPA provided automount settings instead so everything stays in one place that I missed?

Edit: I actually misconfigured the shared directory to only grant user but not group permissions even though the correct group owned it, so I can now access it; however, this still leaves me with the same three questions.
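The questions above boil down to "which credential is actually authenticating the NFS session for this user?". The following is an added diagnostic, not part of the original post and not from the NixOS ipa module: two small shell checks that (a) confirm from /proc/mounts-style data that a mount point really carries sec=krb5p and (b) list the nfs/ service tickets present in a user's klist output, since a user accessing a krb5p export with their own TGT should end up with such a ticket in their credential cache. Hostnames (nfs.example.com), the realm EXAMPLE.COM and both sample outputs are constructed for the example; on a real machine feed it /proc/mounts and the user's klist output instead.

```shell
#!/bin/sh
# Added example (not from the original post): check whether an NFS mount is
# really using Kerberos (sec=krb5p) and whether the logged-in user holds an
# nfs/ service ticket for it. All sample data below is constructed.

# Return 0 if the /proc/mounts-formatted text on stdin shows MOUNTPOINT
# mounted as nfs/nfs4 with the exact option sec=krb5p, else 1.
# Usage: mount_uses_krb5p /mnt/home < /proc/mounts
mount_uses_krb5p() {
    awk -v mp="$1" '
        $2 == mp && $3 ~ /^nfs/ {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "sec=krb5p") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Print every nfs/... service principal found in klist output on stdin.
# The principal is always the last field of a ticket line.
# Usage: klist | nfs_service_tickets
nfs_service_tickets() {
    awk '$NF ~ /^nfs\// { print $NF }'
}

# Combine both checks for one mount point. Prints a one-line verdict and
# returns 0 only when the mount is krb5p AND the user holds an nfs/ ticket;
# 1 when the mount is not krb5p, 2 when the user has no nfs/ ticket.
# Usage: check_nfs_auth MOUNTPOINT "$(cat /proc/mounts)" "$(klist)"
check_nfs_auth() {
    mp="$1"; mounts="$2"; klist_out="$3"
    if ! printf '%s\n' "$mounts" | mount_uses_krb5p "$mp"; then
        echo "WARN: $mp is not mounted with sec=krb5p"
        return 1
    fi
    tickets=$(printf '%s\n' "$klist_out" | nfs_service_tickets)
    if [ -z "$tickets" ]; then
        echo "WARN: $mp is krb5p but no nfs/ service ticket is in the user's credential cache"
        return 2
    fi
    echo "OK: $mp uses sec=krb5p and the user holds $tickets"
}

# --- constructed sample data (stand-ins for /proc/mounts and klist) ---
SAMPLE_MOUNTS='nfs.example.com:/srv/nfs/export/homes /mnt/home nfs4 rw,relatime,vers=4.2,sec=krb5p,clientaddr=192.0.2.10 0 0
nfs.example.com:/srv/nfs/export/shared /mnt/shared nfs4 rw,relatime,vers=4.2,sec=sys 0 0'

SAMPLE_KLIST='Ticket cache: KCM:1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/01/2024 10:00:00  06/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
06/01/2024 10:00:05  06/01/2024 20:00:00  nfs/nfs.example.com@EXAMPLE.COM'

# Stand-alone demo on the constructed samples; on a real client replace with:
#   check_nfs_auth /mnt/home "$(cat /proc/mounts)" "$(klist 2>/dev/null)"
check_nfs_auth /mnt/home   "$SAMPLE_MOUNTS" "$SAMPLE_KLIST" || true
check_nfs_auth /mnt/shared "$SAMPLE_MOUNTS" "$SAMPLE_KLIST" || true
```

Run it as the IPA user after the automount has been triggered (cd into the home first) so that the credential cache inspected by klist is the user's own; a mount that reports sec=sys, or a user cache without any nfs/ principal, is the first thing to look at before touching group permissions on the shared export.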