Kerberized NFS and SSSD

I’m coming from the Ubuntu world where upon login, I automatically have a Kerberos ticket, and autofs is able to mount my NFS share.

For further context, I used this guide.

I was unable to replicate this setup in CachyOS. Instead, after login, I must run

  • kinit
  • sudo systemctl start rpc-gssd
  • sudo systemctl restart autofs

to get things working.

I tried using sudo authselect select sssd --force as well as manual configuration of /etc/pam.d/system-auth, but had no success. Any tips on how to configure this correctly?

To autostart the rpc-gssd service, enable it:

sudo systemctl enable rpc-gssd

I have never used Kerberos, but there is the ArchWiki for it.

The unit files have no installation config (WantedBy=, RequiredBy=, UpheldBy=,
Also=, or Alias= settings in the [Install] section, and DefaultInstance= for
template units). This means they are not meant to be enabled or disabled using systemctl.
 
Possible reasons for having these kinds of units are:
• A unit may be statically enabled by being symlinked from another unit's
  .wants/, .requires/, or .upholds/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
  a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
  D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
  instance name specified.

I got it working!

  • Installed pam-krb5
  • Created and enabled a custom authselect profile based on the sssd one and added pam_krb5.so to all four sections in system-auth
  • Modified sssd.service to run as root as per the wiki
  • Enabled nfs-client.target

/etc/pam.d/system-auth

# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_krb5.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so
account     required                                     pam_krb5.so minimum_uid=1000

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_krb5.so minimum_uid=1000 try_first_pass use_authtok
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
password    [success=1 default=ignore]                   pam_localuser.so
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_krb5.so minimum_uid=1000
session     optional                                     pam_sss.so

/etc/sssd/sssd.conf

[sssd]
services = pam
domains = thegalaxy

[domain/thegalaxy]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = earth.thegalaxy
krb5_kpasswd = earth.thegalaxy
krb5_realm = THEGALAXY
krb5_renewable_lifetime = 90d
krb5_renew_interval = 500

/etc/systemd/system/sssd.service.d/override.conf

[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/sysconfig/sssd
ExecStartPre=+-/bin/chown -f root:sssd /etc/sssd
ExecStartPre=+-/bin/chown -f root:sssd /etc/sssd/sssd.conf
ExecStartPre=+-/bin/chown -f -R root:sssd /etc/sssd/conf.d
ExecStartPre=+-/bin/chown -f -R root:sssd /etc/sssd/pki
ExecStartPre=+-/bin/sh -c "/bin/chown -f root:sssd /var/lib/sss/db/*.ldb"
ExecStartPre=+-/bin/sh -c "/bin/chown -f root:sssd /var/lib/sss/gpo_cache/*"
ExecStartPre=+-/bin/sh -c "/bin/chown -f root:sssd /var/log/sssd/*.log"
#ExecStart=/usr/bin/sssd -i ${DEBUG_LOGGER}
Type=notify
NotifyAccess=main
Restart=on-abnormal
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH
#SecureBits=noroot noroot-locked
User=root
Group=sssd
# If service configured to be run under "root", uncomment "SupplementaryGroups"
#SupplementaryGroups=sssd
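A check for the PAM stack above, added here as an example and not part of the poster's setup or of authselect: a small Python parser for PAM service files that confirms pam_krb5.so is present in all four management groups, that it comes before the terminating pam_deny.so, and that resolves the bracketed `default=N` / `success=N` skip counts so you can see which module each jump lands on after a line has been inserted. The embedded file is a constructed copy of the system-auth shown above; the function names and the check logic are assumptions of this example, not anything the page or authselect provides.

```python
"""Validate pam_krb5.so placement in a PAM service file (added example).

On a real host you would read /etc/pam.d/system-auth; here a constructed
copy of the stack from the post is embedded so the checker runs offline.
"""
import re

# Constructed sample: the system-auth stack shown in the post.
SAMPLE_SYSTEM_AUTH = """\
# Generated by authselect
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_krb5.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so
account     required                                     pam_krb5.so minimum_uid=1000
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_krb5.so minimum_uid=1000 try_first_pass use_authtok
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
password    [success=1 default=ignore]                   pam_localuser.so
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_krb5.so minimum_uid=1000
session     optional                                     pam_sss.so
"""

GROUPS = ("auth", "account", "password", "session")

# A PAM line is "[-]type control module [args...]"; the control field is
# either a single word or a bracketed "[key=val ...]" expression with spaces.
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_pam(text):
    """Return {group: [(control, module, args), ...]} in file order."""
    stack = {g: [] for g in GROUPS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        group, control, module, args = m.groups()
        if group in stack:
            stack[group].append((control, module, args or ""))
    return stack


def check_krb5_stack(text, module="pam_krb5.so"):
    """Per group: is `module` present, and does it precede the last pam_deny.so?"""
    report = {}
    for group, entries in parse_pam(text).items():
        modules = [mod for _, mod, _ in entries]
        pos = modules.index(module) if module in modules else None
        deny = [i for i, mod in enumerate(modules) if mod == "pam_deny.so"]
        before_deny = pos is not None and (not deny or pos < deny[-1])
        report[group] = {"present": pos is not None, "before_deny": before_deny}
    return report


def skip_targets(entries):
    """Resolve bracketed 'action=N' controls (N = skip the next N modules).

    Returns [(module_with_jump, action, module_the_jump_lands_on_or_None)].
    """
    out = []
    for i, (control, module, _) in enumerate(entries):
        if not control.startswith("["):
            continue
        for token in control.strip("[]").split():
            action, _, value = token.partition("=")
            if value.isdigit():
                target = i + int(value) + 1
                landing = entries[target][1] if target < len(entries) else None
                out.append((module, action, landing))
    return out


if __name__ == "__main__":
    for group, r in check_krb5_stack(SAMPLE_SYSTEM_AUTH).items():
        print(f"{group:9} present={r['present']} before_deny={r['before_deny']}")
    for src, action, landing in skip_targets(parse_pam(SAMPLE_SYSTEM_AUTH)["auth"]):
        print(f"auth: {src} {action}=N jumps to {landing}")
```

On the sample, the `default=1` jump on the auth group's `pam_localuser.so` line lands on `pam_unix.so`, so the inserted `pam_krb5.so` line is consulted only for accounts that `pam_localuser.so` recognises as local. That matches the `id_provider = proxy` / `proxy_lib_name = files` domain above, but it is the first thing to re-check before reusing this stack with a different id_provider.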