svcgssd

Max Matveev makc at sgi.com
Mon Jul 3 00:54:24 EDT 2006


>>>>> "fredrik" == Fredrik Tolf <fredrik at dolda2000.com> writes:

 fredrik> On Wed, 2006-06-28 at 13:20 +0200, Fredrik Tolf wrote:
 >> I just grepped the nfs-utils-1.0.8 source tree for `kuserok', and found
 >> that it returned no matches. That leads me to wonder: how does svcgssd
 >> actually authorize what principals are allowed for access to a certain
 >> UID?

 fredrik> I've been trying to debug this issue, and I've got a
 fredrik> question: Does svcgssd even know what UID or username a
 fredrik> certain context is initialized for, or does it only know the
 fredrik> GSS name of the user?
It only knows the name in the GSS context, not the name at the other
end or the name on the server end.

 fredrik> This is rather crucial, because I have a couple of cases where the
 fredrik> Kerberos principal name isn't directly mappable to the system's user
 fredrik> names.
This is where idmapd comes in and helps to map a
vasily.ivanovich at kremlin.ru to local uid 0.

max