svcgssd
Kevin Coffman
kwc at citi.umich.edu
Mon Jul 3 09:40:20 EDT 2006

On 7/3/06, Fredrik Tolf <fredrik at dolda2000.com> wrote:
> On Mon, 2006-07-03 at 14:54 +1000, Max Matveev wrote:
>
> > fredrik> This is rather crucial, because I have a couple of cases where the
> > fredrik> Kerberos principal name isn't directly mappable to the system's user
> > fredrik> names.
> > This is where idmapd comes in and helps to map a
> > vasily.ivanovich at kremlin.ru to local uid 0.
>
> Now correct me if I'm wrong, but idmapd never knows the GSS name of a
> user, right?
svcgssd uses the same library, libnfsidmap, that idmapd uses to map
the GSS name to a local UID/GID. So no, idmapd doesn't deal with GSS
names, but svcgssd does.

There are two modes that can be used to do name/id mapping. The
default is "nss", using whatever method is configured in
/etc/nsswitch.conf. This basically assumes that you can strip off the
@REALM part of a GSS auth name and get the local name. If you use the
"umich_ldap" method, user entries can (must) have a GSSAuthName LDAP
attribute to enable mapping directly from a GSS auth name to a local
name (uid) and uidnumber/gidnumber.

K.C.
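As an added illustration (not code from this thread or from libnfsidmap), the two translation modes Kevin describes, modelled in Python over constructed data: the passwd table, the LDAP entries with their GSSAuthName attribute, the realm list and the nobody fallback are all assumptions made for the demo, not the library's real configuration or lookup API.

```python
# Added example: toy model of the "nss" and "umich_ldap" name/id mapping
# modes that svcgssd gets from libnfsidmap. All data here is constructed.
from typing import FrozenSet, Tuple

# Constructed stand-in for getpwnam()/nsswitch lookups: name -> (uid, gid).
LOCAL_PASSWD = {"fredrik": (1000, 1000), "root": (0, 0)}

# Constructed stand-in for LDAP user entries keyed by their GSSAuthName
# attribute, giving the local name plus uidnumber/gidnumber.
UMICH_LDAP = {
    "vasily.ivanovich@KREMLIN.RU": ("root", 0, 0),
    "fredrik@DOLDA2000.COM": ("fredrik", 1000, 1000),
}

NOBODY = ("nobody", 65534, 65534)  # assumed fallback when nothing maps

def split_principal(princ: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, REALM); a missing realm is rejected."""
    if "@" not in princ:
        raise ValueError(f"GSS auth name without realm: {princ!r}")
    name, realm = princ.rsplit("@", 1)
    return name, realm

def map_nss(princ: str, local_realms: FrozenSet[str]) -> Tuple[str, int, int]:
    """'nss' mode: strip @REALM and look the bare name up in local passwd.
    Only principals from a realm treated as local are mapped this way, so
    fredrik@OTHER.REALM does not silently become local user fredrik."""
    name, realm = split_principal(princ)
    if realm not in local_realms or name not in LOCAL_PASSWD:
        return NOBODY
    uid, gid = LOCAL_PASSWD[name]
    return name, uid, gid

def map_umich_ldap(princ: str) -> Tuple[str, int, int]:
    """'umich_ldap' mode: the full GSS auth name is the lookup key, so the
    local name need not resemble the Kerberos principal at all."""
    return UMICH_LDAP.get(princ, NOBODY)

def gss_princ_to_ids(method: str, princ: str,
                     local_realms: FrozenSet[str] = frozenset()):
    if method == "nss":
        return map_nss(princ, local_realms)
    if method == "umich_ldap":
        return map_umich_ldap(princ)
    raise ValueError(f"unknown translation method: {method}")

if __name__ == "__main__":
    print(gss_princ_to_ids("nss", "fredrik@DOLDA2000.COM",
                           frozenset({"DOLDA2000.COM"})))
    print(gss_princ_to_ids("umich_ldap", "vasily.ivanovich@KREMLIN.RU"))
```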