svcgssd

Fredrik Tolf fredrik at dolda2000.com
Mon Jul 3 13:10:05 EDT 2006


On Mon, 2006-07-03 at 12:19 -0400, J. Bruce Fields wrote:
> On Mon, Jul 03, 2006 at 05:51:25PM +0200, Fredrik Tolf wrote:
> > 1. There already is a way of authorizing krb principals by way of the
> > ~/.k5login file, so I don't think that it should have to be duplicated.
> > Would it be very hard to make the kernel pass the actual username/UID to
> > svcgssd?
> 
> The kernel doesn't know about .k5login; it doesn't really know how to
> authenticate principals at all, in fact.  It just passes those initial context
> establishment patches up to svcgssd, and it's svcgssd that tells the kernel
> which uid (and gid's) to associate with an incoming context.

There's one thing that I've just assumed so far, but from what you
write, I'm not so sure if it's correct anymore. What I've assumed is
that the kernel knows the UID or NFSv4 username -- is that correct? If
it is not, then what is the purpose of idmapd? Isn't its purpose to map
UIDs to usernames (and vice versa) so that a username can be sent over
NFS?

Or is the kernel supposed to just be able to know the login user from
the GSS name? In that case, it almost sounds like a bug in the
protocol...

Fredrik Tolf



