svcgssd

Trond Myklebust trond.myklebust at fys.uio.no
Mon Jul 3 16:09:33 EDT 2006


On Mon, 2006-07-03 at 20:21 +0200, Fredrik Tolf wrote:
> I see. There was the source of my confusion. I was under the impression that an NFSv4
> name was passed along as well when the context was created. As I wrote in another mail,
> the lack thereof is, at least to me, indicative of a bug in the protocol... every other
> Kerberos-authenticated protocol that I know of (Krb5 GSSAPI over SASL, krexec, ktelnet,
> ssh with gssapi-with-mic, etc.) passes a local (or semi-local, such as an NFSv4 name)
> name before or along with the creation of a Kerberos context. Kerberos itself
> essentially only uses krb5_aname_to_localname when authorizing a user who doesn't have
> a ~/.k5login file.

The NFS server is what decides which identity to map the user to. It is
not the client, nor is it the kerberos server. What would be the value
of having the client pass a username to the server in such a model?

AFAICS, the only place where it makes sense for the client to pass a
username/groupname is in cases where a user operation forces the server
to choose one particular username/groupname out of the many that it may
have mapped the user to.

Cheers,
  Trond
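A small model of the point made above, added here as an example and not code from the thread or from any NFS implementation: the server holds the only mapping from an authenticated Kerberos principal to local identities, and a name supplied by the client can at most select among identities the server has already mapped the principal to, never add one. The table, principal names and user/group names are constructed sample data; `map_identity` and `parse_principal` are hypothetical helpers, not an rpc.svcgssd or idmapd API.

```python
"""Server-side identity mapping for a GSS-authenticated NFS request.

Added example (not from the thread): models the principle that the server,
not the client, decides which local identity a Kerberos principal maps to.
The mapping table, principal names and user names are constructed samples.
"""
import re

# Constructed server-side table: one principal may map to several local
# (user, group) identities, e.g. a user who belongs to more than one group.
SERVER_IDMAP = {
    "alice@EXAMPLE.COM": [("alice", "staff"), ("alice", "wheel")],
    "nfs/host.example.com@EXAMPLE.COM": [("root", "root")],
}

# name[/instance]@REALM, the shape of a Kerberos v5 principal
PRINCIPAL_RE = re.compile(
    r"^(?P<name>[^/@]+)(/(?P<inst>[^@]+))?@(?P<realm>[A-Z0-9.-]+)$")


def parse_principal(principal):
    """Split 'name[/instance]@REALM' into parts; raise ValueError if malformed."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError("malformed principal: %r" % principal)
    return m.group("name"), m.group("inst"), m.group("realm")


def map_identity(principal, requested=None):
    """Return the (user, group) the server will act as for this principal.

    `principal` is the authenticated name from the GSS context; `requested`
    is an optional (user, group) the client asks for. The request is honoured
    only if it is one of the identities the server already mapped the
    principal to; otherwise the server's first choice is used. A client thus
    cannot name itself into an identity the server never granted it.
    """
    parse_principal(principal)          # reject garbage before any lookup
    candidates = SERVER_IDMAP.get(principal)
    if not candidates:
        return None                     # unknown principal: caller squashes or denies
    if requested in candidates:
        return requested                # client picked one of its own identities
    return candidates[0]                # server's default choice


if __name__ == "__main__":
    print(map_identity("alice@EXAMPLE.COM"))
    print(map_identity("alice@EXAMPLE.COM", ("alice", "wheel")))
    print(map_identity("alice@EXAMPLE.COM", ("root", "root")))
```

The third call shows the property Trond describes: asking for `root` does nothing because the server never mapped that principal to `root`; the only request that changes the outcome is one choosing among the identities the server itself assigned.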
