Should kerberos user principals with instance work?

Kevin Coffman kwc at citi.umich.edu
Fri Oct 6 16:22:12 EDT 2006


On 10/6/06, Christian G. Warden <cwarden at xerus.org> wrote:
> On Fri, Oct 06, 2006 at 03:34:58PM -0400, Kevin Coffman wrote:
> > On 10/6/06, Christian G. Warden <cwarden at xerus.org> wrote:
> > >I'm having trouble accessing files on an nfs4 (or nfs3) volume mounted with
> > >sec=krb5 when using a kerberos principal which contains a non-null
> > >instance.
> > >Should principal sample/test@EXAMPLE.COM be able to access files owned
> > >by sample?
> > >
> > >Thanks,
> > >Christian
> >
> > I think this should work as long as your idmapping knows how to map
> > this name.  If you are using the default nss mapping, then it will be
> > trying to map "sample/test" to a UID and will probably fail and wind
> > up mapping to nfsnobody.  (Assuming a Linux server.)
>
> OK.  I assume there's no support for rewriting names in rpc.idmapd.  Any
> idea whether it's possible to do so within nss_ldap or openldap?

I don't know the answer to that.  We use our "umich_ldap" idmapping
and are able to map the "GSSAuthName" to the correct local account
(uid and groups).

K.C.
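
The mapping behaviour discussed in this thread, as an added example that is not part of the original message and is not rpc.idmapd or libnfsidmap code: a simplified Python model comparing a default-style name lookup, an exact-principal lookup in the manner of the GSSAuthName attribute, and a blanket instance-stripping rewrite. The uid values, tables, function names and the fallback order are assumptions constructed for illustration.

```python
# Simplified model (added example) of mapping a GSS principal to a local uid.
from typing import Dict, Tuple

NOBODY_UID = 65534  # assumed uid of the nobody/nfsnobody account

# Constructed stand-in for the passwd database behind the nss lookup.
PASSWD: Dict[str, int] = {"sample": 1000}

# Constructed stand-in for a directory that records the full principal on the
# account entry, the role the GSSAuthName attribute plays in the reply above.
GSS_AUTH_NAME: Dict[str, str] = {"sample/test@EXAMPLE.COM": "sample"}


def split_principal(principal: str) -> Tuple[str, str]:
    """Return (name including any instance, realm) for 'name@REALM'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal: {principal!r}")
    return name, realm


def map_nss(principal: str, local_realm: str) -> int:
    """Default-style mapping: strip the realm, look the rest up unchanged."""
    name, realm = split_principal(principal)
    if realm != local_realm:
        return NOBODY_UID
    # "sample/test" is not an account name, so this lookup misses.
    return PASSWD.get(name, NOBODY_UID)


def map_explicit(principal: str, local_realm: str) -> int:
    """Exact principal match first, then the default lookup (assumed order)."""
    local = GSS_AUTH_NAME.get(principal)
    if local is not None:
        return PASSWD.get(local, NOBODY_UID)
    return map_nss(principal, local_realm)


def map_strip_instance(principal: str, local_realm: str) -> int:
    """Blanket rewrite that drops the instance; every instance collapses."""
    name, realm = split_principal(principal)
    if realm != local_realm:
        return NOBODY_UID
    return PASSWD.get(name.split("/", 1)[0], NOBODY_UID)
```

The exact-match table grants access only to the instances an administrator listed, while the blanket rewrite gives every `sample/<anything>` principal the uid of `sample`.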

