Per User Authentication for Per User Authorization
Kevin Coffman
kwc at citi.umich.edu
Wed Dec 5 10:00:59 EST 2007
On Dec 5, 2007 5:33 AM, Jan Sanders <jsanders at techfak.uni-bielefeld.de> wrote:
> Hello,
>
> I would like to authenticate users of my NFSv4 server using
> Kerberos. The rpc.gssd -n option makes it possible to use Kerberos
> credentials other than machine (or host) credentials.
>
> Is there a way to tell NFSv4: Kerberos principal X may mount the
> directory Y using NFSv4. But Kerberos principal Z may not.
>
> TIA
>
> Jan Sanders

As of now, I do not know of a way.

We are working on changes to libnfs4idmap to use plugins. I think a
plugin could be written to do this. (Return a "rejected" return code
for a given principal name when trying to map it to local uid/gid.)
However, the interface currently doesn't get the export information,
so doing the check by export would require some extra work. I'm not
sure if the export information is even available for the upcall.

K.C.