NFS4 w/Kerberos does not map Groups properly (?)
Kevin Coffman
kwc at citi.umich.edu
Thu Dec 13 08:46:35 EST 2007
On Dec 13, 2007 8:04 AM, Jan Sanders <jsanders at techfak.uni-bielefeld.de> wrote:
> Hi,
>
> I run GNU/Debian Linux "Lenny", which has nfs-utils 1.1
>
> My testuser is nfstest, who is known on the server machine as well as on
> the client machine (both use YP). On both machines nfstest has the same
> UID. Also the group the nfstest user is a part of is known on the server
> machine and on the client machine. He is only a member of one group. The
> groupname and GID are the same on the server and on the client.
>
> If now I use Kerberos to authenticate I can take any user on the client
> machine and get access to nfstest files on the server machine, as long
> as I have the nfstest at KERBEROS.REALM ticket.
>
> An ls shows the files that should are belonging to the user nfstest but
> unfortunately they belong to group nobody.
> I believe that group access should be governed by the server, as the
> server knows which groups the user belongs to.
>
> Am I missing something?
>
> cheers
>
> Jan Sanders

When using Kerberos, the authenticated principal name,
"nfstest at KERBEROS.REALM", must be mapped on the server to a local
user. When using the default nsswitch mapping, the @KERBEROS.REALM
should be stripped and nfstest should be mapped the same as w/o
Kerberos.

What does your /etc/idmap.conf look like?

If you are using nsswitch, what does /etc/nsswitch.conf look like?

Can you get output from running svcgssd with "-vv" when the user's
context is created with the server?

K.C.
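
The mapping described in the reply above, as an added example that is not part of the original thread and is not the idmapd or svcgssd code: a simplified model that strips a local realm from the principal and resolves the user and primary group through NSS, so the step that produces "nobody" can be seen on each host. The function names, the HOST_A/HOST_B tables and the "nobody" fallback name are assumptions made for illustration.

```python
import grp
import pwd

NOBODY = "nobody"  # assumed fallback name, matching the group shown by ls in the report

def nss_user(name):
    """Resolve a user through NSS (files, YP, ...); returns (uid, gid) or None."""
    try:
        pw = pwd.getpwnam(name)
        return pw.pw_uid, pw.pw_gid
    except KeyError:
        return None

def nss_group(gid):
    """Resolve a GID to its group name through NSS; returns None if unnamed."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None

def map_principal(principal, local_realms, user_lookup=nss_user, group_lookup=nss_group):
    """Model the mapping: strip a local realm, then resolve user and primary group."""
    name, sep, realm = principal.rpartition("@")
    result = {"user": NOBODY, "group": NOBODY}
    if not sep or not name or realm not in local_realms:
        result["reason"] = "realm is not configured as local"
    elif (ids := user_lookup(name)) is None:
        result["reason"] = "user unknown to NSS on this host"
    else:
        uid, gid = ids
        group = group_lookup(gid)
        result.update(user=name, uid=uid, gid=gid, group=group or NOBODY)
        result["reason"] = "ok" if group else "primary GID has no group name"
    return result

# Constructed sample tables standing in for the YP maps of two hosts.
HOST_A = ({"nfstest": (1001, 500)}, {500: "staff"})
HOST_B = ({"nfstest": (1001, 500)}, {})  # group map missing on this host

def check(principal, realms, host):
    """Run the model against one host's constructed user and group tables."""
    users, groups = host
    return map_principal(principal, realms, users.get, groups.get)

if __name__ == "__main__":
    for label, host in (("host A", HOST_A), ("host B", HOST_B)):
        print(label, check("nfstest@KERBEROS.REALM", {"KERBEROS.REALM"}, host))
    # Against the real NSS databases of the machine this runs on:
    print("local", map_principal("root@KERBEROS.REALM", {"KERBEROS.REALM"}))
```

Calling `map_principal` without the lookup arguments on the server and on the client uses each machine's own NSS sources, which shows whether both resolve the same user and group names.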