idmap translates user ids to nobody if gss/krb5 is used

Kevin Coffman kwc at citi.umich.edu
Thu Mar 1 11:00:30 EST 2007


On 2/28/07, Pedro Celestino dos Reis Rodrigues <reis at fc.ul.pt> wrote:
> Hello
>
> I am a newbie to kerberos, so my questions may be quite obvious.
> I have a nfsv4 server working smoothly, with ldap for user
> identification/authentication, since a few months and now I am trying to add
> gss/krb5 authentication for the mounts.
> After some search I managed to have the kerberos database running and the
>
> mount -t nfs4 -o sec=krb5 s1.liqc.pt:/ /mnt
>
> was successful.
> The problem is that with  -o sec=krb5 option, user ids are being mapped to
> nobody.
>
> If mounted without -o sec=krb5 option, everything works fine
>
> Any suggestion is very welcome!
>
> The syslog output is
>
> Feb 28 11:43:42 s1 rpc.svcgssd[4516]: sname = reis/s1.liqc.pt at LIQC.PT

You've made much progress!

When using auth_sys, the name presented to the server would be
"reis@<nfsv4.domain>".  Which is probably mapped to user reis's UID in
LDAP.  When using auth_gss and Kerberos, the "authenticated name" is
as shown above (name at REALM).  See
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
for information about how we currently map an "authenticated name", or
GSSAuthName, to the appropriate UID.


> Another, presumably dumb question.
>
> From everything I have read it seems that it is necessary to have a kerberos
> principal for every user that accesses the nfs share if gss/krb5 is being
> used. This is confusing me because it implies two, apparently redundant, user
> databases since I am using ldap.
> Is this true, or can a single user database be used?

Well, they are two separate databases, but not necessarily redundant.

Kerberos is used for Authentication and its DB is tailored to that
function.  An LDAP accessible database usually has other information.
Microsoft's Active Directory combines the two (and more).  MIT's 1.6
release of Kerberos allows the Kerberos database information to be
housed in a LDAP database.  So if you want to combine them, it is
possible.  (I think Heimdal has had this option for a while.)

I think there are differing opinions on whether the convenience is worth it.

K.C.
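An added illustration that is not part of the reply above and not libnfsidmap's own code: a simplified model of the mapping K.C. describes, run on the principal from the syslog line to show why it falls through to nobody and how an explicit per-principal entry would repair it. The local-realm set, the static-mapping table and the passwd table are constructed assumptions; a real server reads these from its idmap configuration and NSS.

```python
# Simplified model of GSS authenticated-name -> UID mapping on an NFSv4 server.
# This is illustrative code, not libnfsidmap; the realm list, static map and
# passwd table below are constructed for the example.

NOBODY_UID = 65534


def split_principal(gss_name):
    """Split 'primary[/instance]@REALM' into (primary, instance, realm)."""
    name, sep, realm = gss_name.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("not a Kerberos principal: %r" % gss_name)
    primary, _, instance = name.partition("/")
    return primary, instance, realm


def gss_name_to_uid(gss_name, local_realms, static_map, passwd):
    """Return the UID to use for an incoming GSS authenticated name.

    Order of checks (a simplified version of "static entries first, then
    realm stripping, then a passwd lookup"):
      1. an explicit static entry for the full principal wins,
      2. principals from a realm not in local_realms are never local users,
      3. a principal with an instance (reis/host) is not a plain user name,
      4. the remaining primary must exist in passwd.
    Anything that fails these checks maps to nobody.
    """
    if gss_name in static_map:
        return passwd.get(static_map[gss_name], NOBODY_UID)
    primary, instance, realm = split_principal(gss_name)
    if realm not in local_realms or instance:
        return NOBODY_UID
    return passwd.get(primary, NOBODY_UID)


# Constructed sample data modelled on the thread (not real site data)
LOCAL_REALMS = {"LIQC.PT"}
PASSWD = {"reis": 1001, "nobody": NOBODY_UID}

if __name__ == "__main__":
    # the principal from the syslog line: instance present -> nobody
    print(gss_name_to_uid("reis/s1.liqc.pt@LIQC.PT", LOCAL_REALMS, {}, PASSWD))
    # a plain user principal in the local realm -> reis's UID
    print(gss_name_to_uid("reis@LIQC.PT", LOCAL_REALMS, {}, PASSWD))
    # an explicit static entry maps the instance principal to the local user
    fix = {"reis/s1.liqc.pt@LIQC.PT": "reis"}
    print(gss_name_to_uid("reis/s1.liqc.pt@LIQC.PT", LOCAL_REALMS, fix, PASSWD))
```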