idmap translates user ids to nobody if gss/krb5 is used
Pedro Celestino dos Reis Rodrigues
reis at fc.ul.pt
Fri Mar 2 07:01:03 EST 2007
On Thursday, 1 March 2007 16:00, Kevin Coffman wrote:
> On 2/28/07, Pedro Celestino dos Reis Rodrigues <reis at fc.ul.pt> wrote:
> > Hello
> >
> > I am a newbie to kerberos, so my questions may be quite obvious.
> > I have a nfsv4 server working smoothly, with ldap for user
> > identification/authentication, since a few months and now I am trying to
> > add gss/krb5 authentication for the mounts.
> > After some search I managed to have the kerberos database running and the
> >
> > mount -t nfs4 -o sec=krb5 s1.liqc.pt:/ /mnt
> >
> > was successful.
> > The problem is that with -o sec=krb5 option, user ids are being mapped
> > to nobody.
> >
> > If mounted without -o sec=krb5 option, everything works fine
> >
> > Any suggestion is very welcome!
> >
> > The syslog output is
> >
> > Feb 28 11:43:42 s1 rpc.svcgssd[4516]: sname = reis/s1.liqc.pt at LIQC.PT
>
> You've made much progress!
>
> When using auth_sys, the name presented to the server would be
> "reis@<nfsv4.domain>". Which is probably mapped to user reis's UID in
> LDAP. When using auth_gss and Kerberos, the "authenticated name" is
> as shown above (name at REALM). See
> http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
> for information about how we currently map an "authenticated name", or
> GSSAuthName, to the appropriate UID.
>
Thank you very much for your help.
Now it is working ok. Using a user principal user at REALM instead of
user/machine at REALM does the trick.
Thanks again
Pedro
--
_____________________________________________________________
Pedro Celestino dos Reis Rodrigues
Departamento de Química e Bioquímica
Faculdade de Ciências da Universidade de Lisboa
Tel: 21750000-28619
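
The following check is an added example, not part of the original thread and not libnfsidmap code. It parses rpc.svcgssd "sname" syslog lines like the one quoted above and flags authenticated names that would not resolve to a local account, assuming a simplified mapping model (strip the realm, then look the remaining name up as a user); the function names, status strings and all sample lines except the first are constructed.

```python
import re

# "sname = ..." line written by rpc.svcgssd. Mail archives rewrite "@" as
# " at ", so both separators are accepted.
SNAME_RE = re.compile(
    r"rpc\.svcgssd\[\d+\]: sname = (?P<name>[^\s@]+)(?:@| at )(?P<realm>\S+)\s*$"
)

def parse_sname(line):
    """Return (primary, instance, realm) from an sname line, or None."""
    m = SNAME_RE.search(line)
    if not m:
        return None
    primary, _, instance = m.group("name").partition("/")
    return primary, instance or None, m.group("realm")

def check_principal(line, local_users, local_realm):
    """Classify one log line under the simplified model (an assumption):
    the realm is stripped and the rest is looked up as an account name."""
    parsed = parse_sname(line)
    if parsed is None:
        return "not-sname"
    primary, instance, realm = parsed
    if realm != local_realm:
        return "foreign-realm"
    if instance is not None:
        # "user/host" is not an account name, so the lookup misses -> nobody
        return "has-instance"
    return "maps" if primary in local_users else "unknown-user"

SAMPLE_LOG = [
    # first line is the one quoted in the thread; the rest are constructed
    "Feb 28 11:43:42 s1 rpc.svcgssd[4516]: sname = reis/s1.liqc.pt at LIQC.PT",
    "Mar  2 09:10:05 s1 rpc.svcgssd[4516]: sname = reis@LIQC.PT",
    "Mar  2 09:11:17 s1 rpc.svcgssd[4516]: sname = alice@OTHER.EXAMPLE",
    "Mar  2 09:12:40 s1 rpc.mountd[4490]: authenticated mount request",
]

def audit(lines, local_users, local_realm):
    """Return (status, line) pairs for every sname line in the input."""
    results = [(check_principal(l, local_users, local_realm), l) for l in lines]
    return [(s, l) for s, l in results if s != "not-sname"]

if __name__ == "__main__":
    for status, line in audit(SAMPLE_LOG, {"reis"}, "LIQC.PT"):
        print(f"{status:14} {line}")
```
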