NFSv4 in cross domain environment
Markus Moeller
huaraz at moeller.plus.com
Wed Jan 9 09:46:53 EST 2008
"Kevin Coffman" <kwc at citi.umich.edu> wrote in message
news:4d569c330801040740i24652133p37e6b557a41a5c53 at mail.gmail.com...
> On Jan 4, 2008 10:36 AM, Kevin Coffman <kwc at citi.umich.edu> wrote:
>> On Jan 3, 2008 3:07 PM, Markus Moeller <huaraz at moeller.plus.com> wrote:
>> > "Kevin Coffman" <kwc at citi.umich.edu> wrote in message
>> > news:4d569c330801030914s10bd3a6axd02eb50170c3225d at mail.gmail.com...
>> >
>> > > On Jan 3, 2008 10:29 AM, Markus Moeller <huaraz at moeller.plus.com> wrote:
>> > >> Hi,
>> > >>
>> > >> I am new to nfsv4 and have a setup with two Kerberos domains which have
>> > >> full trust. Is it possible to mount directories cross domains?
>> > >>
>> > >> Thank you
>> > >> Markus
>> > >
>> > > Yes, it should work.
>> > > This -- http://www.citi.umich.edu/projects/nfsv4/crossrealm/ -- may
>> > > (or may not) be helpful.
>> >
>> > Is the nsswitch mapping standard on all platforms/linux distros ? I am
>> > using OpenSuSE 10.3.
>> >
>> > TBH I was hoping that my krb5.conf could do the mapping through
>> > auth_to_local.
>> >
>> > Thank you
>> > Markus
>>
>> nsswitch mapping in cross-realm environments is only safe if you know
>> that jones at REALM.A and jones at REALM.B are both user 'jones' locally.
>> That is why we did the umich_ldap mapping. I'll have to look further
>> into auth_to_local. That may be what Solaris uses, but I am not sure.
I think you can map jones at REALM.A to jones-a and jones at REALM.B to jones-b if
required.
>
> BTW, another reason we did the umich_ldap mapping is because
> auth_to_local is a Kerberos-only solution, not a generic gss solution.
But I would think this is a good solution for GSS/krb5, wouldn't it?
Markus
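
As an added illustration of the mapping discussed in this thread (not part of the original messages and not configuration from CITI or the NFSv4 project), here is a krb5.conf fragment in MIT Kerberos auth_to_local syntax that contrasts a realm-stripping rule with realm-qualified rules. It assumes the server's default realm is REALM.A; whether the NFSv4 ID mapper in use consults auth_to_local at all is not established in the thread.

```ini
# Added example; REALM.A / REALM.B and the -a / -b suffixes follow the thread.
# Assumption: this host's default realm is REALM.A, so the auth_to_local
# rules are read from the REALM.A block.
[libdefaults]
    default_realm = REALM.A

[realms]
    REALM.A = {
        # Unsafe in a cross-realm trust (shown commented out): this rule
        # drops the realm, so jones@REALM.A and jones@REALM.B both become
        # local user "jones", which is only correct if they are the same person.
        # auth_to_local = RULE:[1:$1]

        # Realm-qualified mapping: build "name@REALM" from the single-component
        # principal, match one realm only, then rewrite the realm to a suffix.
        # jones@REALM.A -> jones-a
        auth_to_local = RULE:[1:$1@$0](^.*@REALM\.A$)s/@REALM\.A$/-a/
        # jones@REALM.B -> jones-b
        auth_to_local = RULE:[1:$1@$0](^.*@REALM\.B$)s/@REALM\.B$/-b/

        # No DEFAULT rule is listed, so principals from any other realm,
        # and multi-component principals, get no local name from this block.
    }
```

The local accounts jones-a and jones-b must exist in the name service for the mapped names to resolve to a uid.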