On 12/01/2017 09:52 AM, Simo Sorce via FreeIPA-users wrote:
gssproxy does not use libidmapd because it is not thread safe (among
other issues), it is also not needed, because you can control mapping
in auth_to_local in krb5.conf and that place is the correct place to
deal with identity mapping when kerberos is involved.



Not sure if I'm doing this right, but that doesn't work for me, either:

[realms]
  EXAMPLE.NET = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    auth_to_local = RULE:[2:$1](daemon)s/^.*$/daemon/
    auto_to_local = DEFAULT
  }


Client's default principal is daemon/application-2017111901.example....@example.net
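
Added example, not part of the original message and not code from gssproxy or MIT krb5: a simplified Python model of how `auth_to_local` values are evaluated, run over the two mapping lines of the stanza above. The principal `daemon/host.example.net@EXAMPLE.NET` and the function names are constructed for illustration, and matching uses Python's `re` as a stand-in for POSIX regex.

```python
import re

# Constructed copy of the two mapping lines from the stanza quoted above.
STANZA = """\
    auth_to_local = RULE:[2:$1](daemon)s/^.*$/daemon/
    auto_to_local = DEFAULT
"""
# Simplified grammar: RULE:[n:string](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def load_rules(stanza):
    """Split relations into auth_to_local values and keys that are not rules."""
    rules, ignored = [], []
    for line in stanza.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "auth_to_local":
            rules.append(value)
        elif key:
            ignored.append(key)
    return rules, ignored

def map_principal(principal, rules, default_realm):
    """Return the local name from the first applicable rule, else None."""
    name, _, realm = principal.rpartition("@")
    fields = [realm] + name.split("/")        # $0 = realm, $1.. = components
    for rule in rules:
        if rule == "DEFAULT":                 # one component, default realm only
            if len(fields) == 2 and realm == default_realm:
                return fields[1]
            continue
        m = RULE_RE.match(rule)
        if not m or int(m.group(1)) != len(fields) - 1:
            continue                          # component count must equal n
        _, fmt, regexp, pat, repl, glob = m.groups()
        padded = fields + [""] * 10           # unknown $n expands to nothing
        selected = re.sub(r"\$(\d)", lambda d: padded[int(d.group(1))], fmt)
        if regexp is not None and not re.fullmatch(regexp, selected):
            continue                          # regexp must match the whole string
        if pat is not None:
            selected = re.sub(pat, repl, selected, count=0 if glob else 1)
        return selected
    return None

if __name__ == "__main__":
    rules, ignored = load_rules(STANZA)
    print("rules:", rules, "ignored keys:", ignored)
    print(map_principal("daemon/host.example.net@EXAMPLE.NET", rules, "EXAMPLE.NET"))
```
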