> On 25 Apr 2022, at 15:14, Alexander Bokovoy via FreeIPA-users
> <[email protected]> wrote:
>
> You need to instruct gssproxy to use a client keytab that contains
> user's keys.
>
> You have to use user's keys in that keytab because you need to make sure
> UID of the user has the same mapping between what the client runs and
> what NFS server uses. For users it is done more or less automatically.
> For services it is not because Kerberos services in IPA do not have
> POSIX identities.
>
> https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#keytab-based-client-initiation
> describes a general solution.

Thanks a lot for pointing this out. But what about this:
https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#user-impersonation-via-constrained-delegation ?

Do I get it correctly that with user delegation the user keytab or a valid user credential isn't necessary? Will the user be able to access a mounted share without a ticket when user delegation is used?

Best,
Francis
