Also: http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04
Never became an RFC, but cites Simo's I-D on a Kerberos PAC. I like the CITI approach better (also approach 2 of section 6 in the above I-D). I have no use for the groups defined in my active directory. Also, for the external collaboration case, my AD may not be accessible to an NFS server outside the firewall. However, if (?) support for an NFSRemoteUser schema is lacking in FreeIPA, and if AD is accessible to both client and server, it seems that approach 3 of section 6 above would be the answer? Somehow configure idmap.conf (on NFS clients and servers) to directly query AD? Does that seem correct? Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project