Never became an RFC, but cites Simo's I-D on a Kerberos PAC.

I like the CITI approach better (also approach 2 of section 6 in the above 
I-D). I have no use for the groups defined in my active directory. Also, for 
the external collaboration case, my AD may not be accessible to an NFS server 
outside the firewall.

However, if (?) support for an NFSRemoteUser schema is lacking in FreeIPA, and 
if AD is accessible to both client and server, it seems that approach 3 of 
section 6 above would be the answer? Somehow configure idmap.conf (on NFS 
clients and servers) to directly query AD? Does that seem correct?


This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 
