On Thu, 2014-06-26 at 23:21 +0000, Nordgren, Bryce L -FS wrote:

> > The second @ is not provided by Kerberos, it is rpc.idmapd making false
> > assumptions, it does a getpwuid and gets back adt...@ad.example.org as
> > the username, to which it decides to slap on the local REALM name with an @
> > sign in between.
> >
> > I think this is something that may be handled with idmapd.conf configuration.
>
> Muchas gracias. This makes sense.
>
> Found an old presentation on the topic . Slide 15 is particularly
> relevant. Slide 4, however, taught me something I didn't know: NFS
> wants to deal with NFSv4 domain names (slide 3), which can be
> different than GSS principal names (Kerberos principals). There is
> only one NFS domain, but there can be multiple security realms and
> multiple DNS domains (slide 2).
>
> The crux of this is on slide 14: "Need to add posixAccount with
> GSSAuthName for UID/GID mapping of remote user". Is this another use
> case for views?

Yes, it *may* be.

> What I'm not quite clear on is the interaction between idmapd and ldap
> (slides 15,16,18). Does idmapd want to see this "NFSv4RemoteUser"
> schema on the LDAP server? Is this schema something that FreeIPA would
> have to support for NFS to work with cross-realm trusts? Or has the
> landscape changed since this 2005 presentation?

The landscape has changed and evolved, and I never really saw adoption of
this CITI proposal myself. It may have happened somewhere I guess, but I do
not think it is prevalent.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
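As an added illustration of the failure mode discussed in this thread (this is not code from the thread, from nfs-utils or from FreeIPA), the following Python models the "double @" that Simo describes: an id mapper that takes whatever getpwuid() returned and appends "@" plus the local realm, without noticing that a trusted-domain user's passwd name is already qualified. It then shows how a defensive mapper should treat an NFSv4 owner string that does not have exactly one name@domain separator: refuse to guess and map it to the nobody identity, so an ambiguous string never resolves to some other account. The user name adt, the AD domain ad.example.org, the NFSv4 domain example.org and the realm EXAMPLE.ORG are constructed sample values, and the mapping functions are hypothetical models rather than rpc.idmapd's real code paths.

```python
"""Model of NFSv4 id mapping with an already-qualified passwd name.

Added example; not code from the mailing-list thread, nfs-utils or
FreeIPA. All names and domains below are constructed sample values.
"""

NOBODY = "nobody"


def naive_idmap(passwd_name: str, local_realm: str) -> str:
    """Model of the behaviour the thread describes (hypothetical):
    append '@' + the local realm to whatever getpwuid() returned,
    without checking whether the name already carries a domain.
    For a trusted-domain user this yields the double-@ string."""
    return f"{passwd_name}@{local_realm}"


def split_nfs4_owner(owner: str):
    """Split an NFSv4 owner string into (name, domain).

    Returns None when the string is not well-formed: it must contain
    exactly one '@' and both sides must be non-empty. A caller that gets
    None should fall back to the nobody identity rather than guess which
    '@' is the separator.
    """
    if owner.count("@") != 1:
        return None
    name, domain = owner.split("@")
    if not name or not domain:
        return None
    return name, domain


def map_owner_to_local_user(owner: str, nfs4_domain: str, known_users) -> str:
    """Map a wire owner string to a local account name (hypothetical mapper).

    Only owners in our own NFSv4 domain whose local part is a known
    account are mapped. Anything else, including the malformed double-@
    form, maps to NOBODY, so a parsing ambiguity never grants access as a
    different user. Domain comparison is case-insensitive, as DNS names are.
    """
    parts = split_nfs4_owner(owner)
    if parts is None:
        return NOBODY
    name, domain = parts
    if domain.lower() != nfs4_domain.lower():
        return NOBODY
    if name not in known_users:
        return NOBODY
    return name


if __name__ == "__main__":
    # Constructed sample: an AD-trust user as SSSD-style getpwuid() would
    # return it, plus the local realm the naive mapper appends.
    passwd_name = "adt@ad.example.org"
    wire = naive_idmap(passwd_name, "EXAMPLE.ORG")
    print("naive mapper produced:", wire)            # adt@ad.example.org@EXAMPLE.ORG
    print("parsed as:", split_nfs4_owner(wire))      # None (ambiguous)
    local_accounts = {"alice", passwd_name}
    print("maps to:", map_owner_to_local_user(wire, "example.org", local_accounts))  # nobody
    print("well-formed owner maps to:",
          map_owner_to_local_user("alice@example.org", "example.org", local_accounts))
```

The point of the defensive path is the one the thread circles around: a single NFSv4 domain has to be chosen for the wire representation, and the mapper must not let the presence of an extra "@" in the passwd name be misread as a second separator; the fallback to nobody is a failed mount or permission denial, which is visible and debuggable, rather than a silent wrong-user mapping.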