> Would the idmap sss module we have on the list pending review help here?

My read of the design page suggests that the plugin is 66% of a solution. There 
are three types of identities which need to be related:

* local machine accounts/identities (meaningful to the filesystem)
* security principals (Kerberos or pki)
* NFSv4 identities (the u...@example.com string NFS sends over the wire)

I see the first two represented on the design, but not the last. I suspect that 
this means that the plugin regards security principals and NFSv4 identities as 
the same thing, which may mean it won't work for multiple domains?  Let me turn 
the question on its head: according to the OP, the NFS server and client is in 
Kerberos realm FREEIPA.EXAMPLE.ORG, and the user principals are from realm 
AD.EXAMPLE.ORG. Would your plugin work? What happens to your plugin if either 
the client or the server (but only one) moves to AD.EXAMPLE.ORG? Can the plugin 
consistently map security principals to NFS principals regardless of where it 
is running?

I have a more basic confusion though: I can't tell from the design page whether 
rpc.idmapd is using sssd to get ids or vice versa...


This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to