On 27 Jun 2014, at 22:22, Nordgren, Bryce L -FS <bnordg...@fs.fed.us> wrote:
>> Would the idmap sss module we have on the list pending review help here?
> My read of the design page suggests that the plugin is 66% of a solution.
> There are three types of identities which need to be related:
> * local machine accounts/identities (meaningful to the filesystem)
> * security principals (Kerberos or pki)
> * NFSv4 identities (the u...@example.com string NFS sends over the wire)
> I see the first two represented on the design, but not the last. I suspect
> that this means that the plugin regards security principals and NFSv4
> identities as the same thing, which may mean it won't work for multiple
> domains? Let me turn the question on its head: according to the OP, the NFS
> server and client are in Kerberos realm FREEIPA.EXAMPLE.ORG, and the user
> principals are from realm AD.EXAMPLE.ORG. Would your plugin work?
I haven’t tested this scenario yet, but I assume it would as long as sssd was
able to resolve usern...@ad.example.org and there was a trust relationship
between FREEIPA.EXAMPLE.ORG and AD.EXAMPLE.ORG. But again, this is something
that needs more testing.
> What happens to your plugin if either the client or the server (but only one)
> moves to AD.EXAMPLE.ORG? Can the plugin consistently map security principals
> to NFS principals regardless of where it is running?
> I have a more basic confusion though: I can't tell from the design page
> whether rpc.idmapd is using sssd to get ids or vice versa…
Yes, rpc.idmapd is calling an sssd plugin to resolve identities.
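For readers following the thread: the plugin discussed above is selected in rpc.idmapd's configuration, not in sssd.conf. The fragment below is an added example, not configuration posted by either participant; it assumes the sss translation method as shipped in later sssd/nfs-utils releases (sssd-nfs-idmap) and uses the hypothetical realm names from the thread. The Domain value is what rpc.idmapd places after the "@" in the NFSv4 owner string on the wire, so client and server must agree on it regardless of which Kerberos realm each machine belongs to.

```ini
# /etc/idmapd.conf (example, not from the original thread)
[General]
# NFSv4 idmapping domain: the "@example.org" half of the owner string.
# Must be identical on the NFS client and server; defaults to the DNS
# domain of the host when unset, which diverges as soon as the two
# machines live in different realms (assumed scenario from the thread).
Domain = freeipa.example.org

[Translation]
# Hand "user@domain" <-> uid/gid lookups to the sssd plugin
# (libnfsidmap/sss.so); sssd in turn resolves users from the IPA
# domain and from AD.EXAMPLE.ORG through the trust.
Method = sss
```

After editing, restart rpc.idmapd and flush cached mappings (nfsidmap -c, from nfs-utils) before retesting, otherwise stale "nobody" mappings from the previous method will persist until they expire.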
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project