On 27 Jun 2014, at 22:22, Nordgren, Bryce L -FS <bnordg...@fs.fed.us> wrote:

>> Would the idmap sss module we have on the list pending review help here?
> My read of the design page suggests that the plugin is 66% of a solution. 
> There are three types of identities which need to be related:
> * local machine accounts/identities (meaningful to the filesystem)
> * security principals (Kerberos or pki)
> * NFSv4 identities (the u...@example.com string NFS sends over the wire)
> I see the first two represented on the design, but not the last. I suspect 
> that this means that the plugin regards security principals and NFSv4 
> identities as the same thing, which may mean it won't work for multiple 
> domains?  Let me turn the question on its head: according to the OP, the NFS 
> server and client is in Kerberos realm FREEIPA.EXAMPLE.ORG, and the user 
> principals are from realm AD.EXAMPLE.ORG. Would your plugin work?

I haven’t tested this scenario yet, but I assume it would as long as sssd was 
able to resolve usern...@ad.example.org and there was a trust relationship 
between FREEIPA.EXAMPLE.ORG and AD.EXAMPLE.ORG. But again, this is something 
that needs more testing.

> What happens to your plugin if either the client or the server (but only one) 
> moves to AD.EXAMPLE.ORG? Can the plugin consistently map security principals 
> to NFS principals regardless of where it is running?
> I have a more basic confusion though: I can't tell from the design page 
> whether rpc.idmapd is using sssd to get ids or vice versa…

yes, rpc.idmapd is calling an sssd plugin to resolve identities. 

> Bryce
> This electronic message contains information generated by the USDA solely for 
> the intended recipients. Any unauthorized interception of this message or the 
> use or disclosure of the information it contains may violate the law and 
> subject the violator to civil or criminal penalties. If you believe you have 
> received this message in error, please notify the sender and delete the email 
> immediately.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to