On 27 Jun 2014, at 22:22, Nordgren, Bryce L -FS <[email protected]> wrote:
>> Would the idmap sss module we have on the list pending review help here?
>
> My read of the design page suggests that the plugin is 66% of a solution.
> There are three types of identities which need to be related:
>
> * local machine accounts/identities (meaningful to the filesystem)
> * security principals (Kerberos or pki)
> * NFSv4 identities (the [email protected] string NFS sends over the wire)
>
> I see the first two represented on the design, but not the last. I suspect
> that this means that the plugin regards security principals and NFSv4
> identities as the same thing, which may mean it won't work for multiple
> domains? Let me turn the question on its head: according to the OP, the NFS
> server and client are in Kerberos realm FREEIPA.EXAMPLE.ORG, and the user
> principals are from realm AD.EXAMPLE.ORG. Would your plugin work?

I haven't tested this scenario yet, but I assume it would as long as sssd was able to resolve [email protected] and there was a trust relationship between FREEIPA.EXAMPLE.ORG and AD.EXAMPLE.ORG. But again, this is something that needs more testing.

> What happens to your plugin if either the client or the server (but only one)
> moves to AD.EXAMPLE.ORG? Can the plugin consistently map security principals
> to NFS principals regardless of where it is running?
>
> I have a more basic confusion though: I can't tell from the design page
> whether rpc.idmapd is using sssd to get ids or vice versa…

Yes, rpc.idmapd is calling an sssd plugin to resolve identities.

> Bryce
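The three identity layers Bryce lists, and the "one side moves realm" question, can be modelled to show when a mapping stays consistent. This is an added example, not code from the thread or from the sssd idmap plugin; the directory, the NFSv4-domain-to-realm table and the user names are constructed stand-ins, and nothing here calls sssd or rpc.idmapd.

```python
"""Model of NFSv4 identity -> security principal -> local uid mapping.

Added example. DIRECTORY stands in for what sssd would resolve across a
trust; NFS4_DOMAIN_TO_REALM is constructed to show that the NFSv4 domain
on the wire and the Kerberos realm are separate things.
"""
from typing import Optional, Set

# Constructed: Kerberos principal -> POSIX uid. A trusting host must see
# the same uid for the same principal, or file ownership diverges.
DIRECTORY = {
    "alice@FREEIPA.EXAMPLE.ORG": 1001,
    "bob@AD.EXAMPLE.ORG": 50010,   # user from the trusted AD realm
}

# Constructed: NFSv4 domain (as sent by the client) -> Kerberos realm.
NFS4_DOMAIN_TO_REALM = {
    "example.org": "FREEIPA.EXAMPLE.ORG",
    "ad.example.org": "AD.EXAMPLE.ORG",
}


def nfs4_to_principal(nfs4_id: str) -> Optional[str]:
    """Turn the on-wire 'user@domain' string into a security principal."""
    if nfs4_id.count("@") != 1:
        return None  # malformed wire identity: never map it to a uid
    user, domain = nfs4_id.split("@")
    realm = NFS4_DOMAIN_TO_REALM.get(domain.lower())
    return f"{user}@{realm}" if realm else None


def principal_to_uid(principal: str, local_realm: str,
                     trusts: Set[str]) -> Optional[int]:
    """Resolve a principal to a uid only if its realm is local or trusted."""
    realm = principal.rsplit("@", 1)[1]
    if realm != local_realm and realm not in trusts:
        return None  # no trust relationship: refuse rather than guess
    return DIRECTORY.get(principal)


def map_nfs4_id(nfs4_id: str, local_realm: str,
                trusts: Set[str]) -> Optional[int]:
    """Full chain as rpc.idmapd would need it: wire string -> uid."""
    principal = nfs4_to_principal(nfs4_id)
    if principal is None:
        return None
    return principal_to_uid(principal, local_realm, trusts)
```

Because the mapping passes through the principal rather than the local realm, a client in FREEIPA.EXAMPLE.ORG and a server in AD.EXAMPLE.ORG resolve the same wire identity to the same uid as long as the trust exists; without the trust the lookup fails closed.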
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
