On 03/01/07, Nicolas Williams wrote:
> On Thu, Mar 01, 2007 at 09:54:22AM -0700, Machin, Glenn D wrote:
> >
> > The default NFS domain for our servers is sandia.nfs.domain with a
> > kerberos realm of sandia.gov. However we have users whose kerberos
> > principals will be in a different realm, and we would like to map them
> > to the NFS domain associated with their kerberos realm.
> >
> > Is there any way to do this on Solaris? It appears that all users will
> > be in a single NFS domain.
>
> See: gsscred(1M), gsscred.conf(4), krb5_auth_rules(5) and krb5.conf(4)
> (specifically the auth_to_local* parameters)
>
> Basically, you have to map client principals to Unix accounts. These
> mappings can be done with per-mapping entries via the gsscred facility,
> or with rules via krb5.conf auth_to_local* parameters.
I think what Glenn wants to do is let a client in realm A and NFS mapid domain A access a server in realm B and NFS mapid domain B. Using gsscred or the krb5.conf auth_to_local parameter probably doesn't solve this problem because they only help with server-side principal-to-Unix-account mapping. From my understanding, the issue is that when the server sends files back to the client, the client won't be able to get the correct file owner and owner_group (the nobody issue) because client and server have different NFS mapid domains. This can't be resolved by a method like "mapping Kerberos principal name to NFS Domain", which Glenn is looking for, because Kerberos principal names are not used in owner and owner_group strings. I think currently NFS client and server have to be in the same NFS mapid domain to communicate properly. Maybe it would be useful if nfsmapid could support cross-domain mapping?

--
Regards,
Raymond
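As an added illustration of the auth_to_local approach Nicolas points to (not from the thread), this is a krb5.conf fragment that maps principals from a second realm onto local Unix accounts on the NFS server. The realm name OTHER.EXAMPLE and the KDC hostname are placeholders, and the rule syntax is assumed to follow krb5_auth_rules(5); note that, as Raymond says, this only affects principal-to-account mapping and does nothing about the owner/owner_group strings nfsmapid builds from the NFSv4 mapid domain.

```ini
[libdefaults]
        default_realm = SANDIA.GOV

[realms]
        SANDIA.GOV = {
                kdc = kdc.sandia.placeholder

                ; Assumed rule syntax: RULE:[n:format](regexp)s/pattern/replacement/
                ; Map jdoe@OTHER.EXAMPLE (placeholder realm) to the local account "jdoe".
                ; The regexp restricts the rule to one trusted foreign realm so that a
                ; principal from any other realm is not silently mapped to a local user.
                auth_to_local = RULE:[1:$1@$0](^.*@OTHER\.EXAMPLE$)s/@OTHER\.EXAMPLE$//

                ; Fall through: principals in the local realm map to the account named
                ; after their first component (jdoe@SANDIA.GOV -> jdoe).
                auth_to_local = DEFAULT
        }
```

The NFSv4 mapid domain is configured separately (on Solaris 10 via NFSMAPID_DOMAIN in /etc/default/nfs, see nfsmapid(1M)), so client and server still need to agree on that domain for owner strings to resolve to anything other than nobody.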