[Freeipa-users] IPA+AD trust and NFS nobody issue

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Wed Jul 16 16:24:27 UTC 2014


> Hi Aron,
>
> the support case you referenced is linked to bugzilla
> https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked
> for RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks like the
> patch will be released in 6.6.

username@domain is coded in the NFS spec as an NFS id which goes over the wire. It's unclear what allowing two "@" signs means (which "@" separates username from domain, and which is part of one of these components?) While I'm sure this patch is trivial and I'm certain the patch works, it breaks interoperability with everything not running the patch (all non-Linux and any non RHEL/CentOS 6.6 Linux). This is probably acceptable in certain closed environments, but I can never use it here.

However, patching the idmapper so that if the username already contains an "@", it doesn't add another one should also be trivial and should also work. It has the added benefit of not trashing interoperability. Conceptually, it allows sssd to convey both username and domain with no extra overhead and upgrades the Linux nfs idmapper to handle living on a system which understands more than a flat namespace. To do it right, sssd always needs to supply the nfs idmapper usernames of the form "username@domain" regardless of the regex used to parse out those components at the login prompt.

I'd have put that on the bugzilla, but I can't get at it.

Bryce
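
A sketch of the rule proposed in the message above, added here as an example; it is not code from the message, from the NFS idmapper or from the Bugzilla patch. The function name, return codes and sample domains are hypothetical, and rejecting a name with more than one "@" is an assumption made for this example so that nothing ambiguous goes over the wire.

```c
#include <stdio.h>
#include <string.h>

/* Return codes (hypothetical names chosen for this example). */
enum { OWNER_OK = 0, OWNER_EINVAL = -1, OWNER_ERANGE = -2 };

/*
 * Build the NFSv4 wire owner string ("user@domain") for a local name.
 * If the name is already qualified it is passed through unchanged;
 * only a flat name gets "@default_domain" appended.
 */
int build_nfs4_owner(const char *name, const char *default_domain,
                     char *out, size_t outlen)
{
    const char *at;
    int n;

    if (!name || !default_domain || !out || outlen == 0)
        return OWNER_EINVAL;
    out[0] = '\0';

    at = strchr(name, '@');
    if (at != NULL) {
        /* Already qualified: exactly one '@', with text on both sides. */
        if (at == name || at[1] == '\0' || strchr(at + 1, '@') != NULL)
            return OWNER_EINVAL;
        n = snprintf(out, outlen, "%s", name);
    } else {
        if (name[0] == '\0' || default_domain[0] == '\0')
            return OWNER_EINVAL;
        n = snprintf(out, outlen, "%s@%s", name, default_domain);
    }
    /* snprintf returns the untruncated length; never emit a cut-off id. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return OWNER_ERANGE;
    }
    return OWNER_OK;
}

int main(void)
{
    /* Constructed sample names; the domains are placeholders. */
    const char *samples[] = { "alice", "bob@ad.example.com",
                              "bob@ad.example.com@ipa.example.com" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_nfs4_owner(samples[i], "ipa.example.com", buf, sizeof buf);
        printf("%-36s rc=%d \"%s\"\n", samples[i], rc, buf);
    }
    return 0;
}
```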



