[Freeipa-users] IPA+AD trust and NFS nobody issue
Simo Sorce
simo at redhat.com
Thu Jun 26 22:42:37 UTC 2014
On Thu, 2014-06-26 at 22:02 +0000, Nordgren, Bryce L -FS wrote:
> > The reason is that rpcidmapd does not parse fully-qualified usernames
> > so "adtest@AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG" does not work.
>
> If someone can educate me as to why there are two @ signs in the above, I can fix the wiki page (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_1:_Kerberos_cross-realm_trusts)
>
> I know about individual cross-realm principals,
>
> adtest/AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG
>
> And I know about cross-realm trust principals:
>
> krbtgt/AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG
>
> But I was under the impression that if a user traversed a trust, their client principal name would still be adtest@AD.EXAMPLE.ORG. I am not aware of any circumstances which would produce a client principal with two "@" signs in it. Pls fix my ignorance.
The second @ is not provided by Kerberos, it is rpcidmapd making false
assumptions: it does a getpwuid and gets back adtest@ad.example.org as
the username, to which it decides to slap on the local REALM name with
an @ sign in between.
I think this is something that may be handled with idmapd.conf
configuration.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
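To make the mechanism Simo describes concrete, here is an added example (not from the thread and not the nfs-utils code) that models an idmapd-style nsswitch translation: it resolves a uid through a constructed passwd table, appends "@" plus the Domain from an idmapd.conf fragment, and flags owner strings that end up with two "@" signs. The config fragment, the passwd entries, the uid values and all function names are constructed for this example.

```python
import configparser
from typing import Dict, List

# Constructed idmapd.conf fragment for the example; the IPA side is the
# local domain that rpc.idmapd qualifies names with.
IDMAPD_CONF = """
[General]
Domain = ipa.example.org

[Translation]
Method = nsswitch
"""

# Constructed passwd table standing in for getpwuid(): a plain IPA user and
# an AD trust user whose nsswitch name is already fully qualified.
PASSWD: Dict[int, str] = {
    1001: "alice",
    1845200001: "adtest@ad.example.org",
}


def idmapd_domain(conf_text: str) -> str:
    """Return the [General] Domain value an idmapd would use for qualification."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("General", "Domain")


def uid_to_nfs4_owner(uid: int, domain: str, passwd: Dict[int, str] = PASSWD) -> str:
    """Model the path Simo describes: look the uid up via getpwuid, then append
    '@' + Domain without checking whether the name already carries a realm."""
    name = passwd.get(uid)
    if name is None:
        return "nobody"  # ids with no passwd entry fall back to nobody
    return f"{name}@{domain}"


def owner_is_double_qualified(owner: str) -> bool:
    """True when an NFSv4 owner string carries more than one '@'."""
    return owner.count("@") > 1


def find_double_qualified(conf_text: str, passwd: Dict[int, str] = PASSWD) -> List[int]:
    """Return the uids whose generated owner string the peer will not parse."""
    domain = idmapd_domain(conf_text)
    return sorted(
        uid for uid in passwd
        if owner_is_double_qualified(uid_to_nfs4_owner(uid, domain, passwd))
    )
```

Running `find_double_qualified(IDMAPD_CONF)` returns only the AD trust uid, which is exactly the name that becomes "adtest@ad.example.org@ipa.example.org" on the wire.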