[Freeipa-users] IPA+AD trust and NFS nobody issue

[Nordgren, Bryce L -FS]

> The second @ is not provided by kerberos, it is rpcimapd making false
> assumptions, it does a getpwuid and gets back adtest at ad.example.org as
> the username, to which it decides to slap on the local REALM name with an @
> sign in between.
>
> I think this is something that may be handled with imapd.conf configuration.

Muchas gracias. This makes sense.

Found an old presentation on the topic [1]. Slide 15 is particularly relevant. Slide 4, however, taught me something I didn't know: NFS wants to deal with NFSv4 domain names (slide 3), which can be different than GSS principal names (Kerberos principals). There is only one NFS domain, but there can be multiple security realms and multiple DNS domains (slide 2).

The crux of this is on slide 14: "Need to add posixAccount with GSSAuthName for UID/GID mapping of remote user".  Is this another use case for views?

What I'm not quite clear on is the interaction between idmapd and ldap (slides 15,16,18). Does idmapd want to see this "NFSv4RemoteUser" schema on the LDAP server? Is this schema something that FreeIPA would have to support for NFS to work with cross-realm trusts? Or has the landscape changed since this 2005 presentation?

Bryce

[1] http://www.citi.umich.edu/projects/nfsv4/crossrealm/ASC_NFSv4_WKSHP_X_DOMAIN_N2ID.pdf




This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.