[Freeipa-users] IPA+AD trust and NFS nobody issue
Jakub Hrozek
jhrozek at redhat.com
Fri Jun 27 07:42:32 UTC 2014
On Thu, Jun 26, 2014 at 06:42:37PM -0400, Simo Sorce wrote:
> On Thu, 2014-06-26 at 22:02 +0000, Nordgren, Bryce L -FS wrote:
> > > The reason is that rpcidmapd` does not parse fully-qualified usernames
> > > so"adtest at AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG" does not work.
> >
> > If someone can educate me as to why there are two @ signs in the above, I can fix the wiki page (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_1:_Kerberos_cross-realm_trusts)
> >
> > I know about individual cross-realm principals,
> >
> > adtest/AD.EXAMPLE.ORG at IPA.EXAMPLE.ORG
> >
> > And I know about cross-realm trust principals:
> >
> > krbtgt/AD.EXAMPLE.ORG at IPA.EXAMPLE.ORG
> >
> > But I was under the impression that if a user traversed a trust, their client principal name would still be adtest at AD.EXAMPLE.ORG . I am not aware of any circumstances which would produce a client principal with two "@" signs in it. Pls fix my ignorance.
>
> The second @ is not provided by kerberos, it is rpcimapd making false
> assumptions, it does a getpwuid and gets back adtest at ad.example.org as
> the username, to which it decides to slap on the local REALM name with
> an @ sign in between.
>
> I think this is something that may be handled with imapd.conf
> configuration.
>
> Simo.
Would the idmap sss module we have on the list pending review help here?
More information about the Freeipa-users
mailing list