[Freeipa-users] IPA+AD trust and NFS nobody issue

Simo Sorce simo@redhat.com
Fri Jun 27 13:41:19 UTC 2014


On Thu, 2014-06-26 at 23:21 +0000, Nordgren, Bryce L -FS wrote:
> > The second @ is not provided by Kerberos; it is rpc.idmapd making false
> > assumptions. It does a getpwuid and gets back adtest@ad.example.org as
> > the username, to which it decides to slap on the local REALM name with an @
> > sign in between.
> >
> > I think this is something that may be handled with idmapd.conf configuration.
> 
> Muchas gracias. This makes sense.
> 
> Found an old presentation on the topic [1]. Slide 15 is particularly
> relevant. Slide 4, however, taught me something I didn't know: NFS
> wants to deal with NFSv4 domain names (slide 3), which can be
> different than GSS principal names (Kerberos principals). There is
> only one NFS domain, but there can be multiple security realms and
> multiple DNS domains (slide 2).
> 
> The crux of this is on slide 14: "Need to add posixAccount with
> GSSAuthName for UID/GID mapping of remote user".  Is this another use
> case for views?

Yes, it *may* be.

> What I'm not quite clear on is the interaction between idmapd and ldap
> (slides 15,16,18). Does idmapd want to see this "NFSv4RemoteUser"
> schema on the LDAP server? Is this schema something that FreeIPA would
> have to support for NFS to work with cross-realm trusts? Or has the
> landscape changed since this 2005 presentation?

The landscape has changed and evolved, and I never really saw adoption
of this CITI proposal myself. It may have happened somewhere I guess,
but I do not think it is prevalent.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
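As an added illustration (not code from this thread or from nfs-utils), a small Python model of the owner-string round trip Simo describes: the nfs4 domain, the passwd entries and the nobody uid are constructed assumptions, and the split-at-the-first-@ parsing is a simplification of what rpc.idmapd does.

```python
"""Simplified model of the NFSv4 owner-string round trip discussed above.

Constructed assumptions (not data from the thread):
- the nfs4 domain configured in idmapd.conf ([General] Domain) is example.org
- getpwuid() already returns the fully qualified name 'adtest@ad.example.org'
  for the trusted-domain user, as the thread says it does.
"""

# Constructed passwd entries: uid -> name as getpwuid() would return it.
PASSWD = {
    1000: "alice",                     # local user
    1000001: "adtest@ad.example.org",  # user from the trusted AD domain
}
NAME_TO_UID = {name: uid for uid, name in PASSWD.items()}

NFS4_DOMAIN = "example.org"  # assumed idmapd.conf [General] Domain
NOBODY_UID = 65534           # assumed [Mapping] Nobody-User (nobody)


def uid_to_owner(uid: int) -> str:
    """Server side: build the NFSv4 owner string 'user@domain'.

    Models the behaviour described in the thread: the name from getpwuid()
    is used as-is and the nfs4 domain is appended, so a name that is already
    qualified ends up with two '@' signs.
    """
    return f"{PASSWD[uid]}@{NFS4_DOMAIN}"


def owner_to_uid(owner: str) -> int:
    """Client side: map 'user@domain' back to a uid, else the nobody uid.

    Simplified parsing: split at the first '@' and require the remainder to
    match the configured nfs4 domain (case-insensitively).
    """
    user, _, domain = owner.partition("@")
    if domain.lower() != NFS4_DOMAIN.lower():
        return NOBODY_UID
    return NAME_TO_UID.get(user, NOBODY_UID)


def roundtrip(uid: int) -> int:
    """uid -> owner string -> uid, as seen across an NFSv4 mount."""
    return owner_to_uid(uid_to_owner(uid))


def suspicious_owners(owners):
    """Detection helper: owner strings with more than one '@' are the
    double-qualified names that will map to nobody on the client."""
    return [o for o in owners if o.count("@") > 1]
```

Running `roundtrip(1000001)` reproduces the symptom from the subject line: the trusted-domain user comes back as the nobody uid, while the local user round-trips cleanly.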
