[Freeipa-users] IPA+AD trust and NFS nobody issue

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Fri Jun 27 20:22:29 UTC 2014


> Would the idmap sss module we have on the list pending review help here?

My read of the design page suggests that the plugin is 66% of a solution. There are three types of identities which need to be related:

* local machine accounts/identities (meaningful to the filesystem)
* security principals (Kerberos or PKI)
* NFSv4 identities (the user at example.com string NFS sends over the wire)

I see the first two represented on the design, but not the last. I suspect that this means that the plugin regards security principals and NFSv4 identities as the same thing, which may mean it won't work for multiple domains? Let me turn the question on its head: according to the OP, the NFS server and client are in Kerberos realm FREEIPA.EXAMPLE.ORG, and the user principals are from realm AD.EXAMPLE.ORG. Would your plugin work? What happens to your plugin if either the client or the server (but only one) moves to AD.EXAMPLE.ORG? Can the plugin consistently map security principals to NFS principals regardless of where it is running?

I have a more basic confusion though: I can't tell from the design page whether rpc.idmapd is using sssd to get ids or vice versa...

Bryce
