2007-11-23 04:00:58

by Harshula

Subject: Re: [NFS] libnfsidmap

Hi Kevin,

On Wed, 2007-11-21 at 08:11 -0500, Kevin Coffman wrote:
> On Nov 21, 2007 6:32 AM, Harshula <[email protected]> wrote:
> > On Thu, 2007-11-15 at 09:12 -0500, Kevin Coffman wrote:

> > > You have cross-realm Kerberos trusts set up. A user from a different
> > > Kerberos realm comes to your server and you have no local mapping for
> > > that user.
> >
> > Can the KDCs be set up to handle this case?
>
> If you are asking if the KDC can be configured to not give such users
> a ticket, the answer is no.

No, I was referring to cross-realm authentication:
http://www.faqs.org/faqs/kerberos-faq/general/section-18.html

> > > A new local user is created, but has not yet been placed in the mappings.
> >
> > This case should fail.
>
> My opinion is that they have successfully authenticated, and should
> not be denied all access because there is no mapping. This should
> probably be a configurable option.

If it is going to be configurable, I hope the default will be the
'secure' option of disallowing users without mappings. If a new local
user is created and there is no mapping, then it's either a
misconfiguration or intentional. We should not be catering for the
misconfiguration.

cya,
#

