From: Harshula
Subject: Re: [NFS] libnfsidmap
Date: Fri, 23 Nov 2007 15:00:49 +1100
Message-ID: <1195790449.5730.12.camel@serendib.melbourne.sgi.com>
References: <1193136846.5620.504.camel@serendib.melbourne.sgi.com> <1195024312.19850.130.camel@serendib.melbourne.sgi.com> <4d569c330711140659q2ba19b03n481c3360a9373991@mail.gmail.com> <1195122558.19850.146.camel@serendib.melbourne.sgi.com> <4d569c330711150612n57d4f4deud19532569b2214d8@mail.gmail.com> <1195644766.19850.252.camel@serendib.melbourne.sgi.com> <4d569c330711210511x3f06562cp1a5886eaeaaea953@mail.gmail.com>
To: Kevin Coffman
Cc: nfs@lists.sourceforge.net

Hi Kevin,

On Wed, 2007-11-21 at 08:11 -0500, Kevin Coffman wrote:
> On Nov 21, 2007 6:32 AM, Harshula wrote:
> > On Thu, 2007-11-15 at 09:12 -0500, Kevin Coffman wrote:
> > > You have cross-realm Kerberos trusts set up. A user from a different
> > > Kerberos realm comes to your server and you have no local mapping for
> > > that user.
> >
> > Can the KDCs be set up to handle this case?
>
> If you are asking if the KDC can be configured to not give such users
> a ticket, the answer is no.

No, I was referring to cross-realm authentication:
http://www.faqs.org/faqs/kerberos-faq/general/section-18.html

> > > A new local user is created, but has not yet been placed in the mappings.
> >
> > This case should fail.
>
> My opinion is that they have successfully authenticated, and should
> not be denied all access because there is no mapping. This should
> probably be a configurable option.

If it is going to be configurable, I hope the default will be the 'secure'
option of disallowing users without mappings. If a new local user is created
and there is no mapping, then it's either a misconfiguration or intentional.
We should not be catering for the misconfiguration.

cya,
#