2007-11-21 13:11:09

by Kevin Coffman

Subject: Re: [NFS] libnfsidmap

On Nov 21, 2007 6:32 AM, Harshula <[email protected]> wrote:
> On Thu, 2007-11-15 at 09:12 -0500, Kevin Coffman wrote:
> > On Nov 15, 2007 5:29 AM, Harshula <[email protected]> wrote:
>
> > > In practise, what are the "other cases" where a failed
> > > nfs4_gss_princ_to_ids() lookup needs to be mapped to 'nobody'?
> >
> > You have cross-realm Kerberos trusts set up. A user from a different
> > Kerberos realm comes to your server and you have no local mapping for
> > that user.
>
> Can the KDCs be set up to handle this case?

If you are asking if the KDC can be configured to not give such users
a ticket, the answer is no. It is up to the application (NFS in this
case) to enforce authorization; Kerberos only does authentication.
(This may be another case for a configuration option. See below.)

> > A new local user is created, but has not yet been placed in the mappings.
>
> This case should fail.

My opinion is that they have successfully authenticated, and should
not be denied all access because there is no mapping. This should
probably be a configurable option.

K.C.
