[36038] in Kerberos


Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter

daemon@ATHENA.MIT.EDU (Will Fiveash)
Tue Apr 15 00:05:23 2014

Date: Mon, 14 Apr 2014 23:05:00 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Wang Shouhua <shouhuaw@gmail.com>
Message-ID: <20140415040500.GA8198@oracle.com>
Mail-Followup-To: Wang Shouhua <shouhuaw@gmail.com>, Kerberos@mit.edu
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CANzOW+J2FHqGN_jjkQvzXH4D8mantDZ2s6NYePD5W1mOia9U2g@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Sat, Apr 12, 2014 at 11:24:28AM +0200, Wang Shouhua wrote:
> Let's recap:
> 
> 1. Requirements:
> - Linux or Solaris
> - NFS automounter set up at /net
> - Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
> - An NFS server (version 4 only) nfsserver.most.gov.cn exists in the
> realm MOST.GOV.CN, with a subdir of test3
> 
> 2. Goal:
> A user provides his password to obtain a ticket for user2@MOST.GOV.CN
> (optionally nfs@MOST.GOV.CN, if this is a requirement to do a mount),
> and is then able to cd into /net/nfsserver.most.gov.cn/test3, and do a
> successful ls -al there
> 
> Is that possible?

I don't think so.  If the NFS client is only configured for realm
EXAMPLE2.COM, how will a user get an NFS service ticket for the
MOST.GOV.CN realm?  The NFS client will need to be configured for
crossrealm operation in order for a user to get that service ticket once
the user has their krb TGT credential for EXAMPLE2.COM.

Second, how is the NFS server in MOST.GOV.CN going to map a principal in
EXAMPLE2.COM to a local user ID?  This will require some form of
'auth_to_local*' mapping configuration on the NFS server side in
/etc/krb5/krb5.conf.

You may want to ask for more info on this on the Oracle OTN discussion
forums, read the Solaris 10 online documentation or check with your
Oracle support person.

-- 
Will Fiveash
Oracle Solaris Software Engineer
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
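
The two pieces of configuration the reply above calls for, sketched as an added example that is not part of the original message or of any Oracle or MIT documentation. The KDC host names and the principal user2@EXAMPLE2.COM are assumptions chosen for illustration; the syntax is MIT-style krb5.conf.

```ini
# Constructed example. KDC host names and user2@EXAMPLE2.COM are assumed values.

# ---- File 1: NFS client, /etc/krb5/krb5.conf (default realm EXAMPLE2.COM) ----
[libdefaults]
    default_realm = EXAMPLE2.COM

[realms]
    EXAMPLE2.COM = {
        kdc = kdc.example2.com
    }
    # The client must be able to reach the foreign realm's KDC to turn the
    # cross-realm TGT into an nfs/nfsserver.most.gov.cn service ticket.
    MOST.GOV.CN = {
        kdc = kdc.most.gov.cn
    }

[domain_realm]
    # Without this mapping the client looks for the nfs service principal
    # in its own default realm and the mount fails.
    .most.gov.cn = MOST.GOV.CN

# Cross-realm also needs a shared key: the principal
# krbtgt/MOST.GOV.CN@EXAMPLE2.COM must exist in both KDC databases
# with the same key and enctypes. That is KDC administration, not krb5.conf.

# ---- File 2: NFS server, /etc/krb5/krb5.conf (default realm MOST.GOV.CN) ----
[libdefaults]
    default_realm = MOST.GOV.CN

[realms]
    MOST.GOV.CN = {
        kdc = kdc.most.gov.cn
        # Map exactly one foreign principal to the local account "user2".
        # [1:$1@$0] builds "name@REALM" for single-component principals,
        # the regexp selects it, and the sed expression strips the realm.
        auth_to_local = RULE:[1:$1@$0](user2@EXAMPLE2\.COM)s/@.*//
        # Principals from the server's own realm keep the default mapping.
        auth_to_local = DEFAULT
    }
    # Caveat: a wildcard such as (.*@EXAMPLE2\.COM) maps every principal in
    # the foreign realm, including one named "root", onto the same-named
    # local account. List trusted principals explicitly instead.
```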
