[osol-discuss] Re: Mapping Kerberos principal name to NFS Domain

Glenn Machin gmachin at sandia.gov
Thu Mar 1 10:17:33 PST 2007


> Glenn Machin wrote:
> > The default NFS domain for our servers is sandia.nfs.domain with a kerberos realm of sandia.gov. However we have users whose kerberos principals will be in a different realm, and we would like to map them to the NFS domain associated with their kerberos realm.
> >
> > Is there any way to do this on Solaris?  It appears that all users will be in a single NFS domain.
>
> Do you really mean NFSMAPID_DOMAIN is set to sandia.nfs.domain rather than matching the DNS domain ?  Or do you mean the NIS domain is sandia.nfs.domain ?
>
> If so why did you set the NFS domain to be something that doesn't match the default DNS domain ?
>
> 

I used representative names for the NFS domain and Kerberos realm.  The reason being that neither one necessarily has to match up with the DNS domain.

What I want to do is map kerberos principal to account and account to NFS4 domain.  With Linux (reference model at CITI) there is the idmapd which can use LDAP and 2 attributes GSSauthname to map Kerberos principal to account and NFSv4name which maps account to NFS domain name.   

> Are you using Kerberos for NFS authentication ?
Yes

> See nfsmapid(1M).
I did but it appeared to map all accounts to a single NFS4 domain. I could not say gmachin is NFS4domain-name: gmachin at sandia.gov and jsmith is NFS4domain-name: johnsmith at llnl.gov

>
> I seem to remember there being an API (maybe not publicly documented) for building custom mapping daemons.  The best place to find out more about this would be in the NFS community of OpenSolaris.

Thanks, I posted this message there as well.  I'm a newbie to this list and did not see the nfs discussion list until after I posted this.
 
 
This message posted from opensolaris.org
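
The two-step mapping asked about in this message (Kerberos principal to account, then account to NFSv4 name), next to a single-domain mapping, as an added Python example that is not from the thread, from the CITI idmapd or from Solaris nfsmapid. The directory entries, the `alee` account, the principal strings and all function names are constructed for illustration; unmatched or ambiguous identities fall back to `nobody`.

```python
# Constructed directory entries standing in for LDAP records. Attribute names
# follow the post (GSSauthname, NFSv4name); every value here is illustrative.
DIRECTORY = [
    {"uid": "gmachin", "GSSauthname": ["gmachin@sandia.gov"],
     "NFSv4name": "gmachin@sandia.gov"},
    {"uid": "jsmith", "GSSauthname": ["johnsmith@llnl.gov"],
     "NFSv4name": "johnsmith@llnl.gov"},
    {"uid": "alee", "GSSauthname": ["alee@sandia.gov"]},  # no NFSv4name set
]
DEFAULT_DOMAIN = "sandia.nfs.domain"
NOBODY = "nobody"


def principal_to_account(principal, directory=DIRECTORY):
    """Step 1: Kerberos principal -> local account, matched on GSSauthname."""
    hits = [e["uid"] for e in directory if principal in e.get("GSSauthname", [])]
    # No match or an ambiguous match maps to the unprivileged account.
    return hits[0] if len(hits) == 1 else NOBODY


def account_to_nfs4_name(uid, directory=DIRECTORY):
    """Step 2: local account -> NFSv4 name; default domain if none is set."""
    for e in directory:
        if e["uid"] == uid and e.get("NFSv4name"):
            return e["NFSv4name"]
    return f"{uid}@{DEFAULT_DOMAIN}"


def nfs4_name_to_account(name, directory=DIRECTORY):
    """Reverse lookup for an owner string received from the other side."""
    for e in directory:
        if e.get("NFSv4name") == name:
            return e["uid"]
    user, _, domain = name.rpartition("@")
    for e in directory:
        # user@default-domain is honoured only for accounts with no explicit
        # NFSv4name, so one account never answers to two names.
        if e["uid"] == user and domain == DEFAULT_DOMAIN and not e.get("NFSv4name"):
            return user
    return NOBODY


def single_domain_name(uid):
    """Single-domain mapping: every account gets the same NFS domain."""
    return f"{uid}@{DEFAULT_DOMAIN}"
```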


