On 08/03/2011 02:05 AM, Tom H wrote:
> NFSv4 works without Kerberos or LDAP/NIS/NIS+.

Of course it does, but can the permissions be exported per user by UID/GID mask, or are the exports still blanket ro/rw (which is the real point of this thread)? Further, can you escape from the nfs_mount_t context and give native SELinux contexts to the export on the client side with this setup? (That would be really cooking from one perspective, but also pretty insecure without authentication -- which is why I had always been under the impression that this was specifically forbidden.)

> The username and idmapd domain have to match (perhaps the UID too but
> I've never tried different UIDs as you suggest above and the
> description of idmapd does say that the ID is sent as
> username@domain).

That would be neat. Can you direct me to a sample idmapd configuration that achieves this: rpc.idmapd + hostname-declared domains that are common (does DNS need to be enabled for this?) + /etc/passwd and /etc/group files + NFSv4 UIDs and GIDs accurately mapped for permissions across exports (not just ro or blanket rw)?

It could fill in some holes, and perhaps I've just never been able to find the right way to make idmapd domains stick with SELinux enabled without using some form of authentication. Is sssd or nslcd or nscd required somewhere in there, or do these just satisfy Kerberos requirements?

If I can get a configuration like this working it would help the OP in the short run, and provide more insight for the tutorial I want to write.

-Iwao

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
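An added illustration of the idmapd behaviour the two posts above are discussing; it is not code from the thread, from Fedora or from nfs-utils. It models what libnfsidmap (used by rpc.idmapd and nfsidmap) does with NFSv4 owner strings: the server encodes a local UID as `name@domain`, the client strips the domain, checks it against its own configured domain and resolves the name through NSS, and anything it cannot map becomes the configured Nobody-User. Because the mapping is by name, the two hosts do not need the same UIDs, only the same names and the same domain. Per idmapd.conf(5) the Domain defaults to the host's DNS domain name, so setting `Domain` explicitly in `/etc/idmapd.conf` on both ends removes the dependence on DNS being right. The `idmapd.conf` fragments and passwd tables below are constructed for the example; the numeric fallback (a bare UID string when a name cannot be resolved, accepted as-is by a Linux client using sec=sys) is an assumption about kernel behaviour rather than something configured in idmapd.conf. Note also that with sec=sys this mapping only controls how ownership is displayed and which local UID a client-side access check uses; the server still authorises each request by the AUTH_SYS UID/GID in the RPC credential, so none of this is authentication.

```python
"""Model of NFSv4 owner-string mapping as done by libnfsidmap.

Added example for the thread above, not nfs-utils code. The
idmapd.conf fragments and passwd tables are constructed here; a dict
stands in for the getpwnam()/getpwuid() lookups a real host makes.
"""
import configparser

# Constructed /etc/idmapd.conf fragments. Section and key names are the
# documented ones: [General] Domain, [Mapping] Nobody-User/Nobody-Group,
# [Translation] Method, and [Static] for the static mapping method.
SERVER_IDMAPD_CONF = """\
[General]
Domain = example.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch
"""

CLIENT_IDMAPD_CONF = """\
[General]
Domain = example.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = static,nsswitch

[Static]
bob@example.com = robert
"""

# Constructed passwd tables (name -> uid). alice deliberately has a
# different UID on each host; bob exists on the client as "robert".
SERVER_PASSWD = {"root": 0, "nobody": 65534, "alice": 1000, "bob": 1001}
CLIENT_PASSWD = {"root": 0, "nobody": 65534, "alice": 2000, "robert": 2001}


def load_idmapd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def local_domain(cp):
    # Requiring an explicit Domain here mirrors the advice to set it on
    # both hosts instead of relying on the DNS-derived default.
    return cp.get("General", "Domain")


def uid_to_owner(uid, cp, passwd):
    """Server side: encode a local UID as the owner string put on the wire."""
    names = {u: n for n, u in passwd.items()}
    if uid in names:
        return f"{names[uid]}@{local_domain(cp)}"
    return str(uid)  # assumption: numeric fallback when no name exists


def owner_to_uid(owner, cp, passwd):
    """Client side: map a received owner string to a local UID."""
    nobody = passwd[cp.get("Mapping", "Nobody-User", fallback="nobody")]
    if owner.isdigit():
        return int(owner)  # assumption: bare UID accepted as-is with sec=sys
    methods = [m.strip() for m in
               cp.get("Translation", "Method", fallback="nsswitch").split(",")]
    name, at, domain = owner.partition("@")
    if not at:
        return nobody
    for method in methods:
        if method == "static" and cp.has_section("Static"):
            # static entries are keyed by the full user@domain string
            for key, local_name in cp.items("Static"):
                if key.lower() == owner.lower() and local_name in passwd:
                    return passwd[local_name]
        elif method == "nsswitch":
            # domain must match (compared case-insensitively, an assumption
            # of this model) and the bare name must resolve locally
            if domain.lower() == local_domain(cp).lower() and name in passwd:
                return passwd[name]
    return nobody


def demo():
    server = load_idmapd_conf(SERVER_IDMAPD_CONF)
    client = load_idmapd_conf(CLIENT_IDMAPD_CONF)
    wire_alice = uid_to_owner(1000, server, SERVER_PASSWD)
    wire_bob = uid_to_owner(1001, server, SERVER_PASSWD)
    wire_unknown = uid_to_owner(4242, server, SERVER_PASSWD)
    return {
        "alice_on_wire": wire_alice,
        "alice_on_client": owner_to_uid(wire_alice, client, CLIENT_PASSWD),
        "bob_on_client": owner_to_uid(wire_bob, client, CLIENT_PASSWD),
        "unknown_uid_on_client": owner_to_uid(wire_unknown, client, CLIENT_PASSWD),
        "foreign_domain_on_client": owner_to_uid("alice@other.org", client, CLIENT_PASSWD),
        "unknown_user_on_client": owner_to_uid("carol@example.com", client, CLIENT_PASSWD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two `nobody` results are the classic symptom of a domain mismatch or a name that exists on only one host: every file shows up owned by nobody even though the export is rw. The static entry shows how a name that differs between hosts can still be mapped without LDAP, and alice's 1000-to-2000 mapping is the "different UIDs" case the thread asks about.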