Dear Bruce,

>> Does that "work" also against the "evil remote root" e.g. when the
>> remote machine is compromised?
>
> ... Nothing you can do about that.

Thanks for the confirmation.

> ... if several people each have their own client ...

Not my situation.

>>> If you are using NFSv4 and kerberos then there already exist
>>> interfaces to do what you want. See "man idmap.conf". ...
>>
>> Sorry I do not use NFSv4 or kerberos, yet. ...
>
> Look for "static" in a recent version of the idmapd.conf man page.

Thanks for the hint. Still, [Static] seems to translate UIDs only, seems
to need umich_ldap and [UMICH_SCHEMA] for group memberships. Maybe idmapd
ignores group membership lists as received from the client and sets the
"local" list for each UID? - I guess I will need to investigate further
how NFSv4 and idmapd work and try to implement them on my network.

Thanks, Paul

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia