On Aug 19, 2011, at 6:35 PM, paul.szabo@xxxxxxxxxxxxx wrote:

> Dear Andy,
>
>> Note that only AUTH_SYS sends GID and GID lists in the rpc_cred.
>> RPCSEC_GSS with Kerberos only sends the krb5 principal to the server.
>> The server looks up group membership via nsswitch - either /etc/groups
>> ...
>
> Can the server be set so as to ignore any AUTH_SYS sends, and accept
> RPCSEC_GSS only?

For now, yes. Use sec=krb5 and/or krb5i,krb5p export options without sec=sys.

>
>> idmapd only deals with groups when a SETATTR arrives with ACE who's that
>> are group names where it maps the groupname@domain to a gid, or a
>> GETATTR ACL request where it maps gid->groupname@domain
>
> Can the server be set so as to ignore any attempts from the client to
> set group memberships, but always set its own from /etc/group?

This is the only behavior the Linux server currently has with Kerberos - it always queries its local view of group membership.

Note that if the Windows Active Directory is used as a Kerberos KDC, it adds an authorization payload to the Kerberos ticket (a PAC) which contains a user's group memberships. There is an effort to add a similar payload to MIT KDC. The Linux server will eventually be able to use this information to avoid a local call to obtain group memberships.

-->Andy

>
> Thanks, Paul
>
> Paul Szabo psz@xxxxxxxxxxxxxxxxx http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
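An added audit script, not part of this thread, that applies Andy's advice: it reads /etc/exports-style lines and reports every client spec that would still accept AUTH_SYS, either because sec=sys is listed or because no sec= option is given (exportfs then defaults to sys). The sample export lines are constructed; the last one is the Kerberos-only form.

```shell
#!/bin/sh
# Constructed sample: line 1 still lists sys next to krb5p, line 2 has no
# sec= at all (defaults to sys), line 3 is Kerberos-only as Andy suggests.
SAMPLE_EXPORTS='/srv/home   10.0.0.0/24(rw,sec=sys:krb5p)
/srv/data   *(rw)
/srv/secure 10.0.0.0/24(rw,sec=krb5:krb5i:krb5p)'

# Return 0 (true) if an export option list accepts AUTH_SYS credentials:
# either "sys" appears in the colon-separated sec= flavours, or there is
# no sec= option, in which case the server defaults to sec=sys.
allows_authsys() {
    opts=$1
    case ",$opts," in
        *,sec=*)
            sec=$(printf ',%s,' "$opts" | sed -n 's/.*,sec=\([^,]*\),.*/\1/p')
            case ":$sec:" in
                *:sys:*) return 0 ;;
                *)       return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# Read exports text on stdin; print "path client(options)" for every client
# spec that still permits AUTH_SYS. Comments and blank lines are ignored.
find_authsys_exports() {
    sed -e 's/#.*//' | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
        set -- $line            # $1 = export path, $2.. = client(options) specs
        path=$1; shift
        for spec in "$@"; do
            # option list is the text inside the first (...); empty if none
            opts=$(printf '%s' "$spec" | sed -n 's/.*(\([^)]*\)).*/\1/p')
            if allows_authsys "$opts"; then
                printf '%s %s\n' "$path" "$spec"
            fi
        done
    done
}

# Usage: ./check_exports.sh [/etc/exports]; with no argument, scan the sample.
if [ -n "$1" ]; then
    find_authsys_exports < "$1"
else
    printf '%s\n' "$SAMPLE_EXPORTS" | find_authsys_exports
fi
```

Run it against the real file after changing exports and re-running exportfs; an empty report means every client spec is Kerberos-only.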