Hi

I have a personal IETF draft that deals with some of the NFSv4 cross realm issues. This is a good place to start.

http://datatracker.ietf.org/doc/draft-adamson-nfsv4-multi-domain-federated-fs-reqs/

On Wed, Jul 2, 2014 at 1:42 PM, Jaap Winius <jwinius@xxxxxxx> wrote:
> Hi folks,
>
> Recently I've been working on cross-realm support to give my own MIT
> Kerberos realm, UMRK.NL, access to the services of a realm that I manage.
> All systems involved run Debian wheezy. So far, SSH, OpenLDAP, OpenAFS
> and Dovecot IMAP are all working properly this way, but NFSv4 with
> sec=krb5i is not; I keep getting "Permission denied" when attempting to
> read or write to any file or directory that is not globally accessible.
>
> When the log output verbosity for rpc.gssd and rpc.svcgssd is increased
> about as far as it will go (-vvvvv), little is different when things go
> wrong, other than this one line produced by rpc.svcgssd on the server:
>
>     nss_gss_princ_to_ids: Local-Realm 'UMRK.NL': NOT FOUND
>
> However, even that seems a bit misleading, because the log output for
> rpc.idmapd (with Verbosity = 5) shows that the user and group IDs for my
> account are being identified properly.
>
> Should I prepare a bug report for this issue, or does cross-realm support
> for NFSv4 require something extra?

So you are supporting two Kerberos realms under one NFSv4 domain? You are using LDAP for id mapping?
Which version of nfs-utils and which client kernel? e.g.

    # rpm -qa | grep nfs-utils
    # uname -a

-->Andy

>
> Thanks,
>
> Jaap
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html