Re: NFSv4 cross-realm support

On Mon, 07 Jul 2014 17:24:52 -0400, Andy Adamson wrote:

> I have never used the olcAuthzRegexp. Is this used to map potentially
> multiple principal@REALM names to the same UID name/number?

Correct. AFAIK MIT Kerberos doesn't issue tickets containing additional 
authorization data, so my site stores it in an OpenLDAP DIT. Moreover, 
when OpenLDAP is used as a backend for MIT Kerberos, it does a much 
better job at database synchronization than kprop. olcAuthzRegexp is a 
regular expression that maps GSSAPI-format user names to LDAP names. For 
example:

  olcAuthzRegexp: uid=([^,]+),cn=example.com,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=example,dc=com

This works great for same-realm authentication, mapping bob@xxxxxxxxxxx 
to the corresponding LDAP entry in ou=people where his account metadata 
is stored, containing UID, GID, shell and home directory information.

See http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php for 
a more complete explanation.

For a cross-realm situation, that regex can be modified to map accounts 
from another trusted realm to an account with the same name in the local 
realm. However, in a bit of a twist, a foreign account, bob@xxxxxxxxxxx, 
will start out with a slightly different GSSAPI format:

  uid=bob@xxxxxxxxxxx,cn=example.com,cn=gssapi,cn=auth

The aforementioned olcAuthzRegexp maps it to:

  uid=bob@xxxxxxxxxxx,ou=people,dc=example,dc=com

As a result, Bob's LDAP entry is not found, even though he is allowed to 
browse the local DIT (that just works). So, to make sure it works for 
users in the foreign realm, like Bob, who also happen to have a matching 
account in the local realm, I modified the regex to look like this:

  uid=([^,@]+)(@example.net)*,cn=example.com,cn=gssapi,cn=auth

That's one problem solved. Now what I need is for NFS to play nice. IMO, 
rpc.svcgssd should simply ask the local KDC if the foreign realm is to be 
trusted. Apparently, that's the way OpenLDAP, SSH and Dovecot IMAP do it, 
but that's not happening at the moment. So is this a bug, or what?

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
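To make the mapping behaviour concrete, here is an added Python model of how an olcAuthzRegexp rule rewrites the GSSAPI authorization DN. It is not code from the post, from OpenLDAP or from nfs-utils; it copies the two regexes quoted above, translates OpenLDAP's `$1` back-reference into Python's `\1`, and assumes (an assumption, not documented slapd behaviour) that the whole string must match. The foreign realm `example.net` is taken from the modified regex; the untrusted realm `other.example` and all principal strings are constructed for the example.

```python
import re

# Rules copied from the post: (regex, replacement) in olcAuthzRegexp form.
ORIGINAL_RULE = (
    r"uid=([^,]+),cn=example.com,cn=gssapi,cn=auth",
    "uid=$1,ou=people,dc=example,dc=com",
)
CROSS_REALM_RULE = (
    r"uid=([^,@]+)(@example.net)*,cn=example.com,cn=gssapi,cn=auth",
    "uid=$1,ou=people,dc=example,dc=com",
)

# Constructed GSSAPI-format names, shaped like the ones in the post.
LOCAL_BOB = "uid=bob,cn=example.com,cn=gssapi,cn=auth"
FOREIGN_BOB = "uid=bob@example.net,cn=example.com,cn=gssapi,cn=auth"
UNTRUSTED_BOB = "uid=bob@other.example,cn=example.com,cn=gssapi,cn=auth"  # assumed realm


def _to_python_template(replacement):
    """Turn OpenLDAP's $N back-references into Python's \\N form."""
    return re.sub(r"\$(\d)", r"\\\1", replacement)


def authz_map(rule, gssapi_dn):
    """Apply one rule to a GSSAPI authorization DN.

    Returns the rewritten DN, or None when the regex does not match.
    Assumption: whole-string matching (re.fullmatch); slapd's exact
    anchoring semantics are not modelled here.
    """
    pattern, replacement = rule
    match = re.fullmatch(pattern, gssapi_dn)
    if match is None:
        return None
    return match.expand(_to_python_template(replacement))


def first_match(rules, gssapi_dn):
    """Walk a list of rules in order and return the first rewrite.

    Mirrors the idea that rules are tried top to bottom and the first
    matching one wins; an unmatched name is returned unchanged so the
    caller can see that no mapping happened.
    """
    for rule in rules:
        mapped = authz_map(rule, gssapi_dn)
        if mapped is not None:
            return mapped
    return gssapi_dn


def demo():
    """Collect the outcomes the post describes, keyed for inspection."""
    return {
        # Same-realm user: both rules land on the ou=people entry.
        "original/local": authz_map(ORIGINAL_RULE, LOCAL_BOB),
        # Foreign user under the original rule: '@example.net' leaks into the
        # uid, so the entry is not found.
        "original/foreign": authz_map(ORIGINAL_RULE, FOREIGN_BOB),
        # Foreign user under the modified rule: suffix stripped, entry found.
        "cross-realm/foreign": authz_map(CROSS_REALM_RULE, FOREIGN_BOB),
        # A realm the rule does not list is not collapsed onto a local account.
        "cross-realm/untrusted": authz_map(CROSS_REALM_RULE, UNTRUSTED_BOB),
        # Rule chain: untrusted name passes through unmapped.
        "chain/untrusted": first_match([CROSS_REALM_RULE], UNTRUSTED_BOB),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} -> {value}")
```

Two things worth checking before copying the modified regex into a real slapd config: the `*` quantifier also accepts a repeated `@example.net@example.net` suffix, where `?` would admit at most one; and the unescaped dots in `example.net` and `example.com` match any character, so `example\.net` is the tighter spelling. Neither changes the outcomes above, but both narrow which foreign names get collapsed onto a local account.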