gssapi / gssproxy

A proxy for GSSAPI | Docs at https://github.com/gssapi/gssproxy/tree/main/docs

Reference that libidmap interface is not implemented and that one has to use the krb5.conf for id-mapping requirements. #101

Closed simo5 closed 6 months ago

simo5 commented 6 months ago

I think it would be sufficient to write that libidmap interface is not implemented and that one has to use the krb5.conf for id-mapping requirements.

On Friday, 3 May 2024, 15:00:47 CEST, Simo Sorce wrote:

I would accept a patch to the NFS.md doc if you have a clear idea of what to write, or even just an issue that describes precisely the kind of change you'd think would make this clearer in the doc.

Originally posted by @trupf in https://github.com/gssapi/gssproxy/discussions/100#discussioncomment-9306182

simo5 commented 6 months ago

@trupf what do you think about #102 ?

trupf commented 6 months ago

On Friday, 3 May 2024, 16:28:20 CEST, Simo Sorce wrote:

@trupf what do you think about #102 ?

For me as a user it is enough to know that it is not implemented and /etc/idmap.conf is ignored, but I can use auth_to_local in krb5.conf instead. Of course, you can explain the background/reasons if you want, but that's more for developers or to discourage people from requesting this feature. Maybe instead write that it is just a redundant feature and there are no plans to implement it in future. By the way, I use "auth_to_local_names" now in krb5.conf, which is very similar to the format in idmap.conf. Anyway, your explanation is also good for me if you want to give more information...

simo5 commented 6 months ago

Yes, I want to give a little more explanation to avoid people coming back and asking for the feature. So given what I have is a superset of what you need and it seems you say it does convey the info you were looking for, I'll go ahead. Thanks.

trupf commented 6 months ago

I figured one additional comment:

rpc.idmap is still required to run on the server for mapping of user names to user ids, as the same user may have different ids on server and client. I just tried disabling it, but then user mapping (for file owners and groups) is done based on the ids, not names. This is a feature of nfs4 that still requires idmap to run, independent of kerberos authentication. So other entries, like for example the "domain = your.kerberos.domain" setting, may still be required in idmap.conf.

On Friday, 3 May 2024, 18:36:24 CEST, Simo Sorce wrote:

Closed #101 as completed via #102.
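
An added illustration (not part of the thread or of the gssproxy docs) of the split described in the comments above: principal-to-user mapping goes in krb5.conf via auth_to_local_names, while idmap.conf keeps only what the NFSv4 name/ID mapper needs. The realm, domain and account names are constructed, and the commented-out [Static] section is assumed to be the idmap.conf format the comment compares against.

```ini
# --- krb5.conf (on the NFS server where gssproxy runs) ---
# Explicit principal -> local user mappings for one realm.
# EXAMPLE.COM and all account names below are constructed values.
[realms]
    EXAMPLE.COM = {
        auth_to_local_names = {
            alice = alice_local
            backupsvc = backup
        }
    }

# --- idmap.conf ---
# Still needed by the NFSv4 ID mapper, which translates file owner and
# group names to ids independently of Kerberos authentication.
[General]
Domain = example.com

# Static GSS principal mappings of this form are what the thread reports
# as ignored with gssproxy; the krb5.conf entries above take their place.
# [Translation]
# GSS-Methods = static
# [Static]
# alice@EXAMPLE.COM = alice_local
```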