On Sat, Apr 12, 2014 at 11:24:28AM +0200, Wang Shouhua wrote:
> Let's recap:
>
> 1. Requirements:
> - Linux or Solaris
> - NFS automounter set up at /net
> - Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
> - An NFS server (version 4 only) nfsserver.most.gov.cn exists in the
> realm MOST.GOV.CN, with a subdir of test3
>
> 2. Goal:
> A user provides his password to obtain a ticket for us...@most.gov.cn
> (optionally n...@most.gov.cn, if this is a requirement to do a mount),
> and is then able to cd into /net/nfsserver.most.gov.cn/test3, and do a
> successful ls -al there
>
> Is that possible?

I don't think so. If the NFS client is only configured for realm EXAMPLE2.COM, how will a user get an NFS service ticket for the MOST.GOV.CN realm? The NFS client will need to be configured for cross-realm operation in order for a user to get that service ticket once the user has their krb TGT credential for EXAMPLE2.COM.

Second, how is the NFS server in MOST.GOV.CN going to map a principal in EXAMPLE2.COM to a local user ID? This will require some form of 'auth_to_local*' mapping configuration on the NFS server side in /etc/krb5/krb5.conf.

You may want to ask for more info on this on the Oracle OTN discussion forums, read the Solaris 10 online documentation or check with your Oracle support person.

--
Will Fiveash
Oracle Solaris Software Engineer
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
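
The server-side mapping problem raised in the reply above, as an added example that is not part of the original thread and not Solaris or MIT code: a simplified Python model of krb5.conf `auth_to_local` evaluation using the MIT krb5 `RULE:[n:format](regex)s/pattern/replacement/` syntax. The principal `alice`, the rule string and the assumption that the server accepts this rule syntax are constructed for illustration.

```python
import re

# Simplified model of krb5.conf auth_to_local (MIT krb5 RULE syntax).
# Python's re only approximates the POSIX regexes the real library uses.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

SERVER_REALM = "MOST.GOV.CN"  # default realm of the NFS server in the thread
# Constructed rule: accept one-component principals from EXAMPLE2.COM
# and strip the realm to obtain the local user name.
CROSS_REALM_RULE = r"RULE:[1:$1@$0](.*@EXAMPLE2\.COM)s/@.*//"

def parse_principal(principal):
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rule(rule, comps, realm, default_realm):
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the local realm.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, regex, pat, repl, glob = m.groups()
    if int(n) != len(comps):
        return None  # rule applies only to principals with n components
    # $0 is the realm, $1..$n are the name components.
    s = re.sub(r"\$(\d)", lambda d: ([realm] + comps)[int(d.group(1))], fmt)
    if regex is not None and not re.fullmatch(regex, s):
        return None  # the regex must match the whole formatted string
    if pat is not None:
        s = re.sub(pat, repl, s, count=0 if glob else 1)
    return s

def auth_to_local(principal, rules, default_realm=SERVER_REALM):
    comps, realm = parse_principal(principal)
    for rule in rules:  # first rule that yields a name wins
        local = apply_rule(rule, comps, realm, default_realm)
        if local is not None:
            return local
    return None  # no mapping: the server has no local user for this principal

if __name__ == "__main__":
    for rules in (["DEFAULT"], [CROSS_REALM_RULE, "DEFAULT"]):
        print(rules, "->", auth_to_local("alice@EXAMPLE2.COM", rules))
```

A rule that strips the realm maps `alice@EXAMPLE2.COM` and `alice@MOST.GOV.CN` to the same local account, so it only fits where both realms share one user namespace.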