On Thu, Mar 01, 2007 at 09:54:22AM -0700, Machin, Glenn D wrote:
>
> The default NFS domain for our servers is sandia.nfs.domain with a
> kerberos realm of sandia.gov. However we have users whose kerberos
> principals will be in a different realm, and we would like to map them
> to the NFS domain associated with their kerberos realm.
>
> Is there any way to to this on Solaris? It appears that all users will
> be in a single NFS domain.
See: gsscred(1M), gsscred.conf(4), krb5_auth_rules(5) and krb5.conf(4)
(specifically the auth_to_local* parameters)
Basically, you have to map client principals to Unix accounts. These
mappings can be done with per-mapping entries via the gsscred facility,
or with rules via krb5.conf auth_to_local* parameters.
Nico
--
