[LU-16630] Improve Kerberos cross-realm trust remapping Created: 10/Mar/23  Updated: 16/May/23  Resolved: 11/Apr/23

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.16.0
Fix Version/s: Lustre 2.16.0

Type: Bug Priority: Minor
Reporter: Sebastien Buisson Assignee: Sebastien Buisson
Resolution: Fixed Votes: 0
Labels: kerberos, sec

Issue Links:
Related
Severity: 3
Rank (Obsolete): 9223372036854775807

 Description   

Currently lsvcgssd does have the notion of a "remote user", however its remapping configuration requires listing all users and their UID in a text file (/etc/lustre/idmap.conf)

It should be possible to call gss_localname() (which in turn would be fed to getpwnam) to resolve usernames. gss_localname goes through the auth_to_local translation rules in krb5.conf and thus can easily be configured by administrators.

 Comments   
Comment by Gerrit Updater [ 10/Mar/23 ]

"Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/50259
Subject: LU-16630 sec: improve Kerberos cross-realm trust remapping
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: c5a054a42b237dd17366dd580b6113493c4a4b1b

Comment by Gerrit Updater [ 11/Apr/23 ]

"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/50259/
Subject: LU-16630 sec: improve Kerberos cross-realm trust remapping
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 3214d4d860e36b6aa07addad9e600fd754fc9149

Comment by Peter Jones [ 11/Apr/23 ]

Landed for 2.16

Generated at Sat Feb 10 03:28:39 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.