Hi All,


We are trying to use ganesha with KRB. On the NFS client (CentOS 7.5) we are joining Active Directory using sssd (AD-based KRB realm). For the root user we are getting a krb ticket using kinit and a valid AD user.


While joining the domain using sssd, a default client principal of shorthostname$@REALM.COM is always generated. rpc.gssd by default sends this principal as the principal user name to the ganesha server. The client does have other principals like nfs/client_fqdn@REALM.COM, but as per the rpc.gssd documentation as well, the first choice would be shorthostname$@REALM.COM.


Due to this the server always recognizes the root user as someone else, i.e. shorthostname$@REALM.COM.


We do see in src/idmapper/idmapper.c handling for mapping three principal patterns (nfs/*, root/*, host/*) to uid=0, gid=0. So this leaves the shorthostname$@REALM.COM principal not being recognized as root.


We are of the opinion that a small fix in the above idmapper code to add this pattern as well can fix this issue.


But we wanted to know if there is any security concern around it? Or if the client behavior can be changed in any way, so we don't need this fix?


If we try removing the shorthostname$@REALM.COM principal after domain join, sssd cannot be reloaded and complains about not finding this principal.


Thanks

-pushpesh
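The principal matching the post describes, as an added example in C that is not ganesha's own idmapper.c: it reproduces the three-prefix rule (nfs/, root/, host/ map to root) and adds a separate check that recognizes the sssd machine-account form (shorthostname$@REALM), so a reviewer can see that the machine principal falls outside the root set and can decide explicitly how it should be mapped instead of silently widening the root list. Principal strings are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the rule described in the post:
 * a principal maps to uid=0/gid=0 only if its service part is
 * nfs/, root/ or host/. The machine-account principal generated
 * by sssd (NAME$@REALM) matches none of these. */
static const char *const root_prefixes[] = { "nfs/", "root/", "host/" };

bool principal_maps_to_root(const char *princ)
{
    size_t n = sizeof root_prefixes / sizeof root_prefixes[0];
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(root_prefixes[i]);
        if (strncmp(princ, root_prefixes[i], len) == 0)
            return true;
    }
    return false;
}

/* Machine-account principal: "NAME$@REALM", i.e. no service part
 * ('/' before the '@') and the name ends in '$'. Recognizing it
 * separately lets a server log or reject it explicitly. */
bool is_machine_account_principal(const char *princ)
{
    const char *at = strchr(princ, '@');
    if (at == NULL || at == princ)
        return false;
    if (memchr(princ, '/', (size_t)(at - princ)) != NULL)
        return false;
    return at[-1] == '$';
}
```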