Hi All,
Any pointers are appreciated.
-pushpesh
From: Pushpesh Sharma <pushpeshs(a)vmware.com>
Sent: Thursday, January 16, 2020 7:45 PM
To: devel(a)lists.nfs-ganesha.org
Subject: [NFS-Ganesha-Devel] Default KRB Principal name with new rpc.gssd
Hi All,
We are trying to use ganesha with KRB. On the NFS client (CentOS 7.5) we are joining Active
Directory using sssd (AD-based KRB realm). For the root user we are getting a krb ticket
using kinit and a valid AD user.
When the client joins the domain using sssd, a default client principal of
shorthostname$@REALM.COM is always generated.
rpc.gssd by default sends this principal as the principal user name to the ganesha server. The
client does have other principals like nfs/client_fqdn@REALM.COM. But as per the rpc.gssd
documentation as well, the first choice would be shorthostname$@REALM.COM.
Due to this the server always recognizes the root user as someone else, i.e.
shorthostname$@REALM.COM.
We do see in src/idmapper/idmapper.c handling for mapping three principal patterns
nfs/*, root/*, host/* to uid=0, gid=0. So this leaves the shorthostname$@REALM.COM
principal not being recognized as root.
We are of the opinion that doing a small fix in the above idmapper code to add this pattern as
well can fix this issue.
But we wanted to know whether there is any security concern around it, or if the client behavior
can be changed in any way so we don't need this fix?
If we try removing this shorthostname$@REALM.COM principal after the domain join, sssd
cannot be reloaded and complains about not finding this principal.
Thanks
-pushpesh
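To make the mapping question in the thread concrete, here is an added, self-contained C example (not ganesha's idmapper.c, and not code from the poster) that models the classification described above: a principal is split into service/instance@REALM, the three service prefixes named in the mail (nfs/, root/, host/) are mapped to uid 0 / gid 0, and a machine-account principal of the form HOST$@REALM is explicitly left unmapped with a reason string suitable for audit logging. The struct, function names and fixed buffer sizes are this example's own assumptions; the requirement that a service principal carry an instance part is likewise an assumption taken from the "nfs/*" spelling of the patterns, not a statement about what ganesha itself checks.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this example; ganesha's real idmapper API differs. */
struct principal_map {
    bool mapped;        /* true when the principal maps to a fixed uid/gid */
    unsigned int uid;
    unsigned int gid;
    const char *reason; /* which rule fired, for logging the decision */
};

/*
 * Split "service/instance@REALM" (or "name@REALM") into its parts.
 * Returns false for strings that are not of that shape: no '@', empty
 * name, or empty realm. Buffer sizes are fixed here as an assumption.
 */
static bool split_principal(const char *princ, char *service, size_t slen,
                            char *instance, size_t ilen,
                            char *realm, size_t rlen)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL || at == princ || at[1] == '\0')
        return false;

    const char *slash = memchr(princ, '/', (size_t)(at - princ));
    size_t svc_len = slash ? (size_t)(slash - princ) : (size_t)(at - princ);
    size_t inst_len = slash ? (size_t)(at - slash - 1) : 0;
    size_t realm_len = strlen(at + 1);

    if (svc_len == 0 || svc_len >= slen || inst_len >= ilen || realm_len >= rlen)
        return false;

    memcpy(service, princ, svc_len);
    service[svc_len] = '\0';
    if (slash)
        memcpy(instance, slash + 1, inst_len);
    instance[inst_len] = '\0';
    memcpy(realm, at + 1, realm_len + 1);
    return true;
}

/*
 * Map a principal to root only for the three service prefixes the thread
 * names. Machine-account principals (HOST$@REALM) are deliberately not
 * mapped: doing so would make every process that can use the host's
 * credentials look like root to the server.
 */
struct principal_map map_principal(const char *princ)
{
    struct principal_map r = { false, 0, 0, "no rule matched" };
    char service[64], instance[256], realm[128];

    if (!split_principal(princ, service, sizeof service,
                         instance, sizeof instance, realm, sizeof realm)) {
        r.reason = "malformed principal";
        return r;
    }

    /* Service principals carry an instance; "nfs@REALM" alone does not qualify. */
    if (instance[0] != '\0' &&
        (strcmp(service, "nfs") == 0 ||
         strcmp(service, "root") == 0 ||
         strcmp(service, "host") == 0)) {
        r.mapped = true;
        r.uid = 0;
        r.gid = 0;
        r.reason = "service principal";
        return r;
    }

    size_t n = strlen(service);
    if (instance[0] == '\0' && n > 1 && service[n - 1] == '$') {
        r.reason = "machine account (computer object), not mapped to root";
        return r;
    }
    return r;
}

int main(void)
{
    /* Constructed sample principals, not taken from any real realm. */
    const char *samples[] = {
        "nfs/client.example.com@REALM.COM",
        "host/client.example.com@REALM.COM",
        "CLIENT$@REALM.COM",
        "alice@REALM.COM",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct principal_map m = map_principal(samples[i]);
        printf("%-40s mapped=%d uid=%u reason=%s\n",
               samples[i], m.mapped, m.uid, m.reason);
    }
    return 0;
}
```

The point of keeping the machine-account branch separate from "no rule matched" is that an operator reviewing logs can see that the principal was recognised as a computer object and rejected on purpose, rather than silently falling through; if a site does decide to map such principals, that branch is the single place where the decision lives and can be audited.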