Dipit Grover has uploaded this change for review.

Idmapping: Resolve fully qualified user/group principal names

When using pw-utils for idmapping, until now Ganesha validated
the domain contained in the user/group principal names against
the configured domain-name, before resolving them to uid/gid.
On successful validation, the domain was stripped off from the
names before passing those names to pw-utils functions for
idmapping. This has some limitations:

1. The passed names can conflict with local machine users/groups,
and that may cause incorrect user/group resolution.
2. In a multi-domain environment (AD trusts for example), the
actual domain must be passed for the user/group identification.

This CL addresses these limitations by passing the fully-qualified
names to pw-utils for user/group resolution.

The CL also adds a config flag in Directory_Services section
of Ganesha config, which controls whether to use fully qualified
names for idmapping with pw-utils. The default value of this
config flag is set to false, to retain the existing behavior.

Change-Id: I021c3bf5c2d4a9de39e6827e49c9b693763a155c
Signed-off-by: Dipit Grover <dipit@google.com>
---
M src/doc/man/ganesha-core-config.rst
M src/idmapper/idmapper.c
M src/include/gsh_config.h
M src/support/nfs_read_conf.c
4 files changed, 83 insertions(+), 45 deletions(-)

git pull ssh://review.gerrithub.io:29418/ffilz/nfs-ganesha refs/changes/43/1195343/1

Gerrit-MessageType: newchange
Gerrit-Project: ffilz/nfs-ganesha
Gerrit-Branch: next
Gerrit-Change-Id: I021c3bf5c2d4a9de39e6827e49c9b693763a155c
Gerrit-Change-Number: 1195343
Gerrit-PatchSet: 1
Gerrit-Owner: Dipit Grover <dipitgrover@gmail.com>
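
The two limitations listed in the commit message, shown as an added example that is not part of this change or of Ganesha's code. `mock_lookup`, `resolve_principal` and `use_fqn` are hypothetical names, the accounts and ids are constructed, and the resolver's local-files-first ordering is an assumption standing in for the system's name service.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample data standing in for the name-service databases. */
struct entry { const char *name; int uid; };
static const struct entry local_db[] = { { "backup", 34 } };
static const struct entry dir_db[] = {
	{ "backup@corp.example", 20001 }, { "backup@partner.example", 30001 },
};

/* Mock resolver (assumption): local files first, then the directory, which
 * answers short names for its default domain corp.example only. */
static int mock_lookup(const char *name)
{
	char fq[128];
	size_t i;

	for (i = 0; i < sizeof(local_db) / sizeof(local_db[0]); i++)
		if (strcmp(local_db[i].name, name) == 0)
			return local_db[i].uid;
	if (strchr(name, '@') == NULL) {
		snprintf(fq, sizeof(fq), "%s@corp.example", name);
		name = fq;
	}
	for (i = 0; i < sizeof(dir_db) / sizeof(dir_db[0]); i++)
		if (strcmp(dir_db[i].name, name) == 0)
			return dir_db[i].uid;
	return -1;
}

/* use_fqn models the new config flag; its real name is not shown on this page. */
static int resolve_principal(const char *principal, const char *domain, int use_fqn)
{
	char shortname[128];
	const char *at = strrchr(principal, '@');

	if (use_fqn)	/* new behaviour: pass the fully qualified name through */
		return mock_lookup(principal);
	/* old behaviour: validate the domain, strip it, look up the short name */
	if (!at || strcasecmp(at + 1, domain) != 0 || (size_t)(at - principal) >= sizeof(shortname))
		return -1;
	memcpy(shortname, principal, (size_t)(at - principal));
	shortname[at - principal] = '\0';
	return mock_lookup(shortname);
}

int main(void)
{
	printf("stripped: %d, fqn: %d\n", resolve_principal("backup@corp.example", "corp.example", 0),
	       resolve_principal("backup@corp.example", "corp.example", 1));
	return 0;
}
```

With the domain stripped, `backup@corp.example` resolves to the local `backup` account, and a principal from the second domain is rejected outright; with the fully qualified name passed through, both resolve to their directory ids.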