On 12/25/18 9:49 PM, Theodore Y. Ts'o wrote:
> Now, I believe you *could* configure in the mapping database that
> authentication from some Kerberos principal such as
> "tytso/root@ATHENA.MIT.EDU" or "host/cwcc.mit.edu@ATHENA.MIT.EDU" (you
> can use service principals from a Kerberos keytab as a client principal
> for the purposes of machine authentication) should be mapped to uid 0.
Ted, you ultimately pointed me down the proper path.
My first few attempts at implementing what you were suggesting,
including (re)using the host/client.sub.domain.tld@REALM, didn't work
out as desired.
After much trial and tribulation, I did manage to get it working using a
different principal, root/client.sub.domain.tld@REALM.
See my previous reply to my original message for more details.
Thank you again for the very detailed reply, Ted.
--
Grant. . . .
unix || die