Mapping GSS Credentials to UNIX Credentials
The Kerberos service provides a default mapping of GSS credential names
to UNIX user IDs (UIDs) for GSS applications that require this mapping, such
as NFS. GSS credential names are equivalent to Kerberos principal names when
using the Kerberos service. The default mapping algorithm takes a one-component
Kerberos principal name and uses that component, which is the primary
name of the principal, to look up the UID. The lookup occurs in the default
realm or any realm that is allowed by using the auth_to_local_realm parameter
in /etc/krb5/krb5.conf. For example, the user principal
name bob@EXAMPLE.COM is mapped to the UID of the UNIX user
named bob using the password table. The user principal
name bob/admin@EXAMPLE.COM would not be mapped, because
the principal name includes an instance component of admin.
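
The default mapping described above, as an added Python sketch (not Solaris code). The realm names other than EXAMPLE.COM, the UIDs, the in-memory password table, and the function names are constructed assumptions; treating a principal with no realm as belonging to the default realm is also an assumption of this sketch.

```python
# Added illustration of the default GSS-credential-to-UID mapping.
# Not Solaris source code; all names and sample data here are constructed.

DEFAULT_REALM = "EXAMPLE.COM"                 # default realm (assumed)
AUTH_TO_LOCAL_REALMS = {"SALES.EXAMPLE.COM"}  # auth_to_local_realm values (assumed)
PASSWD = {"bob": 1001, "alice": 1002}         # constructed stand-in for the password table


def split_principal(principal):
    """Split 'primary[/instance...][@REALM]' into (components, realm).

    A backslash escapes the following character, so an escaped '/' or '@'
    stays inside its component. The realm is None when no '@' is present.
    """
    parts, current, realm, i = [], [], None, 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):
            current.append(principal[i + 1])
            i += 2
            continue
        if ch == "@":
            realm = principal[i + 1:]
            break
        if ch == "/":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts, realm


def default_map(principal, default_realm=DEFAULT_REALM,
                extra_realms=AUTH_TO_LOCAL_REALMS, passwd=PASSWD):
    """Return the UID for a principal, or None when the default mapping does not apply."""
    components, realm = split_principal(principal)
    if realm is None:
        realm = default_realm  # assumption: no realm given means the default realm
    if len(components) != 1 or not components[0]:
        return None            # instance component present, e.g. bob/admin
    if realm != default_realm and realm not in extra_realms:
        return None            # realm is neither the default nor explicitly allowed
    return passwd.get(components[0])  # None when no such UNIX user exists
```
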

If the default mappings for the user credentials are sufficient, the GSS credential
table does not need to be populated. In past releases, populating the GSS
credential table was required to get the NFS service to work. If the default
mapping is not sufficient, for example, if you want to map a principal name
that contains an instance component, then other methods should be used. For
more information, see: