On 12/01/2017 09:52 AM, Simo Sorce via FreeIPA-users wrote:
gssproxy does not use libidmapd because it is not thread safe (among other issues), it is also not needed, because you can control mapping in auth_to_local in krb5.conf and that place is the correct place to deal with identity mapping when Kerberos is involved.
Not sure if I'm doing this right, but that doesn't work for me, either:
[realms]
  EXAMPLE.NET = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    auth_to_local = RULE:[2:$1](daemon)s/^.*$/daemon/
    auto_to_local = DEFAULT
  }
Client's default principal is daemon/application-2017111901.example.net@EXAMPLE.NET
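
An added illustration, not code from either poster or from gssproxy/krb5: a small Python sketch of how ordered auth_to_local values are evaluated as the krb5.conf documentation describes them, run over the stanza and principal quoted above. The function names are hypothetical, Python's `re` stands in for POSIX regular expressions, and selectors containing `)` or sed parts containing `/` are not handled.

```python
import re

# Constructed from the realm stanza and principal quoted in the message above.
STANZA = """\
auth_to_local = RULE:[2:$1](daemon)s/^.*$/daemon/
auto_to_local = DEFAULT
"""
PRINCIPAL = "daemon/application-2017111901.example.net@EXAMPLE.NET"

RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def mapping_rules(stanza):
    """Split stanza lines into auth_to_local values and every other key seen."""
    rules, other_keys = [], []
    for line in stanza.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "auth_to_local":
            rules.append(value)
        elif key:
            other_keys.append(key)
    return rules, other_keys

def apply_rule(rule, principal, default_realm):
    """Return the local name one rule yields, or None if it does not apply."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT applies only to single-component names in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None or len(comps) != int(m.group(1)):
        return None
    _, fmt, selector, pattern, repl, glob = m.groups()
    # $0 is the realm, $1..$n are the name components.
    text = re.sub(r"\$(\d)", lambda d: ([realm] + comps)[int(d.group(1))], fmt)
    # The selector regexp has to match the whole selection string.
    if selector is not None and not re.fullmatch(selector, text):
        return None
    if pattern is not None:
        text = re.sub(pattern, repl, text, count=0 if glob else 1)
    return text

def localname(principal, rules, default_realm):
    """The first rule that applies wins; None means no mapping was found."""
    for rule in rules:
        result = apply_rule(rule, principal, default_realm)
        if result is not None:
            return result
    return None
```

Run over the quoted stanza, the RULE line maps the client principal to `daemon`, and the line spelled `auto_to_local` is returned among the other keys rather than as a mapping rule.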