On Fri, 2017-12-01 at 11:15 -0800, Gordon Messmer via FreeIPA-users wrote:
On 12/01/2017 09:52 AM, Simo Sorce via FreeIPA-users wrote:
gssproxy does not use libidmapd because it is not thread safe (among other issues); it is also not needed, because you can control mapping in auth_to_local in krb5.conf, and that place is the correct place to deal with identity mapping when Kerberos is involved.
Not sure if I'm doing this right, but that doesn't work for me, either:
[realms]
 EXAMPLE.NET = {
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  auth_to_local = RULE:[2:$1](daemon)s/^.*$/daemon/
  auto_to_local = DEFAULT
 }
Client's default principal is daemon/application-2017111901.example.net@EXAMPLE.NET
I think what you want is something like: RULE:[2:$1@$0](daemon@EXAMPLE.NET)s/.*//
Note, this will map any daemon/<arbitrary>@REALM principal to the local 'daemon' user; be sure that is OK.
This is a decent guide to better understand what can be done with auth_to_local: https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html
HTH, Simo.
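As an added illustration (not code from this thread and not krb5's own implementation), a small Python model of how a RULE:[n:string](regexp)s/pattern/replacement/ entry is evaluated: the principal must have n components, the selection string is built from $0 (the realm) and $1..$n, the regexp must match that whole string, and the substitution then runs on it. It applies Gordon's rule to his principal and to constructed principals, which makes the caveat above visible: any daemon/<anything>@EXAMPLE.NET lands on the local daemon user, while one-component principals fall through to DEFAULT. The realm-pinned rule built on the [2:$1@$0] selector is a constructed variant, and the matching semantics are a simplification.

```python
import re

# Simplified model of MIT krb5's auth_to_local RULE evaluation (assumption:
# written for this thread, not krb5's own code; substitution flags other
# than 'g' and patterns containing '/' are not handled).
RULE_RE = re.compile(
    r'RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?')

def apply_rule(rule, principal):
    """Local name the rule yields for principal, or None if it does not apply."""
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError('unparseable rule: ' + rule)
    n, selector, regexp, pattern, repl, glob = m.groups()
    name, realm = principal.rsplit('@', 1)
    comps = name.split('/')
    if len(comps) != int(n):           # [n:...] applies only to n-component principals
        return None
    s = selector.replace('$0', realm)  # $0 is the realm, $1..$n the components
    for i, c in enumerate(comps, 1):
        s = s.replace('$%d' % i, c)
    if regexp is not None and re.fullmatch(regexp, s) is None:
        return None                    # the whole selection string must match
    if pattern is not None:            # substitution runs on the selection string
        s = re.sub(pattern, repl, s, count=0 if glob else 1)
    return s

def auth_to_local(rules, principal, default_realm):
    """Walk the rules in order; DEFAULT maps one-component principals of the local realm."""
    name, realm = principal.rsplit('@', 1)
    for r in rules:
        if r == 'DEFAULT':
            if realm == default_realm and '/' not in name:
                return name
            continue
        out = apply_rule(r, principal)
        if out is not None:
            return out
    return None

# Gordon's rule from the thread, plus a constructed realm-pinned variant
# using the [2:$1@$0] selector Simo points to.
GORDON_RULE = 'RULE:[2:$1](daemon)s/^.*$/daemon/'
PINNED_RULE = 'RULE:[2:$1@$0](daemon@EXAMPLE.NET)s/.*/daemon/'
PRINCIPAL = 'daemon/application-2017111901.example.net@EXAMPLE.NET'

if __name__ == '__main__':
    for p in (PRINCIPAL, 'daemon/anything-at-all@EXAMPLE.NET',  # constructed
              'alice@EXAMPLE.NET', 'host/box@EXAMPLE.NET'):      # constructed
        print(p, '->', auth_to_local([GORDON_RULE, 'DEFAULT'], p, 'EXAMPLE.NET'))
```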