Name translation problem using kerberized NFSv3 with Active Directory

varun mittal vmittal05 at gmail.com
Mon Oct 29 03:40:32 EDT 2012


We are trying to set up NFSv3 Kerberos with Active Directory. The server is
configured with Active Directory using 'winbind'.
Our NFS server recognizes the AD user names in the format
'domain\<username>' [due to winbind in nsswitch]. The name format is fixed
and cannot be changed (some policy constraints).

Problem:
The issue we are having is that the principal name in the NFS RPC layer is of
the format 'username@realm'. This leads to an idmapping failure when the NFS
server tries to map the name part of the principal name to a UID [since
'username' doesn't comply with the format 'domain\username'].

Probable solution:
There is an option in krb5.conf, 'auth_to_local', which provides name
translation and could be a solution to my problem.

Currently the RULE format in auth_to_local supports the form [from file
lib/krb5/os/an_to_ln.c]:
                "s/" <regexp> "/" <text> "/" ["g"]

What I need is something like this [the way they handle in sed]:
                "s/" <regexp> "/" <regexp> "/" ["g"]

so that I can 'append' the 'domain\' to each of the incoming 'username's.

Queries:
a) Is my understanding of the above potential solution correct? Or does
there exist an alternate solution to this issue?
b) Is such a mechanism already available, or is one in the pipeline?

Note: I cannot use the DB:<filename> form since the number of users is too high and
changes frequently.

Thanks in advance
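To make the translation step concrete, here is an added example (not the poster's code and not MIT's lib/krb5/os/an_to_ln.c) that models the documented auth_to_local RULE syntax, `RULE:[n:string](regexp)s/regexp/text/[g]`, and goes beyond the post by including the `[n:string]` selector, whose `$0`/`$1` expansion builds the output name from principal components; the rule strings and principal names are constructed, and on-disk krb5.conf quoting is not modelled.

```python
import re

# Simplified model of the krb5.conf auth_to_local RULE form
#   RULE:[<n>:<string>](<regexp>)s/<regexp>/<text>/[g]
# Added illustration, not MIT's an_to_ln.c: optional selector, optional
# whole-string regexp, then at most one literal-text substitution.
RULE_RE = re.compile(
    r"^RULE:(?:\[(\d+):([^\]]*)\])?(?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def apply_rule(rule, principal):
    """Map 'name@REALM' through one RULE; return None when the rule does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule syntax: %r" % rule)
    ncomp, selector, match_re, sub_re, sub_text, gflag = m.groups()
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if ncomp is not None:
        # [n:string]: principal must have exactly n components;
        # $0 expands to the realm, $1..$n to the components.
        if len(comps) != int(ncomp):
            return None
        string = selector.replace("$0", realm)
        for i, comp in enumerate(comps, 1):
            string = string.replace("$%d" % i, comp)
    else:
        string = name
    # (regexp) must match the whole selected string, else the rule is skipped.
    if match_re is not None and re.fullmatch(match_re, string) is None:
        return None
    # s/regexp/text/[g]: <text> is literal, so a lambda keeps re.sub from
    # interpreting backslashes (as in 'domain\') as escape sequences.
    if sub_re is not None:
        string = re.sub(sub_re, lambda _: sub_text, string,
                        count=0 if gflag else 1)
    return string

def map_principal(rules, principal):
    """Rules are tried in order; the first one that applies wins."""
    for rule in rules:
        out = apply_rule(rule, principal)
        if out is not None:
            return out
    return None

# Constructed rule set: the selector emits 'domain\<first component>' for
# single-component (user) principals; service principals such as nfs/host
# have two components and fall through unmapped.
AD_RULES = [r"RULE:[1:domain\$1]"]   # alice@EXAMPLE.COM -> domain\alice
```

Under this model an anchored substitution such as `RULE:s/^/domain\/` prepends the literal text too, but the selector form is the one documented for building names from components.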

