Whamcloud - gitweb
LU-16630 sec: improve Kerberos cross-realm trust remapping 59/50259/6
author Sebastien Buisson <sbuisson@ddn.com>
Fri, 10 Mar 2023 17:02:31 +0000 (18:02 +0100)
committer Oleg Drokin <green@whamcloud.com>
Tue, 11 Apr 2023 21:56:56 +0000 (21:56 +0000)
commit 3214d4d860e36b6aa07addad9e600fd754fc9149
tree 2cf9925b2473725f57ed6b7a615d24e00d9b5860
parent 4f5eb6cfeae20dd14a1eb441515892ac8c27d196
LU-16630 sec: improve Kerberos cross-realm trust remapping

Improve Kerberos cross-realm trust remapping by leveraging existing
Kerberos mechanisms. gss_localname() can be used to resolve usernames:
it goes through the auth_to_local translation rules in krb5.conf and
thus can easily be configured by security administrators.
This new mechanism does not replace the existing and rudimentary
mapping based on /etc/lustre/idmap.conf. If /etc/lustre/idmap.conf
exists, it is used for user mapping. If not, the new mechanism based
on gss_localname() gets involved.
But we now print a warning that idmap.conf is deprecated if we detect
it is in use.

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Iaaf15a757dc246673e2f412181219cc978079fab
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/50259
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Jonathan Calmels <jcalmels@nvidia.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
lustre/utils/gss/err_util.h
lustre/utils/gss/lgss_utils.h
lustre/utils/gss/lsupport.c
lustre/utils/gss/lsupport.h
lustre/utils/gss/svcgssd.c
lustre/utils/gss/svcgssd.h
lustre/utils/gss/svcgssd_main_loop.c
lustre/utils/gss/svcgssd_proc.c
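The commit message above says the new path resolves usernames through gss_localname(), which applies the auth_to_local rules in krb5.conf. The fragment below is an added illustration of what such rules look like; it is not part of this change or of the Lustre project, and the realm names (EXAMPLE.COM as the local realm, TRUSTED.EXAMPLE.NET as the trusted remote realm) and the local usernames are constructed placeholders. It assumes the MIT krb5 rule syntax `RULE:[n:string](regexp)s/pattern/replacement/`, where `$0` is the realm and `$1`, `$2` are the principal components.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    # auth_to_local is read from the stanza of the local (default) realm.
    # Rules are tried in order; the first rule whose regexp matches wins.
    EXAMPLE.COM = {
        kdc = kdc.example.com

        # Pin one specific cross-realm principal to a dedicated local account,
        # so "admin" in the trusted realm does not silently become local "admin".
        auth_to_local = RULE:[1:$1@$0](^admin@TRUSTED\.EXAMPLE\.NET$)s/.*/trusted_admin/

        # Map every other single-component principal from the trusted realm
        # to a local username with a "trusted_" prefix: bob@TRUSTED.EXAMPLE.NET
        # becomes trusted_bob. The regexp is anchored on the realm so principals
        # from any other foreign realm do not match here.
        auth_to_local = RULE:[1:$1@$0](^.*@TRUSTED\.EXAMPLE\.NET$)s/^(.*)@TRUSTED\.EXAMPLE\.NET$/trusted_\1/

        # Two-component service principals from the trusted realm, e.g.
        # nfs/host.example.net@TRUSTED.EXAMPLE.NET, are collapsed to the first
        # component ("nfs").
        auth_to_local = RULE:[2:$1@$0](^.*@TRUSTED\.EXAMPLE\.NET$)s/@TRUSTED\.EXAMPLE\.NET$//

        # DEFAULT maps single-component principals of the local realm only
        # (alice@EXAMPLE.COM -> alice). A principal matched by no rule, including
        # any from an unlisted realm, is left unmapped and is rejected.
        auth_to_local = DEFAULT
    }
```

Two points follow from the commit message itself: these rules only take effect when /etc/lustre/idmap.conf is absent, because an existing idmap.conf is still used (with a deprecation warning) in preference to gss_localname(); and because unmatched principals fail to map rather than falling through, keeping the cross-realm rules anchored on an explicit realm name means a newly trusted realm gets no implicit local identity until an administrator adds a rule for it.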