Whamcloud - gitweb
LU-16630 sec: improve Kerberos cross-realm trust remapping
author: Sebastien Buisson <sbuisson@ddn.com>
Fri, 10 Mar 2023 17:02:31 +0000 (18:02 +0100)
committer: Andreas Dilger <adilger@whamcloud.com>
Tue, 25 Apr 2023 03:34:31 +0000 (03:34 +0000)
commit: d72a8cfb23ab1595e661e9305e00b85e2c609563
tree: 087a0e5d8a37bef2b693e7cd03728e3fc4a7cd57
parent: bcb7fc9eab1952dcd2f3e5248e6b21fa0e19012e
LU-16630 sec: improve Kerberos cross-realm trust remapping

Improve Kerberos cross-realm trust remapping by leveraging existing
Kerberos mechanisms. gss_localname() can be used to resolve usernames:
it goes through the auth_to_local translation rules in krb5.conf and
thus can easily be configured by security administrators.
This new mechanism does not replace the existing and rudimentary
mapping based on /etc/lustre/idmap.conf. If /etc/lustre/idmap.conf
exists, it is used for user mapping. If not, the new mechanism based
on gss_localname() gets involved.
But we now print a warning that idmap.conf is deprecated if we detect
it is in use.

Lustre-change: https://review.whamcloud.com/50259
Lustre-commit: 3214d4d860e36b6aa07addad9e600fd754fc9149

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Iaaf15a757dc246673e2f412181219cc978079fab
Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/50292
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
lustre/utils/gss/err_util.h
lustre/utils/gss/lgss_utils.h
lustre/utils/gss/lsupport.c
lustre/utils/gss/lsupport.h
lustre/utils/gss/svcgssd.c
lustre/utils/gss/svcgssd.h
lustre/utils/gss/svcgssd_main_loop.c
lustre/utils/gss/svcgssd_proc.c
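As an added illustration that is not part of this commit or of the Lustre tree, the krb5.conf auth_to_local rules the commit message refers to, showing a permissive rule next to a realm-anchored one; realm and host names are constructed placeholders.

```ini
[libdefaults]
    default_realm = LUSTRE.EXAMPLE.ORG

[realms]
    LUSTRE.EXAMPLE.ORG = {
        kdc = kdc.lustre.example.org

        # WEAK (shown for contrast, do not use): strips the realm from any
        # single-component principal, so bob@ANY.OTHER.REALM reachable through
        # transitive cross-realm trust would also become local user "bob".
        # auth_to_local = RULE:[1:$1@$0](.*)s/@.*//

        # Anchored: only single-component principals of the trusted realm
        # CORP.EXAMPLE.ORG are remapped, e.g. alice@CORP.EXAMPLE.ORG -> alice.
        # [1:$1@$0] formats the principal as "component@REALM"; the regex must
        # match that whole string before the substitution is applied.
        auth_to_local = RULE:[1:$1@$0](^[a-z][a-z0-9_-]*@CORP\.EXAMPLE\.ORG$)s/@CORP\.EXAMPLE\.ORG$//

        # Principals of the local realm map to their first component.
        # Two-component principals (e.g. alice/admin@CORP.EXAMPLE.ORG) and
        # principals from any other realm match no rule, so gss_localname()
        # fails for them instead of silently yielding a local account.
        auth_to_local = DEFAULT
    }

[domain_realm]
    .lustre.example.org = LUSTRE.EXAMPLE.ORG
```

Rules are evaluated in order and the first match wins, so the DEFAULT rule must stay last; with this file present and no /etc/lustre/idmap.conf, the gss_localname() path described in the commit message is what svcgssd consults.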