
Re: write permissions on Kerberos secured NFS share



On 06/28/2015 11:31 PM, Jonas Meurer wrote:
> On 28.06.2015 at 20:30, Christian Seiler wrote:
>> Also, I just noticed that your principal name was mail/nfs-client.
>> Did you set up idmapping on the server correctly for that to work?
> 
> Yes, I fiddled around with static mapping. But now that I read your
> explanation, using usernames without hostname as principal name sounds
> way more obvious. As you can see above, I changed this now.

Well, depends on what you want to achieve. If you have lots of
different NFS clients that all have system users with the same name but
each client shouldn't be able to access the data of other clients, then
having static mappings for individualized principal names (and on the
clients a different static mapping) could make sense.

Example:

host1:   static mapping   user mail   <-> principal mail/host1
host2:   static mapping   user mail   <-> principal mail/host2
server:  static mapping   user mail1  <-> principal mail/host1
                          user mail2  <-> principal mail/host2

+ permissions set in such a manner that the users mail1 and mail2
can only read their own directories.

I just didn't suggest it in your case since you also have
no_root_squash in there, which really defeats the purpose of an
exercise like this. ;-)

But if you do squash root, AND you have multiple servers that should
only see their own stuff, it could make sense. (Haven't used it myself,
though.)

In the end, it really depends on the use case (and your paranoia
level ;-)). But usually I prefer the simpler solution. 

Christian
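The per-host static mapping sketched above, written out as the idmapd and exports configuration it implies. This is an added illustration, not configuration from Christian's message or from the nfs-utils project; the realm EXAMPLE.COM, the export path /srv/mail and the hostnames are assumptions, and the `[Static]` section syntax is that of libnfsidmap's static translation method.

```ini
# --- /etc/idmapd.conf on host1 (NFS client) ---
# Local user "mail" is presented to the server as principal mail/host1.
[General]
Domain = example.com

[Translation]
Method = static

[Static]
mail/host1.example.com@EXAMPLE.COM = mail

# --- /etc/idmapd.conf on host2 (NFS client) ---
# Same local user name, but a different per-host principal.
[General]
Domain = example.com

[Translation]
Method = static

[Static]
mail/host2.example.com@EXAMPLE.COM = mail

# --- /etc/idmapd.conf on the NFS server ---
# Each client principal lands on its own local account, so ordinary
# file permissions separate the two clients' data.
[General]
Domain = example.com

[Translation]
Method = static

[Static]
mail/host1.example.com@EXAMPLE.COM = mail1
mail/host2.example.com@EXAMPLE.COM = mail2

# --- /etc/exports on the NFS server ---
# root_squash (the default) is what makes the separation hold: with
# no_root_squash a client's root could bypass the per-user permissions.
# /srv/mail  host1.example.com(sec=krb5p,rw,root_squash)
# /srv/mail  host2.example.com(sec=krb5p,rw,root_squash)
```

On the server, the export then needs `/srv/mail/host1` owned by mail1 and `/srv/mail/host2` owned by mail2, each with mode 0700, so that neither mapped user can read the other's directory; `nfsidmap -c` (client) and restarting rpc.idmapd (server) clear cached mappings after changing these files.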
