On 25 Apr 2022, at 15:14, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


> You need to instruct gssproxy to use a client keytab that contains
> user's keys.
>
> You have to use user's keys in that keytab because you need to make sure
> UID of the user has the same mapping between what the client runs and
> what NFS server uses. For users it is done more or less automatically.
> For services it is not because Kerberos services in IPA do not have
> POSIX identities.
>
> https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#keytab-based-client-initiation
> describes a general solution.

Thanks a lot for pointing this out. But what about this: https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#user-impersonation-via-constrained-delegation ? Do I get it correctly that with user delegation the user keytab or a valid user credential isn't necessary?

Will the user be able to access a mounted share without a ticket when user delegation is used?

Best,
Francis
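For readers following the two gssproxy approaches discussed in this thread, the following gssproxy.conf fragment is an added illustration, not part of the mailing-list exchange and not taken from the gssproxy docs. It shows the keytab-based client initiation Alexander describes (one per-user keytab selected by the client's UID via `%U`) next to the impersonation variant Francis asks about, where the host's own keytab is used and gssproxy acquires user tickets through constrained delegation (`impersonate = yes`). The keytab paths are assumptions; the IPA service principal must also be authorized for protocol-transition delegation on the KDC side for the second variant to work, which this fragment cannot express.

```ini
# Added example gssproxy.conf fragment; paths are placeholders.
#
# Variant A: keytab-based client initiation. Each local user that mounts the
# share needs a keytab holding that user's Kerberos keys, stored at
# /var/lib/gssproxy/clients/<uid>.keytab (%U expands to the numeric UID).
# The resulting ticket cache is also keyed by UID, so the identity the NFS
# server sees is the same POSIX user that initiated the request.
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

# Variant B: user impersonation via constrained delegation. No per-user
# keytab or user ticket is present on the client; gssproxy authenticates as
# the host principal in /etc/krb5.keytab and requests tickets on behalf of
# the calling UID (S4U2Self/S4U2Proxy). The KDC must permit this for the
# host's principal, otherwise the request is refused.
# Use either this section or the one above, not both.
#[service/nfs-client]
#  mechs = krb5
#  cred_store = keytab:/etc/krb5.keytab
#  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
#  cred_usage = initiate
#  allow_any_uid = yes
#  trusted = yes
#  euid = 0
#  impersonate = yes
```

With variant A the client is limited to users whose keytabs exist on the machine, so a missing keytab means a failed mount for that user rather than a silent fallback. With variant B the host effectively holds authority to act as any local UID, so the KDC-side delegation rule is what bounds the blast radius if the host keytab is exposed; keep that rule scoped to the NFS service principals the host genuinely needs.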