Mapping GSS Credentials to UNIX Credentials
The Kerberos service provides a default mapping of GSS credential names to UNIX
user IDs (UIDs) for GSS applications that require this mapping, such as NFS.
GSS credential names are equivalent to Kerberos principal names when using the Kerberos
service. The default mapping algorithm is to take a one component Kerberos principal
name and use that component, which is the primary name of the principal,
to look up the UID. The look up occurs in the default realm
or any realm that is allowed by using the auth_to_local_realm parameter in /etc/krb5/krb5.conf.
For example, the user principal name [email protected] is mapped to the UID of
the UNIX user named bob using the password table. The user principal name bob/[email protected]
would not be mapped, because the principal name includes an instance component of
admin. If the default mappings for the user credentials are sufficient, the GSS
credential table does not need to be populated. In past releases, populating the
GSS credential table was required to get the NFS service to work. If
the default mapping is not sufficient, for example if you want to map
a principal name which contains an instance component, then other methods should be
used. For more information see: