On 12/25/18 9:49 PM, Theodore Y. Ts'o wrote:
> Now, I believe you *could* configure in the mapping database 
> that authentication from some Kerberos principal such as 
> "tytso/root@ATHENA.MIT.EDU" or "host/cwcc.mit.edu@ATHENA.MIT.EDU" (you 
> can use service principals from a Kerberos keytab as a client principal 
> for the purposes of machine authentication) should be mapped to uid 0.

Ted, you ultimately pointed me down the proper path.

My first few attempts at implementing what you were suggesting, 
including (re)using the host/client.sub.domain.tld@REALM, didn't work 
out as desired.

After much trial and tribulation, I did manage to get it working using a 
different principal, root/client.sub.domain.tld@REALM.

See my previous reply to my original message for more details.

Thank you again for the very detailed reply Ted.



-- 
Grant. . . .
unix || die