Re: krb5_aname_to_localname() issue
daemon@ATHENA.MIT.EDU (Bjørn Tore Sund)
Sat Jun 6 06:55:17 2009
Message-ID: <4A2A4AC5.9010504@it.uib.no>
Date: Sat, 06 Jun 2009 12:53:57 +0200
From: Bjørn Tore Sund <bjorn.sund@it.uib.no>
MIME-Version: 1.0
To: Guillaume Rousse <Guillaume.Rousse@inria.fr>
In-Reply-To: <4A269123.7030204@inria.fr>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Guillaume Rousse wrote:
> Hello list.
>
> We use apache-mod_auth_kerb 5.4 with the
> KrbLocalUserMapping directive, which allows mapping the user string foo@REALM
> to foo through the krb5_aname_to_localname() function.
>
> However, while it works perfectly with principals from the local domains,
> it doesn't with principals from other domains for which a trust
> relationship is established:
> krb5_aname_to_localname() found no mapping for principal
> garet@LILLE.FUTURS.INRIA.FR
>
> According to krb5_aname_to_localname man page, this is quite normal:
> This function takes a principal name, verifies that it is in the local
> realm (using krb5_get_default_realms())
>
> The man page for krb5_get_default_realms() seems to imply there could be
> several default realms, but I didn't find any way to configure that in
> krb5.conf (default_realm only takes one).
>
> So, how can I also map principals from other trusted realms?
Here is the setting I use in /etc/krb5.conf on machines in the
UNIX.UIB.NO realm to ensure that mapping works from all *.UIB.NO realms
(including UIB.NO):
[realms]
UNIX.UIB.NO = {
auth_to_local = RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//
}
Rather cryptic, I know, but it is well documented, and using Google it
should be fairly easy to find other examples of how to use it.
-BT
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund@it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
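The following is an added example, not part of the thread above and not code from MIT Kerberos or mod_auth_kerb. It is a small Python model of how an auth_to_local RULE line is evaluated, so that the rule posted above can be tried against sample principals (all constructed) before it is put into krb5.conf. Assumptions, stated here and in the comments: the rule is parsed as `RULE:[n:format](regexp)s/pattern/replacement/[g]`, `$0` expands to the realm and `$1`..`$n` to the principal components, the regexp must match the whole formatted string, and Python `re` is used in place of the POSIX extended regular expressions the real library uses, which is close enough for rules of this shape.

```python
import re
from typing import List, Optional, Tuple

# Rule layout assumed by this model (see lead-in):
#   RULE:[n:format](regexp)s/pattern/replacement/[g]  (regexp and sed parts optional)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(s/.*|)$")
# One s/pattern/replacement/[g] clause; handles backslash-escaped slashes.
SED_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(princ: str) -> Tuple[List[str], str]:
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'); realm is '' if absent."""
    if "@" in princ:
        name, realm = princ.rsplit("@", 1)
    else:
        name, realm = princ, ""
    return name.split("/"), realm


def apply_rule(rule: str, princ: str) -> Optional[str]:
    """Return the local name the rule yields for princ, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    ncomp, fmt, regexp, seds = int(m.group(1)), m.group(2), m.group(3), m.group(4)

    comps, realm = split_principal(princ)
    # [n:...] only applies to principals with exactly n components.
    if len(comps) != ncomp:
        return None

    # Assumption: $0 is the realm, $1..$n the components, unknown $k becomes ''.
    vars_ = {"0": realm}
    vars_.update({str(i + 1): c for i, c in enumerate(comps)})
    s = re.sub(r"\$(\d+)", lambda mm: vars_.get(mm.group(1), ""), fmt)

    # Assumption: the selection regexp must cover the whole formatted string.
    if regexp is not None:
        rm = re.match(regexp, s)
        if rm is None or rm.end() != len(s):
            return None

    # Apply the sed-style substitutions left to right; 'g' replaces all matches.
    for pat, repl, g in SED_RE.findall(seds):
        s = re.sub(pat, repl, s, count=0 if g else 1)
    return s


def map_principal(rules: List[str], princ: str) -> Optional[str]:
    """First matching rule wins, mirroring a multi-line auth_to_local setting."""
    for rule in rules:
        out = apply_rule(rule, princ)
        if out is not None:
            return out
    return None


# The rule from the post above, verbatim.
POSTED_RULE = "RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//"

# A constructed tighter variant: realm suffix escaped and anchored, so the
# unescaped '.' and the leading '.*' of the posted rule no longer admit
# look-alike realm names such as NOTUIB.NO or UIBXNO.
STRICT_RULE = r"RULE:[1:$1@$0](^[^@]+@(UNIX\.)?UIB\.NO$)s/@.*//"

if __name__ == "__main__":
    # Constructed sample principals; none of these names are taken from the thread
    # except the INRIA one the original poster quoted.
    for p in ["bts@UNIX.UIB.NO", "ola@UIB.NO", "host/foo.uib.no@UNIX.UIB.NO",
              "garet@LILLE.FUTURS.INRIA.FR", "eve@NOTUIB.NO"]:
        print("%-32s posted=%-6s strict=%s" % (p, apply_rule(POSTED_RULE, p),
                                               apply_rule(STRICT_RULE, p)))
```

Running the block shows that the posted rule maps one-component principals from UNIX.UIB.NO and UIB.NO to their bare user names, skips service principals (two components), and rejects the INRIA principal from the original question, which is what the poster wanted for their own realms. It also shows that, because the realm part of the regexp is written as `.*UIB.NO` with unescaped dots, a principal from a realm such as NOTUIB.NO would be mapped as well; listing the trusted realms explicitly, as the constructed STRICT_RULE does, keeps the mapping limited to the realms the administrator actually intends to treat as local.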