[31240] in Kerberos


RE: krb5_aname_to_localname() issue

daemon@ATHENA.MIT.EDU (miguel.sanders@arcelormittal.com)
Sat Jun 6 08:43:15 2009

MIME-Version: 1.0
Date: Sat, 6 Jun 2009 14:41:46 +0200
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206C11274@GEN-MXB-V04.msad.arcelor.net>
In-Reply-To: <4A2A4AC5.9010504@it.uib.no>
From: miguel.sanders@arcelormittal.com
To: bjorn.sund@it.uib.no, Guillaume.Rousse@inria.fr
Content-class: urn:content-classes:message
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Very cryptic indeed, especially when you want to play around with all instance components.
It was more like trial and error for me tbh. 


With kind regards
Best regards
Kind regards

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders@arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Bjørn Tore Sund
Sent: Saturday 6 June 2009 12:54
To: Guillaume Rousse
CC: kerberos@mit.edu
Subject: Re: krb5_aname_to_localname() issue

Guillaume Rousse wrote:
> Hello list.
> 
> We use apache-mod_auth_kerb 5.4, with the
> KrbLocalUserMapping directive, which allows mapping the foo@REALM user string 
> to foo through the krb5_aname_to_localname() function.
> 
> However, while it works perfectly with principals from the local 
> domains, it doesn't with principals from other domains, for which a 
> trust relationship is established:
> krb5_aname_to_localname() found no mapping for principal 
> garet@LILLE.FUTURS.INRIA.FR
> 
> According to krb5_aname_to_localname man page, this is quite normal:
> This function takes a principal name, verifies that it is in the local
>       realm (using krb5_get_default_realms())
> 
> The man page for krb5_get_default_realms() seems to imply there could 
> be several default realms, but I didn't find any way to configure it 
> in krb5.conf (default_realm only takes one).
> 
> So, how can I also map principals from other trusted realms?

Here is the setting I use in /etc/krb5.conf on machines in the UNIX.UIB.NO realm to ensure that mapping works from all *.UIB.NO realms (including UIB.NO):

[realms]
  UNIX.UIB.NO = {
     auth_to_local = RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//
  }


Rather cryptic, I know, but it is well documented and using Google it should be fairly easy to find other examples of how to use it.

-BT
-- 
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund@it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos



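As an added example (not code from this thread or from MIT krb5), the following Python evaluator mimics how MIT krb5 applies auth_to_local entries, so a rule like the one in the reply can be checked against sample principals before it goes into krb5.conf. DEFAULT only maps single-component principals of the local realm, which is exactly why the asker's cross-realm principal got "found no mapping"; a RULE builds a selection string from the realm and components, requires the regex to match that whole string, and applies the s/// substitutions to it. The INRIA rule is a constructed guess for the asker's realm (not from the thread), with dots escaped because an unescaped '.' in a rule regex matches any character.

```python
import re

# Added example, not code from the thread or from MIT krb5: a small evaluator
# for auth_to_local entries.  DEFAULT maps only one-component principals of the
# local realm; RULE:[n:sel](regex)s/pat/repl/[g] expands $0 (realm) and $1..$n
# (components) into a selection string, regex-matches it whole, then substitutes.
RULE_RE = re.compile(r'^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$')
SUBST_RE = re.compile(r's/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)')

UIB_RULE = 'RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//'          # the rule from the reply
INRIA_RULE = r'RULE:[1:$1@$0](.*@.*\.INRIA\.FR)s/@.*//'  # constructed, dots escaped

def split_principal(principal):
    """'comp1/comp2@REALM' -> (['comp1', 'comp2'], 'REALM')."""
    name, _, realm = principal.rpartition('@')
    return name.split('/'), realm

def apply_rule(rule, principal):
    """Local name the RULE yields for principal, or None when it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError('malformed rule: ' + rule)
    ncomp, selector, match_re, subs = m.groups()
    comps, realm = split_principal(principal)
    if len(comps) != int(ncomp):
        return None                     # [n:...] fires only for n-component names
    sel = selector.replace('$0', realm)
    for i, comp in enumerate(comps, 1):
        sel = sel.replace('$%d' % i, comp)
    # Whole-string match as in MIT krb5, so no trailing-suffix trick; but the
    # unescaped '.' in '.*UIB.NO' still matches any character ('foo@UIBXNO').
    if match_re is not None and re.fullmatch(match_re, sel) is None:
        return None
    for pat, repl, g in SUBST_RE.findall(subs):
        sel = re.sub(pat, repl, sel, count=0 if g else 1)
    return sel

def map_principal(rules, principal, default_realm):
    """First rule that yields a name wins; None is the 'found no mapping' case."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == 'DEFAULT':
            if realm == default_realm and len(comps) == 1:
                return comps[0]
        else:
            name = apply_rule(rule, principal)
            if name is not None:
                return name
    return None
```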

