Documentation of auth_to_local
daemon@ATHENA.MIT.EDU (Brian Candler)
Thu Sep 30 07:17:02 2010
Date: Thu, 30 Sep 2010 12:16:52 +0100
From: Brian Candler <B.Candler@pobox.com>
To: kerberos@mit.edu
I have been trying out Kerberos under CentOS 5.5, which claims to include
MIT kerberos version 1.6.1:
# rpm -qi krb5-server
Name : krb5-server Relocations: (not relocatable)
Version : 1.6.1 Vendor: CentOS
...
URL : http://web.mit.edu/kerberos/www/
Now, in the administrator's guide on the web at
http://web.mit.edu/Kerberos/krb5-1.4/krb5-1.4/doc/krb5-admin.html#realms%20(krb5.conf)
http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#realms-_0028krb5_002econf_0029
http://web.mit.edu/Kerberos/krb5-1.7/krb5-1.7.1/doc/krb5-admin.html#realms%20(krb5.conf)
it gives the following example usage of auth_to_local:
[realms]
ATHENA.MIT.EDU = {
auth_to_local = {
RULE:[2:$1](johndoe)s/^.*$/guest/
RULE:[2:$1;$2](^.*;admin$)s/;admin$//
RULE:[2:$2](^.*;root)s/^.*$/root/
DEFAULT
}
}
However, this doesn't work for me. Even just
[realms]
BAR.EXAMPLE.COM = {
...
auth_to_local = {
DEFAULT
}
}
was rejected. sshd logs showed:
debug1: userauth-request for user candlerb service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 1
debug1: An invalid name was supplied
Improper format of Kerberos configuration file
However, the following seems to work just fine:
[realms]
BAR.EXAMPLE.COM = {
kdc = kdc.bar.example.com:88
admin_server = kdc.bar.example.com:749
default_domain = bar.example.com
auth_to_local = RULE:[1:$1@$0](^.*@FOO\.EXAMPLE\.COM$)s/@FOO.EXAMPLE.COM$//
auth_to_local = DEFAULT
}
Based on that, I think the documentation should show:
[realms]
ATHENA.MIT.EDU = {
auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
auth_to_local = DEFAULT
}
But is it that the version of Kerberos bundled with RedHat/CentOS is
different from the mainline MIT code?
Regards,
Brian Candler.
P.S. The hint to try a different format of auth_to_local came from
http://www.fnal.gov/docs/strongauth2003/html/krb5conf.html
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
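As an added illustration (this is not MIT krb5 code and not part of the original post), the toy evaluator below shows what the working one-rule-per-line form above actually expresses: each `RULE:[n:string](regexp)s/pattern/replacement/[g]` is tried in order against a principal whose component count is `n`, `$0` is substituted with the realm and `$1..$n` with the components, the selector regexp must match the formatted string, and the `s///` substitution produces the local name; `DEFAULT` maps a single-component principal in the default realm to its first component and nothing else. Assumptions made here that the post does not state: the selector must match the whole formatted string, the replacement text is taken literally, Python's `re` stands in for the POSIX regex engine, and principals with escaped `/` or `@` are not handled. The sample principals and the `ATHENA_RULES` / `BAR_RULES` lists are constructed from the two configs quoted in the post.

```python
"""Toy evaluator for krb5.conf auth_to_local rules (illustration only, not MIT code)."""
import re
from typing import List, Optional, Tuple

# Shape of one rule: RULE:[n:string](regexp)s/pattern/replacement/[g]
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/(g?)$")


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm).

    Assumption: plain names only; escaped '/' or '@' are not handled.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def _format(fmt: str, components: List[str], realm: str) -> str:
    """Expand $0 (realm) and $1..$n (components) inside the rule's format string."""
    def repl(m: "re.Match[str]") -> str:
        i = int(m.group(1))
        if i == 0:
            return realm
        if i > len(components):
            raise ValueError("rule references $%d but principal has %d components"
                             % (i, len(components)))
        return components[i - 1]
    return re.sub(r"\$(\d+)", repl, fmt)


def apply_rule(rule: str, components: List[str], realm: str,
               default_realm: str) -> Optional[str]:
    """Return the local name this rule yields, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT: single-component principal in the default realm -> that component
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError("malformed rule: %r" % rule)
    ncomp, fmt, selector, pattern, replacement, gflag = m.groups()
    if int(ncomp) != len(components):
        return None                      # rule is for a different component count
    candidate = _format(fmt, components, realm)
    # Assumption in this toy: the selector must match the whole formatted string
    if re.fullmatch(selector, candidate) is None:
        return None
    # Replacement is taken literally (no backreferences); 'g' flag = replace all
    return re.sub(pattern, lambda _m: replacement, candidate,
                  count=0 if gflag else 1)


def map_principal(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """First rule that applies wins; None means no local mapping (access should fail)."""
    components, realm = parse_principal(principal)
    for rule in rules:
        result = apply_rule(rule, components, realm, default_realm)
        if result is not None:
            return result
    return None


# Constructed rule sets, taken from the two krb5.conf fragments quoted in the post.
ATHENA_RULES = [
    "RULE:[2:$1](johndoe)s/^.*$/guest/",
    "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    "DEFAULT",
]
BAR_RULES = [
    r"RULE:[1:$1@$0](^.*@FOO\.EXAMPLE\.COM$)s/@FOO.EXAMPLE.COM$//",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("johndoe/x@ATHENA.MIT.EDU", "alice/admin@ATHENA.MIT.EDU",
              "bob@ATHENA.MIT.EDU", "bob@OTHER.EXAMPLE"):
        print(p, "->", map_principal(ATHENA_RULES, p, "ATHENA.MIT.EDU"))
    for p in ("candlerb@FOO.EXAMPLE.COM", "candlerb@BAR.EXAMPLE.COM",
              "candlerb/admin@BAR.EXAMPLE.COM", "candlerb@FOO.EXAMPLE.COM.OTHER.EXAMPLE"):
        print(p, "->", map_principal(BAR_RULES, p, "BAR.EXAMPLE.COM"))
```

Two things worth noticing when running it: a principal from a realm that no rule and no `DEFAULT` covers maps to nothing, which is the safe outcome, and the `$` anchor in the `FOO\.EXAMPLE\.COM$` selector is what keeps a realm that merely starts with `FOO.EXAMPLE.COM` from being accepted by the cross-realm rule.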