[38954] in Kerberos


AW: gss_localname() with multiple KDC/User Directories + Apache +

daemon@ATHENA.MIT.EDU (Tobias Kritten (EXT))
Tue Jul 20 12:17:04 2021

From: "Tobias Kritten (EXT)" <tk@dogado.de>
To: Greg Hudson <ghudson@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Tue, 20 Jul 2021 16:13:48 +0000
Message-ID: <AM9PR08MB6708BB3C2CB3D9ABECF4F266CCE29@AM9PR08MB6708.eurprd08.prod.outlook.com>
In-Reply-To: <fe1fabf2-618e-8318-028f-3f08fe1a3930@mit.edu>
Content-Language: de-DE
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Greg,

thanks for your quick help!

> auth_to_local is always looked up in the default realm, not in the realm of
> the principal being authorized.  This is why the rule has to do the annoying
> dance of explicitly including the realm in the [] part, matching it in the () part,
> and removing it in the s// part.  Fixing this historical botch isn't trivial since the
> obvious fixes would be likely to break existing deployments.  (The same
> problem applies to auth_to_local_names, which is even worse since there's
> no workaround aside from not doing any cross-realm.)

Moving the auth_to_local directive into the default realm solved the issue - thank you so much! :-)

Best,
Tobias

--
Kind regards from Dortmund,
Tobias Kritten (EXT), Head of Internal IT
________________________________
dogado GmbH
Antonio-Segni-Straße 11
44263 Dortmund


Hotline:        +49 (231) 28 66 200
Fax:    +49 (231) 28 66 20 20
Website:        http://www.dogado.de
Profile on XING:        http://www.xing.com/companies/dogado
The Cloud Sourcing Blog:        http://www.dogado.de/blog
Twitter:        https://twitter.com/dogado
Facebook:       https://www.facebook.com/dogado
Technical support:    support@dogado.de

Registered office: Dortmund; Commercial register: HRB 19737, Amtsgericht Dortmund;
VAT ID: DE249338561; Managing directors: Marcel Chorengel, Daniel Hagemeier, Ralph Cammerrath, Claus Boyens

________________________________

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
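
The fix described in this message, as an added example that is not part of the original thread: a krb5.conf fragment with the cross-realm rule moved under the default realm and written in the [ ] / ( ) / s// pattern Greg describes. The realm names EXAMPLE.COM and PARTNER.EXAMPLE are placeholders, not the poster's realms.

```ini
# Constructed krb5.conf fragment. EXAMPLE.COM and PARTNER.EXAMPLE are
# placeholder realm names chosen for this example.

[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
# auth_to_local is read from the default realm's section for every
# principal being authorized, including principals from other realms.
#
#   [1:$1@$0]               one-component principals only; builds "name@REALM"
#                           so the realm ($0) is visible to the match
#   (.*@PARTNER\.EXAMPLE)   accept only names from the partner realm
#   s/@.*//                 strip the realm again to get the local name
        auth_to_local = RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/@.*//

# Principals of the default realm keep the usual one-to-one mapping.
        auth_to_local = DEFAULT
    }

    PARTNER.EXAMPLE = {
# Before the fix: the rule sat here. While default_realm is EXAMPLE.COM
# this section is not consulted for auth_to_local, so the mapping for
# user@PARTNER.EXAMPLE was never applied.
#
#       auth_to_local = RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/@.*//
    }
```

Stripping the realm maps alice@PARTNER.EXAMPLE onto the same local account as alice@EXAMPLE.COM, so this form is only appropriate when both realms share one user namespace.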

