libapache2-mod-auth-kerb and cross-realm
Jaap Winius
jwinius at umrk.nl
Thu Aug 14 16:47:36 EDT 2014
On Thu, 14 Aug 2014 09:56:35 -0400, Simo Sorce wrote:
> Keep in mind that this will make foo at MYREALM.COM and foo at EXAMPLE.COM
> effectively the same user...
Yes, a nuance that did not escape me. In fact, I imagined that it was for
security reasons that auth_to_local could only be applied to members of
the default realm. This meant Greg's solution and explanation were all the
more surprising to me.
> .. for all applications (including Apache and SSH).
Like I said in my last post, I was worried about that too, but for SSH at
least it appears not to be a problem: I can use it to connect to the same
host, run klist and see that I still have a MYREALM.COM tgt. OpenAFS
doesn't care either. However, I haven't yet tested this with all of the
other services.
> If you do not want that what you can do is to change the first line to
> something like:
> auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/^\(.*\)@MYREALM.COM$/myrealm-\1/
An excellent idea! However, your syntax here is a bit buggy. The
parentheses in the first half of the substitution string should not be
escaped, while the '\1' in the replacement doesn't work; it gets
translated literally, just as $1 is. (Why doesn't it work?)
> or:
> auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/@myrealm.com/
This works in principle, but an entry shows up in the Apache error log if
the resulting string has more than 14 characters (even if a string to
match it exists in the 'require user' list):
krb5_aname_to_localname() failed: Insufficient space to return complete information
So I came up with this slight modification of your second method:
RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/-m/
This gives 'foo at MYREALM.COM => foo-m' and will work for users with login
names that have up to 12 characters.
Cheers,
Jaap
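As an added example, not code from this thread, mod_auth_kerb or MIT krb5: a small Python evaluator for the auth_to_local RULE lines discussed above. It assumes the selector must match the whole formatted name and that the sed-style replacement is inserted literally (as the observation about '\1' suggests), and it flags results longer than the 14 characters mod_auth_kerb accepted in the post.

```python
import re

# Longest local name mod_auth_kerb accepted in the thread above: an
# observation from the post, not a constant taken from any source code.
MAX_LOCALNAME = 14

# RULE:[n:format](selector)s/regexp/replacement/[g]...  (selector optional)
RULE_RE = re.compile(r'^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(s/.*)?$')
SUBST_RE = re.compile(r's/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)')

def format_principal(principal, ncomp, fmt):
    """Expand $0 (realm) and $1..$n (name components), e.g. [1:$1@$0]."""
    name, realm = principal.rsplit('@', 1)
    comps = name.split('/')
    if len(comps) != ncomp:
        return None                  # component count differs: rule skipped
    return re.sub(r'\$(\d+)',
                  lambda m: realm if m.group(1) == '0' else comps[int(m.group(1)) - 1],
                  fmt)

def apply_rule(rule, principal):
    """Evaluate one auth_to_local RULE line; return the local name or None."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError('not a RULE line: %r' % rule)
    ncomp, fmt, selector, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4) or ''
    s = format_principal(principal, ncomp, fmt)
    # assumption: the selector must match the whole formatted name
    if s is None or (selector is not None and not re.fullmatch(selector, s)):
        return None
    for pat, repl, g in SUBST_RE.findall(substs):
        # assumption from the post: the replacement is inserted literally,
        # so a '\1' backreference is copied verbatim rather than expanded
        s = re.sub(pat, lambda _m: repl, s, count=0 if g else 1)
    return s

def map_principal(rules, principal):
    """Return (localname, fits) for the first matching rule, else (None, False)."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local, len(local) <= MAX_LOCALNAME
    return None, False

if __name__ == '__main__':
    rule = 'RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/-m/'
    for p in ('foo@MYREALM.COM', 'abcdefghijklm@MYREALM.COM', 'foo@EXAMPLE.COM'):
        print(p, '->', map_principal([rule], p))
```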