Is there a field in krb5.conf where you can do the reverse of auth_to_local? One that provides a mapping of local user IDs to Kerberos principals before authentication?

The reason I ask is: Primarily I have seen that technologies like Kerberos are used in an environment where the images, in this case multiple Linux images, are considered as commodity compute resources and it did not matter what machine you authenticated with. I could log in to any one of the images as 'jin' and I would have the same authority. However, in our environment one person having access to a web server shouldn't have the same access to another machine in the same Realm.

The reason I want to attach the hostname as the Kerberos instance is that I'd like to specify in Kerberos which machines this user has access to. This way of defining user name space could be used to segregate root (or any other system management ID) on the various images while allowing the general population to access resources as needed.

Thanks,
Jin