[krbdev.mit.edu #6677] auth_to_local_names is useless

Peter Eriksson via RT rt-comment at krbdev.mit.edu
Fri Mar 5 18:26:18 EST 2010


Problem:

I want to allow users to authenticate either using our local
username/password (our local Kerberos server) *or* the new
university-wide username/password (another Kerberos server). For example
I should be able to login using either:

    peter86@LIU.SE

or

    peter@IFM.LIU.SE

and both should map to the local Unix user "peter". To allow this I
thought the krb5.conf "auth_to_local_names" would be the right way to
solve it, by simply including a list of principal <-> username mappings.
But alas, that doesn't seem to work....


Here's a sample krb5.conf file:

> [libdefaults]
>         default_realm = IFM.LIU.SE
>
> [realms]
>         IFM.LIU.SE = {
>                 kdc = as-slave-1.ifm.liu.se
>                 kdc = as-slave-2.ifm.liu.se
>                 kdc = as-master.ifm.liu.se
>                 admin_server = as-master.ifm.liu.se
>                 auth_to_local_realm = AD.IFM.LIU.SE
>                 auth_to_local_names = {
>                         peter86@LIU.SE = peter
>                 }
>         }
>
>         AD.IFM.LIU.SE = {
>                 kdc = ad-master.ad.ifm.liu.se
>                 kdc = ad-slave.ad.ifm.liu.se
>                 admin_server = ad-master.ifm.liu.se
>                 kpasswd_protocol = SET_CHANGE
>         }
>
>         LYSATOR.LIU.SE = {
>                 kdc = as-master.lysator.liu.se
>                 kdc = as-slave.lysator.liu.se
>                 admin_server = as-master.lysator.liu.se
>         }
>
>         LIU.SE = {
>                 kdc = bulldog.unit.liu.se
>                 admin_server = bulldog.unit.liu.se
>         }

This correctly maps "peter@IFM.LIU.SE" to "peter". And via the
"auth_to_local_realm" (a Solaris-specific extension I think) also
correctly maps "peter@AD.IFM.LIU.SE" to "peter".

But not "peter86@LIU.SE"... It doesn't work since the code in
lib/krb5/os/an_to_ln.c:krb5_aname_to_localname() calls the function
aname_full_to_mapping_name() which drops the realm stuff from the
principal before looking up the mapping. If I change "peter86@LIU.SE" to
just "peter86" things work better (i.e. the mapping takes place).

However... That will also map "peter86@LYSATOR.LIU.SE" to "peter" which
is really wrong. Or "peter86@HACKERS-R-US.RU" for that matter.
Making the thing completely useless...

I'm curious if there exists anyone anywhere that is using the
auth_to_local_name stuff as it currently stands...

Btw, when investigating this issue I found this old mail from 2003:
http://mailman.mit.edu/pipermail/krbdev/2003-November/002064.html

The same code seems to be in Kerberos 1.8 as it was then (and the same
seems to be in OpenSolaris)...

- Peter
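The lookup behaviour the report describes, as an added model that is not MIT krb5's code and not part of the original message: `lookup_realm_stripped` consults the mapping table the way the report says an_to_ln.c does (realm discarded before the table is consulted), `lookup_realm_qualified` is the realm-aware lookup the reporter expected, and `default_rule` is krb5's implicit rule that a single-component principal in the default realm maps to that component. The function and table names are invented here, the principals and realms are the ones from the report, and the Solaris auth_to_local_realm extension is not modelled. Running it shows why the realm-stripped lookup either never matches a realm-qualified key (the config as written) or matches the bare name in every realm (the workaround), while the realm-aware lookup maps only the configured principal.

```python
# Added illustration (not MIT krb5 code): two ways a krb5.conf
# auth_to_local_names table can be consulted. Function and table names are
# invented for this example; the principals come from the bug report.
from typing import Dict, List, Optional, Tuple

DEFAULT_REALM = "IFM.LIU.SE"  # default_realm from the reported krb5.conf

# The table exactly as written in the report (realm-qualified key).
QUALIFIED_TABLE: Dict[str, str] = {"peter86@LIU.SE": "peter"}

# The table after the reporter's workaround: realm dropped from the key.
BARE_TABLE: Dict[str, str] = {"peter86": "peter"}


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'); reject malformed input."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def default_rule(principal: str) -> Optional[str]:
    """The implicit rule krb5 applies when no explicit mapping matches: a
    single-component principal in the default realm maps to that component;
    everything else has no local name."""
    components, realm = parse_principal(principal)
    if realm == DEFAULT_REALM and len(components) == 1:
        return components[0]
    return None


def lookup_realm_stripped(principal: str, table: Dict[str, str]) -> Optional[str]:
    """Model of the behaviour the report describes in an_to_ln.c: the realm is
    discarded before the table is consulted, so a key can only ever be a bare
    name, and that name then matches in *every* realm."""
    components, _realm = parse_principal(principal)
    key = "/".join(components)  # realm is gone before the lookup
    if key in table:
        return table[key]
    return default_rule(principal)


def lookup_realm_qualified(principal: str, table: Dict[str, str]) -> Optional[str]:
    """The lookup the reporter expected: the full principal, realm included,
    is the key, so a mapping cannot be satisfied by a same-named principal
    from an unrelated realm."""
    components, realm = parse_principal(principal)
    key = "/".join(components) + "@" + realm
    if key in table:
        return table[key]
    return default_rule(principal)


# Constructed inputs: the principals discussed in the report.
PRINCIPALS = [
    "peter@IFM.LIU.SE",         # local realm, should map via the default rule
    "peter86@LIU.SE",           # the university account the mapping is for
    "peter86@LYSATOR.LIU.SE",   # same name, different realm: must NOT map
    "peter86@HACKERS-R-US.RU",  # same name, hostile realm: must NOT map
]


def compare() -> Dict[str, Dict[str, Optional[str]]]:
    """Run every principal through the three configurations discussed."""
    return {
        "as_written": {p: lookup_realm_stripped(p, QUALIFIED_TABLE) for p in PRINCIPALS},
        "workaround": {p: lookup_realm_stripped(p, BARE_TABLE) for p in PRINCIPALS},
        "realm_aware": {p: lookup_realm_qualified(p, QUALIFIED_TABLE) for p in PRINCIPALS},
    }


if __name__ == "__main__":
    for config, results in compare().items():
        print(config)
        for principal, local in results.items():
            print(f"  {principal:26} -> {local}")
```

The "workaround" row is the one to watch: once the key is a bare name, a host that trusts any of the listed realms will hand the "peter" account to a "peter86" from any of them, which is exactly the LYSATOR.LIU.SE / HACKERS-R-US.RU outcome the report objects to.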
