Cross-realm trust
Sam Hartman
hartmans at MIT.EDU
Fri Feb 15 13:24:46 EST 2002
>>>>> "Philippe" == Philippe Perrin <philippeperrin at yahoo.com> writes:
Philippe> Hello
Philippe> I'm now willing to allow users authenticated in REALM1 to use services of
Philippe> REALM2. I configured everything as I think I should have, and then I made a
Philippe> user authenticate in REALM1, and used a telnet server in REALM2. The only
Philippe> way I found to make it work was to add a ~/.k5login file containing
Philippe> "user at REALM1" on the server.
Philippe> How could I avoid writing such files for every user ? Can I make this server
That's how it should work. Cross realm keys only enable
authentication between the two realms; they say nothing about
authorization.
There's a function called krb5_aname_to_lname that maps principals
into local user names. You might be able to configure this function
to do what you need. Unfortunately, I forget how this function is
configured. I'm not sure if there is any better documentation than
the source; look at src/lib/krb5/os/an_to_ln.c.
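As an added illustration (not part of Sam's reply or of the MIT code he points to), the `auth_to_local` tags in the server's `krb5.conf` are the configuration that drives `krb5_aname_to_lname`. The realm names REALM1 and REALM2 come from the thread; the KDC hostnames and the rule itself are assumptions written for this example and should be adjusted to the deployment:

```ini
; /etc/krb5.conf on the telnet server in REALM2 (example fragment, not from the original post)
[libdefaults]
    default_realm = REALM2

[realms]
    ; auth_to_local is read from the entry for the server's own (default) realm.
    ; Rules are tried in order; the first one that matches wins.
    REALM2 = {
        kdc = kdc.realm2.example            ; assumed hostname
        admin_server = kdc.realm2.example   ; assumed hostname
        ; [1:$1@$0] formats one-component principals as "user@REALM";
        ; the regexp restricts the rule to REALM1 principals whose name is
        ; plain lowercase alphanumerics, and the s// strips the realm,
        ; so "philippe@REALM1" maps to the local user "philippe".
        auth_to_local = RULE:[1:$1@$0](^[a-z][a-z0-9]*@REALM1$)s/@REALM1$//
        ; DEFAULT keeps the built-in behaviour for REALM2's own principals.
        auth_to_local = DEFAULT
    }
```

With a rule like this in place, `krb5_kuserok` on the server accepts `philippe@REALM1` as the local account `philippe` even though no `~/.k5login` exists; if a `~/.k5login` does exist for that account, it takes precedence and the principal must be listed in it. Note what the rule does to the trust boundary: any REALM1 principal matching the pattern becomes the like-named local user, so REALM1's KDC administrators can effectively act as those users on this host. Keep the regexp as narrow as the deployment allows and make sure it cannot match privileged local names such as `root`.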