auth_to_local
Douglas E. Engert
deengert at anl.gov
Thu Aug 31 09:57:33 EDT 2006
Try something like what we used to use, see below.
This basically says if it is in the other realm, drop the
@realm from the principal to get the local username.
Markus Moeller wrote:
> I am not sure if I understand the rules. I have two domains which trust each
> other and I'd like to avoid the use of a .k5login to allow a user of one
> domain to login into a system of the other. Can I do the following ?
>
> On a host server.a.com can I have a config file like:
>
> [libdefaults]
> default_realm = A.COM
>
> [realms]
> A.COM = {
> kdc = kdc.a.com
> admin_server = kdc.a.com
> auth_to_local = {
> RULE:[1:$1](.*@A.COM)s/@.*/-a/
RULE:[1:$1@$0](^.*@B.COM$)s/@B.COM//
> DEFAULT
> }
> }
> B.COM = {
> kdc = kdc.b.com
> admin_server = kdc.b.com
> auth_to_local = {
> RULE:[1:$1](.*@B.COM)s/@.*/-b/
RULE:[1:$1@$0](^.*@A.COM$)s/@A.COM//
> DEFAULT
> }
> }
> [domain_realm]
> .a.com = A.COM
> .b.com = B.COM
>
> which maps a user at A.COM to user-a and a user at B.COM to user-b ? I am also
> not sure if I login as user at B.COM on server.a.com will the realm section for
> A.COM be used or the section for B.COM ?
>
> Is there a way to debug/test the rules ?
>
> Thank you
> Markus
>
>
> "Russ Allbery" <rra at stanford.edu> wrote in message
> news:87veoc71xu.fsf at windlord.stanford.edu...
>
>>Markus Moeller <huaraz at moeller.plus.com> writes:
>>
>>
>>>Is there anywhere a documentation of how to use RULES with auth_to_local
>>>?
>>
>>Yeah, it's in the info documentation, in the krb5-admin doc under
>>Configuration Files / krb5.conf / realms.
>>
>>--
>>Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
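On the question of how to test the rules: the sketch below is an added example, not part of the original messages and not MIT krb5 code. It is a simplified Python model of auth_to_local evaluation that runs the rules from this thread against constructed principals. It assumes the rules consulted are those in the default realm's section (A.COM on server.a.com), that a rule's regex must match the whole selection string, and that DEFAULT only accepts single-component principals in the default realm.

```python
import re

# Simplified model of krb5 auth_to_local evaluation, for reasoning about rules.
# Supports RULE:[n:fmt](regex)s/pat/rep/[g] and DEFAULT. POSIX regexes are
# handed to Python's re unchanged, which is fine for the simple ones used here.
RULE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

# Rules copied from the thread, as they would sit in the A.COM realm section.
MARKUS = ["RULE:[1:$1](.*@A.COM)s/@.*/-a/", "DEFAULT"]
ENGERT = ["RULE:[1:$1@$0](^.*@B.COM$)s/@B.COM//", "DEFAULT"]

def to_local(principal, rules, default_realm="A.COM"):
    """Return the local username for principal, or None if no rule applies."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT: single-component principals in the default realm only.
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        m = RULE.match(rule)
        if m is None:
            raise ValueError("unsupported rule: " + rule)
        n, fmt, regex, pat, rep, flag = m.groups()
        if int(n) != len(comps):
            continue  # rule is for a different number of components
        # Build the selection string: $0 is the realm, $1..$n the components.
        s = re.sub(r"\$(\d)", lambda d: ([realm] + comps)[int(d.group(1))], fmt)
        if regex and not re.fullmatch(regex, s):
            continue  # the regex has to match the whole selection string
        if pat is not None:
            s = re.sub(pat, rep, s, count=0 if flag else 1)
        return s
    return None

if __name__ == "__main__":
    # Constructed principals; "alice" is a sample name, not from the thread.
    for label, rules in (("Markus", MARKUS), ("Engert", ENGERT)):
        for p in ("alice@A.COM", "alice@B.COM", "alice/admin@B.COM"):
            print(label, p, "->", to_local(p, rules))
```

In this model the `[1:$1]` rule never fires, because its selection string carries no realm for `.*@A.COM` to match, while the `[1:$1@$0]` rule maps alice@B.COM to `alice`. That is the same local account alice@A.COM gets through DEFAULT, so dropping the realm is only appropriate when both realms assign usernames from one shared namespace.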