krb5_aname_to_localname() issue
Bjørn Tore Sund
bjorn.sund at it.uib.no
Sat Jun 6 06:53:57 EDT 2009
Guillaume Rousse wrote:
> Hello list.
>
> We use apache-mod_auth_kerb 5.4, with the
> KrbLocalUserMapping directive, allowing us to map the foo at REALM user string to
> foo, through the krb5_aname_to_localname() function.
>
> However, while it works perfectly with principals from the local domain,
> it doesn't with principals from other domains, for which a trust
> relationship is established:
> krb5_aname_to_localname() found no mapping for principal
> garet at LILLE.FUTURS.INRIA.FR
>
> According to krb5_aname_to_localname man page, this is quite normal:
> This function takes a principal name, verifies that it is in the local
> realm (using krb5_get_default_realms())
>
> The man page for krb5_get_default_realms() seems to imply there could be
> several default realms, but I didn't find any way to configure it in
> krb5.conf (default_realm only takes one).
>
> So, how can I also map principals from other trusted realms?
Here is the setting I use in /etc/krb5.conf on machines in the
UNIX.UIB.NO realm to ensure that mapping works from all *.UIB.NO realms
(including UIB.NO):
[realms]
UNIX.UIB.NO = {
auth_to_local = RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//
}
Rather cryptic, I know, but it is well documented and, using Google, it
should be fairly easy to find other examples of how to use it.
-BT
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund at it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
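The following is an added example, not part of the thread and not libkrb5 code: a small Python model of how MIT krb5 evaluates auth_to_local, so the RULE from the reply can be exercised offline against constructed principals. It reproduces the rule exactly as posted, shows why the DEFAULT mapping fails for garet at LILLE.FUTURS.INRIA.FR (the behaviour the question describes), and adds a tightened pair of rules (my suggestion, not from the thread) that escape the dots, because the posted selector `.*@.*UIB.NO` treats each `.` as a wildcard and would also accept a realm such as EVILUIBXNO. Assumptions: Python's re stands in for the POSIX regex engine, the selector must match the whole formatted string, rules are tried in order with the first mapping winning, and principals are plain name/instance@REALM with no escaped separators. Realm names, sample principals and the STRICT_RULES are constructed for illustration.

```python
"""Model of MIT krb5 auth_to_local RULE/DEFAULT processing (illustrative,
not libkrb5). Assumes: Python re in place of POSIX ERE, selector must match
the whole formatted string, first matching rule wins."""
import re


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm or not name:
        raise ValueError("principal needs name@REALM: %r" % principal)
    return name.split("/"), realm


def _take_substitution(text):
    """Parse a leading 's/pattern/replacement/[g]'; return parts and the rest."""
    if not text.startswith("s/"):
        raise ValueError("expected s/pattern/replacement/ at %r" % text)
    fields, cur, i = [], [], 2
    while len(fields) < 2:
        if i >= len(text):
            raise ValueError("unterminated substitution in %r" % text)
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # keep escapes for the regex engine
            cur.append(text[i:i + 2])
            i += 2
        elif ch == "/":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    globally = text.startswith("g", i)
    return fields[0], fields[1], globally, text[i + 1 if globally else i:]


def parse_rule(rule):
    """Parse 'RULE:[n:string](regexp)s/pat/rep/g...' into (n, fmt, regexp, subs)."""
    m = re.match(r"RULE:\[(\d+):([^\]]*)\]", rule)
    if not m:
        raise ValueError("bad rule: %r" % rule)
    ncomp, fmt, rest, selector = int(m.group(1)), m.group(2), rule[m.end():], None
    if rest.startswith("("):  # selector ends at the matching ')' (escaped parens not handled)
        depth, end = 0, None
        for i, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                end = i
                break
        if end is None:
            raise ValueError("unbalanced selector in %r" % rule)
        selector, rest = rest[1:end], rest[end + 1:]
    subs = []
    while rest:
        pat, rep, globally, rest = _take_substitution(rest)
        subs.append((pat, rep, globally))
    return ncomp, fmt, selector, subs


def apply_rule(rule, principal, default_realm=None):
    """Return the local name one rule yields for principal, or None."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm,
        # which is why a principal from a trusted foreign realm gets "no mapping".
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    ncomp, fmt, selector, subs = parse_rule(rule)
    if len(comps) != ncomp:
        return None
    values = {"0": realm}
    values.update((str(i + 1), c) for i, c in enumerate(comps))
    formatted = re.sub(r"\$(\d+)", lambda v: values[v.group(1)], fmt)  # $0=realm, $n=component
    if selector is not None and re.fullmatch(selector, formatted) is None:
        return None
    for pat, rep, globally in subs:
        formatted = re.sub(pat, rep, formatted, count=0 if globally else 1)
    return formatted


def map_principal(principal, rules, default_realm=None):
    """Apply auth_to_local rules in order; the first one that maps wins."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


# The rule from the reply, verbatim.
UIB_RULE = "RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//"
# Constructed tighter variant: exact UIB.NO, or a realm ending in ".UIB.NO".
STRICT_RULES = [
    r"RULE:[1:$1@$0]([^@]+@UIB\.NO)s/@.*//",
    r"RULE:[1:$1@$0]([^@]+@.*\.UIB\.NO)s/@.*//",
]

if __name__ == "__main__":
    for p in ["foo@UNIX.UIB.NO", "foo@UIB.NO", "garet@LILLE.FUTURS.INRIA.FR",
              "host/www.uib.no@UNIX.UIB.NO", "foo@EVILUIBXNO"]:  # constructed inputs
        print("%-30s DEFAULT=%-5s post=%-5s strict=%s" % (
            p, map_principal(p, ["DEFAULT"], "UNIX.UIB.NO"),
            map_principal(p, [UIB_RULE]), map_principal(p, STRICT_RULES)))
```

Two points worth keeping in mind when reading the output: the `[1:...]` prefix means only single-component principals are considered, so a service principal such as host/www.uib.no at UNIX.UIB.NO never maps, and a rule that strips the realm merges namespaces, so foo at UIB.NO and foo at UNIX.UIB.NO both become the local user foo. The KDC cross-realm trust still decides which realms can present tickets at all; the rule only decides which of those get a local name, so keeping the selector tight is cheap insurance.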