auth_to_local struggle

miguel.sanders@arcelormittal.com miguel.sanders at arcelormittal.com
Mon May 11 15:14:46 EDT 2009 

Thanks a lot Mark!

Works fine! 


Met vriendelijke groet
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Oorspronkelijk bericht-----
Van: Mark Pröhl [mailto:mark at mproehl.net] 
Verzonden: maandag 11 mei 2009 17:07
Aan: SANDERS Miguel
CC: kerberos at mit.edu
Onderwerp: Re: auth_to_local struggle

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

this works for me:

  auth_to_local = RULE:[2:$1;$2@$0](root;.*@SOMEREALM)s/;.*@SOMEREALM//g

If

Mark Pröhl


miguel.sanders at arcelormittal.com wrote:
> Hi folks
> 
> I'm struggling with the auth_to_local rule.
> I want the principal root/samehost.some.domain at SOMEREALM to be mapped to the user root.
> I created the following auth_to_local rule in krb5.conf
> 	auth_to_local = RULE:[2:$2/$1@$0](\/.*@SOMEREALM)s/\/.*@.*//
> 
> I wrote a sample test program in order to verify the authorization part:
> #include <krb5.h>
> #include <stdio.h>
> 
> int main(int argc, const char **argv){
>         if (argc != 3) {
>                 fprintf(stderr,"Number of arguments incorrect\n");
>                 fprintf(stderr,"1) Kerberos Principal 2) Mapped Local User\n");
>                 exit(1);
>         }
>         krb5_context context;
>         krb5_principal client;
>         krb5_boolean logon;
> 
>         krb5_init_context(&context);
>         krb5_parse_name(context,argv[1],&client);
> 
>         logon = krb5_kuserok(context, client, (char *)argv[2]);
>         if (logon)
>                 fprintf(stdout,"Principal %s is authorized to login as user %s\n",(char *)argv[1],(char *)argv[2]);
>         else
>                 fprintf(stderr,"Principal %s is NOT authorized to 
> login as user %s\n",(char *)argv[1],(char *)argv[2]);
> 
>         krb5_free_principal(context, client);
>         krb5_free_context(context);
> }
> 
> Unfortunately, my test program always says the following:
> 
> ./krb5 root/samehost.some.domain at SOMEREALM root Principal 
> root/samehost.some.domain at SOMEREALM is NOT authorized to login as user 
> root
> 
> What's wrong with my rule? The tranformation rule is correct AFAIK.
> 
> Thanks for your help!
> 
> Met vriendelijke groet
> Best regards
> Bien à vous
> 
> Miguel SANDERS
> ArcelorMittal Gent
> 
> UNIX Systems & Storage
> IT Supply Western Europe | John Kennedylaan 51
> B-9042 Gent
> 
> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E 
> miguel.sanders at arcelormittal.com www.arcelormittal.com/gent
> 
> 
> ****
> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. 
> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. 
> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. 
> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.  
> ****
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoIPwEACgkQNP9kGj7lDw5MvACg4pKNBOmpgzttTVrg7rATIVoJ
3x8AoPdRG3m2Ccj+aIK/jy/S4Qpf+CIm
=8QJf
-----END PGP SIGNATURE-----

**** 
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. 
If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. 
Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. 
This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.  
****

More information about the Kerberos mailing list