question on auth_to_user

Kyley Engle kyley_engle at hotmail.com
Thu May 20 15:26:22 EDT 2010


I'm trying to set up rules using the auth_to_user option inside of a realm definition in my krb5.conf file. I've not had any luck finding good, and accurate, documentation on that option. Basically, I need my host principals to authenticate without having them in the local password file.

What the principal ends up looking like to my Apache server is class;fqdn, which fails authentication.
What I am trying to do is:

host/fqdn@REALM.COM should get translated to just fqdn, which can then authenticate just fine.
class/fqdn@REALM.COM should get translated to class/fqdn, basically just dropping the realm portion.

Using this, I can munge the host principal the way I want:
[realms]
REALM.COM = {
    kdc = kdc-1
    kdc = kdc-2
    # rules are tried in order; the first one that matches wins
    auth_to_local = RULE:[2:$1;$2](^host;.*$)s/^host;//
    auth_to_local = DEFAULT
}

however, if I try something like:
auth_to_local = RULE:[2:$1/$2](^.*;.*$)

It doesn't work. The / is the usual reserved character, and there does not seem to be a way to escape it. Any suggestions? Or am I approaching this in the wrong way?

-kyley
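To see what the rules in the post actually produce, here is a small emulator of MIT krb5's auth_to_local processing. It is an added example written for this page, not code from the original post or from the krb5 project, and it is a simplified model: it implements the RULE:[n:string](regexp)s/pattern/replacement/g form with $0 for the realm and $1..$n for the components, requires the selection regexp to match the whole formatted string, supports no escaped slashes inside the substitution, and treats a / inside the [n:string] part literally (an assumption about the real parser, which is exactly what the poster is asking about). The DEFAULT rule maps a single-component principal in the local realm to its name and nothing else. REALM.COM, the sample principals and the hypothetical second rule `RULE:[2:$1/$2](^class/.*$)` are constructed for the example.

```python
import re

# Assumed local realm for the DEFAULT rule (constructed for this example).
LOCAL_REALM = "REALM.COM"

# RULE:[n:string](regexp)s/pattern/replacement/g  -- the trailing s/// part is optional.
# Assumption: no escaped '/' inside pattern or replacement, no ')' inside the regexp.
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(?:s/([^/]*)/([^/]*)/(g?))?$"
)


def parse_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the local name a single rule yields, or None if it does not apply."""
    comps, realm = parse_principal(principal)

    if rule == "DEFAULT":
        # Only single-component principals of the local realm map by default.
        if realm == LOCAL_REALM and len(comps) == 1:
            return comps[0]
        return None

    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("cannot parse rule: %r" % rule)
    ncomp, fmt, selector, pat, rep, flag = m.groups()

    # A RULE only considers principals with exactly n components.
    if len(comps) != int(ncomp):
        return None

    # Build the candidate string: $0 is the realm, $1..$n the components.
    def expand(mo):
        i = int(mo.group(1))
        if i == 0:
            return realm
        if i > len(comps):
            raise ValueError("$%d exceeds component count in %r" % (i, rule))
        return comps[i - 1]

    candidate = re.sub(r"\$(\d+)", expand, fmt)

    # Assumption: the selection regexp must cover the whole candidate string.
    sel = re.match(selector, candidate)
    if sel is None or sel.end() != len(candidate):
        return None

    # Optional sed-style substitution; 'g' replaces every occurrence.
    if pat is not None:
        candidate = re.sub(pat, rep, candidate, count=0 if flag == "g" else 1)
    return candidate


def map_principal(rules, principal):
    """Try rules in order and return the first mapping, or None if none applies."""
    for rule in rules:
        out = apply_rule(rule, principal)
        if out is not None:
            return out
    return None


# The rule list from the post, plus a hypothetical rule that drops the realm
# from class/fqdn principals if '/' is accepted literally in the format string.
POSTED_RULES = [
    "RULE:[2:$1;$2](^host;.*$)s/^host;//",
    "DEFAULT",
]
HYPOTHETICAL_RULES = [
    "RULE:[2:$1;$2](^host;.*$)s/^host;//",
    "RULE:[2:$1/$2](^class/.*$)",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("host/www.realm.com@REALM.COM", "class/www.realm.com@REALM.COM",
              "kyley@REALM.COM", "kyley@OTHER.COM"):
        print(p, "->", map_principal(POSTED_RULES, p),
              "| with class rule:", map_principal(HYPOTHETICAL_RULES, p))
```

Running it shows why the posted configuration handles host principals but not class ones: with only the host rule and DEFAULT, class/fqdn@REALM.COM has two components, so DEFAULT never applies and no mapping is produced; a principal from another realm is likewise rejected. Whether the real parser accepts the / in the hypothetical rule is the open question of the post, and this model does not answer it.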

