Documentation of auth_to_local

Brian Candler B.Candler at pobox.com
Thu Sep 30 07:16:52 EDT 2010


I have been trying out Kerberos under CentOS 5.5, which claims to include
MIT kerberos version 1.6.1:

# rpm -qi krb5-server
Name        : krb5-server                  Relocations: (not relocatable)
Version     : 1.6.1                             Vendor: CentOS
...
URL         : http://web.mit.edu/kerberos/www/

Now, in the administrator's guide on the web at
http://web.mit.edu/Kerberos/krb5-1.4/krb5-1.4/doc/krb5-admin.html#realms%20(krb5.conf)
http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#realms-_0028krb5_002econf_0029
http://web.mit.edu/Kerberos/krb5-1.7/krb5-1.7.1/doc/krb5-admin.html#realms%20(krb5.conf)

it gives the following example usage of auth_to_local:

[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = {
            RULE:[2:$1](johndoe)s/^.*$/guest/
            RULE:[2:$1;$2](^.*;admin$)s/;admin$//
            RULE:[2:$2](^.*;root)s/^.*$/root/
            DEFAULT
            }
        }

However, this doesn't work for me. Even just

[realms]
 BAR.EXAMPLE.COM = {
  ...
  auth_to_local = {
    DEFAULT
  }
}

was rejected. sshd logs showed:

  debug1: userauth-request for user candlerb service ssh-connection method gssapi-with-mic
  debug1: attempt 1 failures 1
  debug1: An invalid name was supplied
  Improper format of Kerberos configuration file

However, the following seems to work just fine:

[realms]
 BAR.EXAMPLE.COM = {
  kdc = kdc.bar.example.com:88
  admin_server = kdc.bar.example.com:749
  default_domain = bar.example.com
  auth_to_local = RULE:[1:$1@$0](^.*@FOO\.EXAMPLE\.COM$)s/@FOO.EXAMPLE.COM$//
  auth_to_local = DEFAULT
 }

Based on that, I think the documentation should show:

[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
        }

But is it that the version of Kerberos bundled with RedHat/CentOS is
different from the mainline MIT code?

Regards,

Brian Candler.

P.S. The hint to try a different format of auth_to_local came from
http://www.fnal.gov/docs/strongauth2003/html/krb5conf.html
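To make the RULE syntax in the snippets above concrete, here is an added example (written for this page, not code from the post, from MIT, or from the linked Fermilab page): a small Python evaluator for auth_to_local entries that models the semantics the admin guide describes, and runs the page's own rules over constructed principals. Everything in it is an assumption for illustration: the default realm BAR.EXAMPLE.COM, the `/`-separated principal components, the requirement that the regexp match the whole formatted string, and the sed-style `s/pattern/replacement/` handling (only an optional trailing `g` flag is supported).

```python
import re

# Constructed example: a simplified model of MIT krb5 auth_to_local evaluation.
# It is not MIT's implementation; it exists to show what each rule does.
DEFAULT_REALM = "BAR.EXAMPLE.COM"  # assumption for this example

# RULE:[n:string](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal must have the form name@REALM: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Return the local user name one rule produces, or None if it does not apply."""
    components, realm = parse_principal(principal)

    if rule == "DEFAULT":
        # DEFAULT maps only a single-component principal in the default realm
        # to the local account of the same name; anything else is not applicable.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None

    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed rule: {rule!r}")
    ncomp, fmt, regexp, pattern, repl, flag = m.groups()

    # [n:...] applies only to principals with exactly n components.
    if len(components) != int(ncomp):
        return None

    # Build the string: $0 is the realm, $1..$n are the components.
    def expand(v):
        i = int(v.group(1))
        if i > len(components):
            raise ValueError(f"rule references $%d but principal has %d components" % (i, len(components)))
        return realm if i == 0 else components[i - 1]

    formatted = re.sub(r"\$(\d+)", expand, fmt)

    # The regexp must match the whole formatted string, otherwise the rule is skipped.
    if re.fullmatch(regexp, formatted) is None:
        return None

    # Apply the sed-style substitution to obtain the local name.
    return re.sub(pattern, repl, formatted, count=0 if flag == "g" else 1)


def map_principal(rules, principal, default_realm=DEFAULT_REALM):
    """Try rules in order; the first applicable one wins. None means no mapping (login refused)."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


# The two-line form the post reports as working (krb5.conf lines, one rule each).
BAR_RULES = [
    r"RULE:[1:$1@$0](^.*@FOO\.EXAMPLE\.COM$)s/@FOO.EXAMPLE.COM$//",
    "DEFAULT",
]

# The rules from the MIT admin guide example, for a host whose default realm is ATHENA.MIT.EDU.
ATHENA_RULES = [
    r"RULE:[2:$1](johndoe)s/^.*$/guest/",
    r"RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    r"RULE:[2:$2](^.*;root)s/^.*$/root/",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("alice@FOO.EXAMPLE.COM", "candlerb@BAR.EXAMPLE.COM", "someone@OTHER.EXAMPLE.COM"):
        print(p, "->", map_principal(BAR_RULES, p))
    for p in ("johndoe/admin@ATHENA.MIT.EDU", "bob/admin@ATHENA.MIT.EDU", "bob@ATHENA.MIT.EDU"):
        print(p, "->", map_principal(ATHENA_RULES, p, default_realm="ATHENA.MIT.EDU"))
```

Two things the run makes visible that the config lines alone do not: rules are tried strictly in order and the first applicable one wins, so the anchoring and escaping in the regexp (`^...@FOO\.EXAMPLE\.COM$`) are what stop principals from unrelated realms being mapped onto local accounts; and a principal that no rule accepts (here `someone@OTHER.EXAMPLE.COM`) yields no local name at all, which is the outcome a reviewer should expect for foreign realms that the configuration does not explicitly trust.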
