Documentation of auth_to_local
Brian Candler
B.Candler at pobox.com
Thu Sep 30 07:16:52 EDT 2010
I have been trying out Kerberos under CentOS 5.5, which claims to include
MIT kerberos version 1.6.1:
# rpm -qi krb5-server
Name : krb5-server Relocations: (not relocatable)
Version : 1.6.1 Vendor: CentOS
...
URL : http://web.mit.edu/kerberos/www/
Now, in the administrator's guide on the web at
http://web.mit.edu/Kerberos/krb5-1.4/krb5-1.4/doc/krb5-admin.html#realms%20(krb5.conf)
http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#realms-_0028krb5_002econf_0029
http://web.mit.edu/Kerberos/krb5-1.7/krb5-1.7.1/doc/krb5-admin.html#realms%20(krb5.conf)
it gives the following example usage of auth_to_local:
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = {
            RULE:[2:$1](johndoe)s/^.*$/guest/
            RULE:[2:$1;$2](^.*;admin$)s/;admin$//
            RULE:[2:$2](^.*;root)s/^.*$/root/
            DEFAULT
        }
    }
However, this doesn't work for me. Even just
[realms]
    BAR.EXAMPLE.COM = {
        ...
        auth_to_local = {
            DEFAULT
        }
    }
was rejected. sshd logs showed:
debug1: userauth-request for user candlerb service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 1
debug1: An invalid name was supplied
Improper format of Kerberos configuration file
However, the following seems to work just fine:
[realms]
    BAR.EXAMPLE.COM = {
        kdc = kdc.bar.example.com:88
        admin_server = kdc.bar.example.com:749
        default_domain = bar.example.com
        auth_to_local = RULE:[1:$1@$0](^.*@FOO\.EXAMPLE\.COM$)s/@FOO.EXAMPLE.COM$//
        auth_to_local = DEFAULT
    }
Based on that, I think the documentation should show:
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
    }
But is it that the version of Kerberos bundled with RedHat/CentOS is
different from the mainline MIT code?
Regards,
Brian Candler.
P.S. The hint to try a different format of auth_to_local came from
http://www.fnal.gov/docs/strongauth2003/html/krb5conf.html
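The following is an added example, not part of the post above and not MIT krb5's own code: a small Python evaluator for the RULE and DEFAULT forms of auth_to_local, so that the rules quoted in the post can be run over sample principals and the mapping each one produces can be checked before the rules are trusted on a real sshd. It simplifies the real semantics on a few labelled points (the selection regexp must match the whole formatted string, a substitution whose pattern does not match leaves the string unchanged, replacement text is taken literally, and the regexp is taken to end at the last ')' that leaves a well-formed s/.../.../ tail), and it assumes BAR.EXAMPLE.COM is the default realm, which is the section the working config puts the rules in. The principals fed to it and the "allowlist" variant of the FOO rule are constructed for this example. It also shows the point a practitioner would want checked: the rule that worked for the poster maps every principal in FOO.EXAMPLE.COM to the same-named local account, root@FOO.EXAMPLE.COM included, and in this model the administrator's-guide rule RULE:[2:$2](^.*;root)s/^.*$/root/ never selects anything, because its selection string is only $2 while its regexp requires a ';'.

```python
import re
from typing import List, Optional, Tuple

# Added example, not MIT krb5 code: a small evaluator for the RULE and DEFAULT
# forms of auth_to_local, so the rules from the post can be run over sample
# principals.  Simplifying assumptions: the selection regexp must match the
# whole formatted string; a substitution whose pattern does not match leaves
# the string unchanged; replacement text is literal; the regexp is delimited
# by the last ')' that leaves a well-formed s/.../.../ tail.

_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?((?:s/.*)?)$")
_SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")
_SUBST_LIST_RE = re.compile(r"(?:s/(?:[^/\\]|\\.)*/(?:[^/\\]|\\.)*/g?)*")


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm); no escape handling."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def _format_selection(template: str, comps: List[str], realm: str) -> str:
    """Expand $0 (realm) and $1..$n (components) in the [n:string] template."""
    def expand(m):
        i = int(m.group(1))
        if i == 0:
            return realm
        if i > len(comps):
            raise ValueError(f"${i} refers past the {len(comps)} component(s)")
        return comps[i - 1]
    return re.sub(r"\$(\d+)", expand, template)


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Local name produced by one rule, or None if the rule does not apply."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"cannot parse rule: {rule!r}")
    ncomp, template, selector, tail = m.groups()
    if len(comps) != int(ncomp):          # [n:...] applies to n-component names only
        return None
    s = _format_selection(template, comps, realm)
    if selector is not None and not re.fullmatch(selector, s):
        return None                       # selection regexp did not match
    if not _SUBST_LIST_RE.fullmatch(tail):
        raise ValueError(f"bad substitution list in rule: {rule!r}")
    for pat, repl, flag in _SUBST_RE.findall(tail):
        # Literal replacement text; 'g' replaces every match, otherwise the first.
        s = re.sub(pat, lambda _m: repl, s, count=0 if flag == "g" else 1)
    return s


def auth_to_local(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """First rule that applies wins; None means the principal does not map (login denied)."""
    for rule in rules:
        lname = apply_rule(rule, principal, default_realm)
        if lname is not None:
            return lname
    return None


# The configuration that worked for the poster, one auth_to_local line per rule,
# consulted for every principal because BAR.EXAMPLE.COM is assumed to be the
# default realm.
BAR_RULES = [
    r"RULE:[1:$1@$0](^.*@FOO\.EXAMPLE\.COM$)s/@FOO.EXAMPLE.COM$//",
    "DEFAULT",
]

# Tighter variant (constructed here, not from the post): name the FOO principal
# that may log in instead of accepting every FOO.EXAMPLE.COM principal.
BAR_RULES_ALLOWLIST = [
    r"RULE:[1:$1@$0](^candlerb@FOO\.EXAMPLE\.COM$)s/@FOO.EXAMPLE.COM$//",
    "DEFAULT",
]

# The example from the MIT administrator's guide, one rule per line.
ATHENA_RULES = [
    r"RULE:[2:$1](johndoe)s/^.*$/guest/",
    r"RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    r"RULE:[2:$2](^.*;root)s/^.*$/root/",
    "DEFAULT",
]

if __name__ == "__main__":
    # Constructed principals exercising the poster's working configuration.
    for p in ("candlerb@FOO.EXAMPLE.COM", "candlerb@BAR.EXAMPLE.COM",
              "root@FOO.EXAMPLE.COM", "candlerb/admin@BAR.EXAMPLE.COM",
              "candlerb@OTHER.EXAMPLE.COM"):
        print(f"{p:32} -> {auth_to_local(BAR_RULES, p, 'BAR.EXAMPLE.COM')}"
              f"  (allowlist: {auth_to_local(BAR_RULES_ALLOWLIST, p, 'BAR.EXAMPLE.COM')})")
```

Because the first rule whose selection matches decides the local name, the order of the auth_to_local lines matters and the selection regexp is the only place to say which foreign principals are acceptable; a rule that accepts ^.*@FOO\.EXAMPLE\.COM$ delegates the whole local account namespace, root included, to whoever controls the FOO.EXAMPLE.COM KDC.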