Kerberos cross-realm with AD
Simo Sorce
ssorce at redhat.com
Mon Feb 7 13:48:43 EST 2011
On Mon, 7 Feb 2011 18:12:37 +0000
Brian Candler <B.Candler at pobox.com> wrote:
> Solution 2: you can map all users at MEL.DOMAIN.COM to users at M.DOMAIN.COM
>
> In krb5.conf (on the FreeBSD server) this would be something like:
>
> [realms]
> M.DOMAIN.COM = {
> auth_to_local =
> RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$//
> auth_to_local = DEFAULT }
>
> WARNING: not tested. You need to triple-check that's right, as it
> could open you up to various holes if not correct. The syntax is
> interesting, to say the least. Also, you need to make sure that
> foo at M.DOMAIN.COM and foo at MEL.DOMAIN.COM are never two different
> people. But it's a one-off config change on each host.
If you want separate users you can also create users with a
prefix/suffix as part of the user name for the "foreign" users:
user-MEL or MEL.DOMAIN.COM-username
They may not look pretty but would get the job done w/o risk of having
collisions as long as the main domain username assignment follows
minimal rules.
First form:
RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$/-MEL/
Second form:
RULE:[1:$1@$0](^.*@.*$)s/(^.*)@(.*$)/\2-\1/
I haven't tested this last one, so I am not sure the syntax is correct,
but it should be possible to get to a working syntax.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
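To see what local name each rule set in this thread actually produces, here is a small interpreter for the MIT krb5 auth_to_local RULE and DEFAULT syntax. It is an added example, not code from the thread or from MIT krb5; it models the documented semantics (first matching rule wins, `[n:...]` requires exactly n components, `$0` is the realm, a non-matching principal gets no local name) and uses Python's `re` in place of the POSIX regex engine krb5 uses, which is close enough for these rules.

```python
import re

# Rule grammar: RULE:[n:format](selector)s/pattern/replacement/[g]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?")

def apply_rule(rule, principal, default_realm):
    """Local name produced by one auth_to_local rule, or None if it does not apply."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT maps single-component principals of the default realm only.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError(f"unparsable rule: {rule}")
    ncomp, fmt, selector, pat, repl, flags = m.groups()
    if len(comps) != int(ncomp):
        return None                      # [n:...] requires exactly n components
    s = fmt.replace("$0", realm)         # $0 is the realm, $1..$n the components
    for i, c in enumerate(comps, 1):
        s = s.replace(f"${i}", c)
    if selector and not re.search(selector, s):
        return None                      # selector regex did not match, try next rule
    if pat is not None:
        s = re.sub(pat, repl, s, count=0 if flags else 1)
    return s

def map_principal(rules, principal, default_realm):
    """Rules are tried in krb5.conf order; None means no mapping (access refused)."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None

# Constructed rule sets quoting the thread: Brian's solution 2 and Simo's two forms.
DEFAULT_REALM = "M.DOMAIN.COM"
SOLUTION2 = [r"RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$//", "DEFAULT"]
FIRST_FORM = [r"RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$/-MEL/", "DEFAULT"]
# The second form's selector matches every realm, so DEFAULT must come first
# or local-realm users would also be rewritten to M.DOMAIN.COM-username.
SECOND_FORM = ["DEFAULT", r"RULE:[1:$1@$0](^.*@.*$)s/(^.*)@(.*$)/\2-\1/"]

if __name__ == "__main__":
    for label, rules in (("solution 2", SOLUTION2), ("first form", FIRST_FORM),
                         ("second form", SECOND_FORM)):
        for p in ("foo@M.DOMAIN.COM", "foo@MEL.DOMAIN.COM", "host/web@MEL.DOMAIN.COM"):
            print(f"{label:11} {p:26} -> {map_principal(rules, p, DEFAULT_REALM)}")
```

Running it shows the collision Brian warns about (solution 2 maps both foo principals to `foo`), while the first form yields `foo` and `foo-MEL` and the second form `foo` and `MEL.DOMAIN.COM-foo`; a two-component principal such as `host/web@MEL.DOMAIN.COM` matches no rule and is refused.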