Kerberos cross-realm with AD

Simo Sorce ssorce at redhat.com
Mon Feb 7 13:48:43 EST 2011


On Mon, 7 Feb 2011 18:12:37 +0000
Brian Candler <B.Candler at pobox.com> wrote:

> Solution 2: you can map all users@MEL.DOMAIN.COM to users@M.DOMAIN.COM
> 
> In krb5.conf (on the FreeBSD server) this would be something like:
> 
> [realms]
>  M.DOMAIN.COM = {
>   auth_to_local = RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$//
>   auth_to_local = DEFAULT
>  }
> 
> WARNING: not tested. You need to triple-check that's right, as it
> could open you up to various holes if not correct.  The syntax is
> interesting, to say the least.  Also, you need to make sure that
> foo@M.DOMAIN.COM and foo@MEL.DOMAIN.COM are never two different
> people.  But it's a one-off config change on each host.

If you want separate users you can also create users with a
prefix/suffix as part of the user name for the "foreign" users:

user-MEL or MEL.DOMAIN.COM-username

They may not look pretty but would get the job done w/o risk of having
collisions as long as the main domain username assignment follows
minimal rules.

First form:
RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$/-MEL/

Second form:
RULE:[1:$1@$0](^.*@.*$)s/(^.*)@(.*$)/\2-\1/

I haven't tested this last one, so I am not sure the syntax is correct,
but it should be possible to get to a working syntax.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
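The three rule forms discussed in this thread, worked through as an added example (not part of the original message, and not MIT's own code): a small Python model of the auth_to_local RULE mechanism as MIT krb5 documents it ([n:format] selects on component count, $0 is the realm and $1..$n the components, the parenthesised regex must match the formatted string, then a sed-style s/from/to/[g] substitution with \N backreferences is applied). Python's re dialect stands in for the POSIX regexes MIT uses, and DEFAULT is modelled as "first component of a single-component principal in the default realm, otherwise skip", both assumptions; the sample principals are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Grammar of one auth_to_local RULE as documented for MIT krb5 (assumption: the
# documented behaviour is modelled; Python's re stands in for POSIX regexes):
#   RULE:[n:format](match)s/from/to/[g]
RULE_SYNTAX = re.compile(
    r'^RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$'
)


@dataclass(frozen=True)
class Rule:
    ncomp: int        # number of principal components the rule applies to
    fmt: str          # $0 = realm, $1..$n = principal components
    match: str        # regex the formatted string must match for the rule to fire
    sub_from: str     # sed-style s/from/to/ pattern ...
    sub_to: str       # ... and replacement (\1, \2 backreferences allowed)
    global_sub: bool  # trailing g: replace every match, not just the first


def parse_rule(text: str) -> Rule:
    m = RULE_SYNTAX.match(text)
    if not m:
        raise ValueError(f"unparseable auth_to_local rule: {text!r}")
    ncomp, fmt, match, sub_from, sub_to, g = m.groups()
    return Rule(int(ncomp), fmt, match, sub_from, sub_to, g == 'g')


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/foo@REALM' -> (['host', 'foo'], 'REALM')."""
    name, sep, realm = principal.rpartition('@')
    if not sep:                       # no realm part at all
        name, realm = principal, ''
    return name.split('/'), realm


def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    """Return the local name the rule produces, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if len(comps) != rule.ncomp:      # [n:...] selects on component count
        return None
    s = rule.fmt
    for i in range(len(comps), 0, -1):   # expand $n before $1 so $1 cannot eat $10
        s = s.replace(f'${i}', comps[i - 1])
    s = s.replace('$0', realm)
    if not re.search(rule.match, s):     # the rules in the thread anchor with ^ and $
        return None
    return re.sub(rule.sub_from, rule.sub_to, s, count=0 if rule.global_sub else 1)


def auth_to_local(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """Evaluate an auth_to_local list in order; None means no mapping (login refused)."""
    for entry in rules:
        if entry == 'DEFAULT':
            comps, realm = split_principal(principal)
            # DEFAULT only maps single-component principals of the default realm
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        out = apply_rule(parse_rule(entry), principal)
        if out is not None:
            return out
    return None


# The rule sets from the thread: strip the realm, suffix form, prefix form.
STRIP  = [r'RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$//', 'DEFAULT']
SUFFIX = [r'RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$/-MEL/', 'DEFAULT']
PREFIX = [r'RULE:[1:$1@$0](^.*@.*$)s/(^.*)@(.*$)/\2-\1/', 'DEFAULT']

if __name__ == '__main__':
    # Constructed sample principals: a local user, a foreign user with the same
    # first component, a service principal, and a user from an unrelated realm.
    for p in ['foo@M.DOMAIN.COM', 'foo@MEL.DOMAIN.COM',
              'host/foo@MEL.DOMAIN.COM', 'foo@OTHER.EXAMPLE']:
        print(f'{p:26} strip={auth_to_local(STRIP, p, "M.DOMAIN.COM")!s:6} '
              f'suffix={auth_to_local(SUFFIX, p, "M.DOMAIN.COM")!s:8} '
              f'prefix={auth_to_local(PREFIX, p, "M.DOMAIN.COM")}')
```

Running it shows the three behaviours side by side: the strip rule sends both foo@M.DOMAIN.COM and foo@MEL.DOMAIN.COM to the local user `foo` (the collision the quoted warning is about); the suffix form keeps them apart as `foo` and `foo-MEL`; the prefix form, because its match regex `^.*@.*$` accepts every realm, renames local users to `M.DOMAIN.COM-foo` as well and also admits principals from any realm the host trusts, so DEFAULT is never reached. Restricting that match to the foreign realm, as the suffix form does, leaves the local namespace untouched. Two-component principals such as host/foo are skipped by every `[1:...]` rule and by DEFAULT. Since this is a model of the documented semantics rather than the krb5 parser, confirm a candidate rule against the real library before relying on it.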


