Kerberos cross-realm with AD
Tom Parker
tparker at cbnco.com
Mon Feb 7 14:11:08 EST 2011
We have a similar scenario with user collisions in a cross-realm
environment. We are using fully qualified principal names as usernames
on all our servers (stored in LDAP and accessed with nss_ldap):
<user@REALM> is the user that is logged in, not just <user>.
Our auth_to_local rules are:
auth_to_local = RULE:[1:$1@$0]
auth_to_local = RULE:[2:$1@$0]
This is annoying to anyone who has to type their password, but with
GSSAPI and a good .ssh/config file our complaints have gone away.
Tom
On 02/07/2011 01:48 PM, Simo Sorce wrote:
> On Mon, 7 Feb 2011 18:12:37 +0000
> Brian Candler <B.Candler at pobox.com> wrote:
>
>> Solution 2: you can map all users@MEL.DOMAIN.COM to users@M.DOMAIN.COM
>>
>> In krb5.conf (on the FreeBSD server) this would be something like:
>>
>> [realms]
>>     M.DOMAIN.COM = {
>>         auth_to_local = RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$//
>>         auth_to_local = DEFAULT
>>     }
>>
>> WARNING: not tested. You need to triple-check that's right, as it
>> could open you up to various holes if not correct. The syntax is
>> interesting, to say the least. Also, you need to make sure that
>> foo@M.DOMAIN.COM and foo@MEL.DOMAIN.COM are never two different
>> people. But it's a one-off config change on each host.
> If you want separate users you can also create users with a
> prefix/suffix as part of the user name for the "foreign" users:
>
> user-MEL or MEL.DOMAIN.COM-username
>
> They may not look pretty but would get the job done w/o risk of having
> collisions as long as the main domain username assignment follows
> minimal rules.
>
> First form:
> RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$/-MEL/
>
> Second form:
> RULE:[1:$1@$0](^.*@.*$)s/(^.*)@(.*$)/\2-\1/
>
> I haven't tested this last one, so I am not sure the syntax is correct,
> but it should be possible to get to a working syntax.
>
> Simo.
>
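To see what each rule quoted in this thread actually does to a principal, here is a small re-implementation of the MIT krb5 auth_to_local RULE syntax in Python, added as an example rather than code from the thread or from krb5. It assumes the usual MIT semantics (first applicable rule wins; DEFAULT maps only single-component principals of the local realm) and uses Python's re module in place of the POSIX regex library krb5 links against; find_collisions is the "never two different people" check Brian asks for, run over whatever principals you expect to see.

```python
import re
# One MIT auth_to_local rule: RULE:[n:string](regexp)s/pattern/replacement/g, with $0 in
# "string" the realm and $1..$n the name components (Python re stands in for POSIX regex).
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"                      # [n:string]
    r"(?:\((.*?)\))?"                                 # optional (regexp) selector
    r"(?:s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?))?$"   # optional s/pat/repl/[g]
)

def parse_rule(text):
    if text == "DEFAULT":
        return "DEFAULT"
    m = _RULE_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    n, fmt, sel, pat, repl, g = m.groups()
    return (int(n), fmt, re.compile(sel) if sel is not None else None,
            (re.compile(pat), repl, g == "g") if pat is not None else None)

def apply_rule(rule, principal, local_realm):
    # Result of one rule for 'name[/inst]@REALM', or None if the rule does not apply.
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":  # DEFAULT: single-component principals of the local realm only
        return comps[0] if realm == local_realm and len(comps) == 1 else None
    n, fmt, sel, sub = rule
    if len(comps) != n:
        return None
    s = re.sub(r"\$(\d+)", lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1], fmt)
    if sel is not None and not sel.search(s):
        return None
    if sub is not None:
        pat, repl, everywhere = sub
        s = pat.sub(repl, s, count=0 if everywhere else 1)
    return s

def map_principal(principal, rules, local_realm):
    """First rule that applies wins, as in krb5.conf; None means no local account."""
    results = (apply_rule(r, principal, local_realm) for r in rules)
    return next((out for out in results if out is not None), None)

def find_collisions(principals, rules, local_realm):
    """Local names claimed by more than one principal: the 'never two different people' check."""
    owners = {}
    for p in principals:
        local = map_principal(p, rules, local_realm)
        if local is not None:
            owners.setdefault(local, []).append(p)
    return {k: v for k, v in owners.items() if len(v) > 1}
```

With Brian's rule followed by DEFAULT, foo@M.DOMAIN.COM and foo@MEL.DOMAIN.COM both come out as foo; with either of Simo's forms they stay distinct (foo-MEL, or MEL.DOMAIN.COM-foo).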