Kerberos cross-realm with AD

Tom Parker tparker at cbnco.com
Mon Feb 7 14:11:08 EST 2011


We have a similar scenario with user collisions in a cross-realm 
environment.  We are using fully qualified principal names as usernames 
on all our servers (stored in LDAP and accessed with nss_ldap).

<user@REALM> is the user that is logged in.  Not just <user>.

Our auth-to-local rules are:

                 auth_to_local = RULE:[1:$1@$0]
                 auth_to_local = RULE:[2:$1@$0]

This is annoying to anyone who has to type their password, but with 
GSSAPI and a good .ssh/config file our complaints have gone away.

Tom


On 02/07/2011 01:48 PM, Simo Sorce wrote:
> On Mon, 7 Feb 2011 18:12:37 +0000
> Brian Candler<B.Candler at pobox.com>  wrote:
>
>> Solution 2: you can map all users@MEL.DOMAIN.COM to users@M.DOMAIN.COM
>>
>> In krb5.conf (on the FreeBSD server) this would be something like:
>>
>> [realms]
>>   M.DOMAIN.COM = {
>>     auth_to_local = RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$//
>>     auth_to_local = DEFAULT
>>   }
>>
>> WARNING: not tested. You need to triple-check that's right, as it
>> could open you up to various holes if not correct.  The syntax is
>> interesting, to say the least.  Also, you need to make sure that
>> foo@M.DOMAIN.COM and foo@MEL.DOMAIN.COM are never two different
>> people.  But it's a one-off config change on each host.
> If you want separate users you can also create users with a
> prefix/suffix as part of the user name for the "foreign" users:
>
> user-MEL or MEL.DOMAIN.COM-username
>
> They may not look pretty but would get the job done w/o risk of having
> collisions as long as the main domain username assignment follows
> minimal rules.
>
> First form:
> RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$/-MEL/
>
> Second form:
> RULE:[1:$1@$0](^.*@.*$)s/(^.*)@(.*$)/\2-\1/
>
> I haven't tested this last one, so I am not sure the syntax is correct,
> but it should be possible to get to a working syntax.
>
> Simo.
>
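As an added illustration (not code from this thread or from MIT krb5), the following Python sketch interprets the auth_to_local entries quoted above the way krb5.conf processing does: `[n:string]` selects n-component principals and expands $0 and $n, the optional regexp must match the whole selected string, the s/// substitution yields the local name, entries are tried in order, and DEFAULT maps only single-component principals in the default realm. It runs Tom's, Brian's and Simo's rules over the constructed principals foo@M.DOMAIN.COM and foo@MEL.DOMAIN.COM and reports the collision Brian warned about; M.DOMAIN.COM as the default realm and a DEFAULT fallback after Simo's suffix rule are assumptions.

```python
import re
# Added example: a small interpreter for MIT krb5 auth_to_local entries
# (RULE:[n:string](regexp)s/pattern/replacement/g and DEFAULT) to compare the thread's rules.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"                            # [n:string]
    r"(?:\(((?:[^)\\]|\\.)*)\))?"                         # optional (regexp)
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?")   # optional s/pattern/replacement/[g]

def apply_rule(rule, principal, default_realm):
    """Local name one entry yields for principal, or None if the entry does not apply."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    if rule == "DEFAULT":  # only single-component principals in the default realm
        return components[0] if len(components) == 1 and realm == default_realm else None
    m = RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError("unsupported auth_to_local entry: " + rule)
    n, fmt, select, pattern, repl, flag = m.groups()
    if len(components) != int(n):  # a RULE applies only to n-component principals
        return None
    selected = re.sub(r"\$(\d+)", lambda v: realm if v.group(1) == "0"       # $0 is the realm
                      else components[int(v.group(1)) - 1], fmt)             # $n is component n
    if select is not None and re.fullmatch(select, selected) is None:  # whole string, as in MIT
        return None
    if pattern is not None:  # sed-style substitution; the g flag replaces every match
        selected = re.sub(pattern, repl, selected, count=0 if flag else 1)
    return selected

def auth_to_local(rules, principal, default_realm="M.DOMAIN.COM"):
    """First entry that applies wins, as in krb5.conf; None means the mapping fails."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None

def collisions(rules, principals, default_realm="M.DOMAIN.COM"):
    """Local names that more than one principal maps to under the given rules."""
    seen = {}
    for p in principals:
        seen.setdefault(auth_to_local(rules, p, default_realm), []).append(p)
    return {name: ps for name, ps in seen.items() if name is not None and len(ps) > 1}

# Rule sets from the thread; DEFAULT after Simo's suffix rule is this example's assumption
TOM = [r"RULE:[1:$1@$0]", r"RULE:[2:$1@$0]"]
BRIAN = [r"RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$//", "DEFAULT"]
SIMO_SUFFIX = [r"RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$/-MEL/", "DEFAULT"]
SIMO_PREFIX = [r"RULE:[1:$1@$0](^.*@.*$)s/(^.*)@(.*$)/\2-\1/"]
USERS = ["foo@M.DOMAIN.COM", "foo@MEL.DOMAIN.COM"]  # constructed sample principals
```

Under Brian's rule set both sample principals land on the local user "foo", while Tom's keeps the realm in the username and Simo's forms produce "foo-MEL" or "MEL.DOMAIN.COM-foo".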
