auth_to_local method for local user matching

Ben H bhendin at gmail.com
Tue Aug 20 16:23:27 EDT 2013


I am trying to understand the method in which auth_to_local determines
"local names" for mapping purposes.  According to the docs:

"This tag allows you to set a general rule for mapping principal names to
local user names"

I have an application which is utilizing AD for kerberos logins (and ldap
data).

The application can be configured in two modes:

1) The application can be configured to prepend the NT (short) domain name
(e.g. DOMAIN\); logins will require only the format `username`

- a `whoami`/`id -un` will result in `username`
- `getent passwd user` will result in a hit in the same format (as expected)
- `getent passwd DOMAIN\\username` will *also* result in a hit (same format
as `getent passwd username`)
- nss calls (e.g. 'ls -l') will return just `username`

In other words:
- when we prepend the domain name, we are able to resolve the user through
either the username or the fully qualified name.  But the system will
always return the username only
- although only `username` is required, `DOMAIN\username` can still be used
to resolve users

To get SSO working, my auth_to_local rule is the following:

auth_to_local = RULE:[1:$0\$1](^DOMAIN\.COM\\.*)s/^DOMAIN\.COM\\//

This converts the user at DOMAIN.COM UPN to
DOMAIN.COM\username then it replaces DOMAIN.COM with null to result simply
in:
`username`

The `username` format is then recognized by the remote system and all works
as expected.
Additionally, the `DOMAIN\username` format also works in this method.

In short - no problems here.  HOWEVER - the second mode:

2) The application is configured to require the full NT style syntax;
logins will require the format `DOMAIN\username`

- a `whoami`/`id -un` will result in `DOMAIN\username`
- `getent passwd DOMAIN\\username` will result in a hit in the same format
(FQDN)
- `getent passwd username` will not return data (as expected, since we have
no prepended domain)
- nss calls (e.g. 'ls -l') will return `DOMAIN\username`

The above auth_to_local rule is not working; I have found that in order to
properly map users when using method A, I create a rule like this:

auth_to_local = RULE:[1:$0\$1](^DOMAIN\.COM\\.*)s/^DOMAIN\.COM/DOMAIN/

This converts the username at DOMAIN.COM UPN to
DOMAIN.COM\username then it replaces DOMAIN.COM with DOMAIN to result in:
DOMAIN\username

The `DOMAIN\username` format is recognized by the remote system and all
works as expected.

I then attempted to use this new auth_to_local rule with mode #1
(prepending the DOMAIN\), since, in this mode, we can process both the
`DOMAIN\username` and `username` formats.
However, even though this auth_to_local rule will now output in
`DOMAIN\username`, and the system can resolve (id, getent) that syntax, the
rule does not work.

The question is: why must the auth_to_local rule be updated to return only
in the `user` format for this to work?  How and where is this local user
being determined?

Ideally I am trying to craft a rule that would work in all scenarios - I
see no reason why the rule from #2 would not support both configurations.
I am also trying to not rely on a .k5login file (which would make this
whole mapping unnecessary, I believe).

Thank you for your time.
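Editor's added example (not code from the poster or from MIT krb5): a small
Python evaluator for auth_to_local RULE entries, run over the two rules from
the message so the transformation `user@DOMAIN.COM` -> `DOMAIN.COM\user` ->
`user` (or `DOMAIN\user`) can be traced step by step.  It also models the
check that matters for the question raised above: when an application relies
on MIT's krb5_kuserok and the account has no .k5login, the library maps the
principal with krb5_aname_to_localname and compares the result to the
requested login name as a plain string; the mapped name is not sent through
NSS, so `getent` being able to resolve `DOMAIN\username` does not make it equal
to `username`.  Whether the poster's application uses krb5_kuserok is an
assumption here.  Python's `re` stands in for POSIX regex(3), the `s///`
fields are split on the bare delimiter, DEFAULT entries are ignored, and the
principals used are constructed sample input.

```python
"""Toy evaluator for MIT Kerberos auth_to_local RULE entries.

Added illustration for the thread above, not code from MIT krb5 or from the
poster.  It follows the documented RULE syntax
    RULE:[n:string](regexp)s/pattern/replacement/g
  [n:string]   applies only to principals with n components (realm excluded);
               $0 expands to the realm, $1..$n to the components.
  (regexp)     optional; the expanded string must match it in full.
  s/p/r/[g]    optional sed-style substitution, g = replace every occurrence.
Simplifications (assumptions): Python's re stands in for POSIX regex(3), the
s/// fields are split on the bare delimiter, DEFAULT entries are ignored.
"""
from __future__ import annotations

import re
from typing import Optional


def parse_principal(principal: str) -> tuple[list[str], str]:
    """Split 'c1/c2@REALM' into (components, realm); no escape handling."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def parse_rule(rule: str) -> dict:
    """Break a RULE entry into component count, format, regexp and subst."""
    if not rule.startswith("RULE:["):
        raise ValueError("not a RULE entry: %r" % rule)
    close = rule.index("]", 6)
    ncomp, _, fmt = rule[6:close].partition(":")
    rest = rule[close + 1:]
    regexp = None
    if rest.startswith("("):
        depth = 0
        for i, ch in enumerate(rest):
            depth += {"(": 1, ")": -1}.get(ch, 0)
            if depth == 0:
                break
        else:
            raise ValueError("unterminated (regexp) in %r" % rule)
        regexp, rest = rest[1:i], rest[i + 1:]
    subst = None
    if rest.startswith("s") and len(rest) > 1:
        parts = rest[2:].split(rest[1])
        if len(parts) != 3:
            raise ValueError("malformed s/// in %r" % rule)
        subst, rest = (parts[0], parts[1], parts[2] == "g"), ""
    if rest:
        raise ValueError("trailing text in rule: %r" % rest)
    return {"ncomp": int(ncomp), "fmt": fmt, "regexp": regexp, "subst": subst}


def expand(fmt: str, components: list[str], realm: str) -> str:
    """Substitute $0 (realm) and $N (N-th component) into the format."""
    def part(m: re.Match) -> str:
        i = int(m.group(1))
        if i > len(components):
            raise ValueError("$%d but principal has %d components"
                             % (i, len(components)))
        return realm if i == 0 else components[i - 1]
    return re.sub(r"\$(\d+)", part, fmt)


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Local name this rule yields for principal, or None if it doesn't apply."""
    r = parse_rule(rule)
    components, realm = parse_principal(principal)
    if len(components) != r["ncomp"]:
        return None
    name = expand(r["fmt"], components, realm)
    if r["regexp"] is not None and re.fullmatch(r["regexp"], name) is None:
        return None
    if r["subst"] is not None:
        pattern, repl, everywhere = r["subst"]
        # \1..\9 in the replacement are backreferences; all else is literal.
        def do_repl(m: re.Match) -> str:
            return re.sub(r"\\(\d)", lambda b: m.group(int(b.group(1))) or "", repl)
        name = re.sub(pattern, do_repl, name, count=0 if everywhere else 1)
    return name


def resolve(rules: list[str], principal: str) -> Optional[str]:
    """First applicable rule wins, as when walking the auth_to_local list."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


def userok(rules: list[str], principal: str, login_name: str) -> bool:
    """What krb5_kuserok does for an account without .k5login: the mapped
    name must equal the requested login name byte for byte.  The mapped
    name is not passed through NSS, so DOMAIN\\alice and alice stay distinct
    even when getent resolves both to the same account."""
    return resolve(rules, principal) == login_name


# The two rules from the post (raw strings keep the backslashes literal).
MODE1_RULE = r"RULE:[1:$0\$1](^DOMAIN\.COM\\.*)s/^DOMAIN\.COM\\//"
MODE2_RULE = r"RULE:[1:$0\$1](^DOMAIN\.COM\\.*)s/^DOMAIN\.COM/DOMAIN/"

if __name__ == "__main__":
    # Constructed sample principal; "alice" is not a real account anywhere.
    for rule in (MODE1_RULE, MODE2_RULE):
        for login in ("alice", "DOMAIN\\alice"):
            verdict = "ok" if userok([rule], "alice@DOMAIN.COM", login) else "REJECTED"
            print(rule, "->", resolve([rule], "alice@DOMAIN.COM"), "login", login, verdict)
```

Running it shows the asymmetry from the message: the mode-1 rule yields
`alice`, the mode-2 rule yields `DOMAIN\alice`, and each is accepted only
against a login name that is exactly that string.  A single rule cannot
satisfy both application modes under this comparison; two RULE entries can
be listed, but only the first one whose (regexp) matches is used, so the
realm pattern alone cannot tell the two modes apart.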


More information about the Kerberos mailing list