auth_to_local method for local user matching

Greg Hudson ghudson at MIT.EDU
Wed Aug 21 11:31:27 EDT 2013


On 08/20/2013 04:23 PM, Ben H wrote:
> The question is why must the auth_to_local rule be updated to return only
> in the `user` format for this to work?  How and where is this local user
> being determined?

The application is calling krb5_kuserok() with a principal name and a
local name.  It sounds like in mode #1, the application is passing just
the username as the local name, while in mode #2, the application is
passing DOMAIN\username.

If that is true, I don't think you can get both modes to work using
auth_to_local rules.  authname-to-localname mapping yields only one
local name for a principal name.

> Ideally I am trying to craft a rule that would work in all scenarios - I
> see no reason why the rule from #2 would not support both configurations.
> I am also trying to not rely on a .k5login file (which would make this
> whole mapping unnecessary I believe)

You might be interested in the k5login_directory option; search for that
string in:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html

In the upcoming release 1.12, we are adding a pluggable interface for
kuserok:

  http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/localauth.html
  http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html

But that's in the future, and is more tailored for integrators than
system administrators (as it requires writing C code and building a
shared object).
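As an added illustration of the points above (not part of Greg's message, and not taken from the MIT krb5 documentation), a krb5.conf fragment for the single-local-name case: a rule maps principals from a hypothetical CORP.EXAMPLE.COM realm to their plain username, and k5login_directory relocates the per-user .k5login files out of home directories. Realm names, host names and paths are placeholders; check the rule syntax against the krb5_conf.html page linked above.

```ini
# Added example, not from the message or the krb5 docs. EXAMPLE.COM,
# CORP.EXAMPLE.COM, hosts and paths are hypothetical placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Look for <dir>/<localname> instead of ~<localname>/.k5login.
    # A file is only consulted if it exists for that local user.
    k5login_directory = /etc/krb5/k5login

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        # DEFAULT maps user@EXAMPLE.COM (the default realm) to "user".
        auth_to_local = DEFAULT
    }
    # auth_to_local rules are looked up under the realm of the principal
    # being translated, so rules for CORP.EXAMPLE.COM principals live here.
    CORP.EXAMPLE.COM = {
        kdc = kdc.corp.example.com
        # Selector [1:$1@$0] turns a one-component principal into
        # "user@CORP.EXAMPLE.COM"; the regex must match that string; the
        # s/// strips the realm, so alice@CORP.EXAMPLE.COM -> alice.
        # That single result is the local name krb5_kuserok() compares
        # against (the "user" form). A rule producing DOMAIN\user instead
        # would replace this mapping, not add a second one.
        auth_to_local = RULE:[1:$1@$0](^.*@CORP\.EXAMPLE\.COM$)s/@CORP\.EXAMPLE\.COM$//
        # Two-component principals (e.g. host/... or user/admin) skip the
        # rule above; DEFAULT then fails for a non-default realm, which
        # is the safe outcome for this cross-realm case.
        auth_to_local = DEFAULT
    }
```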
