auth_to_local method for local user matching
Greg Hudson
ghudson at MIT.EDU
Wed Aug 21 11:31:27 EDT 2013
On 08/20/2013 04:23 PM, Ben H wrote:
> The question is why must the auth_to_local rule be updated to return only
> in the `user` format for this to work? How and where is this local user
> being determined?
The application is calling krb5_kuserok() with a principal name and a
local name. It sounds like in mode #1, the application is passing just
the username as the local name, while in mode #2, the application is
passing DOMAIN\username.
If that is true, I don't think you can get both modes to work using
auth_to_local rules. authname-to-localname mapping yields only one
local name for a principal name.
> Ideally I am trying to craft a rule that would work in all scenarios - I
> see no reason why the rule from #2 would not support both configurations.
> I am also trying to not rely on a .k5login file (which would make this
> whole mapping unnecessary I believe)
You might be interested in the k5login_directory option; search for that
string in:
http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
In the upcoming release 1.12, we are adding a pluggable interface for
kuserok:
http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/localauth.html
http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html
But that's in the future, and is more tailored for integrators than
system administrators (as it requires writing C code and building a
shared object).
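
Added worked example (mine, not Greg's code and not libkrb5): a small Python model of the decision described above. It evaluates MIT-style auth_to_local rules ("RULE:[n:format](regexp)s/pattern/replacement/g" and "DEFAULT") so that a principal maps to at most one local name, then applies the krb5_kuserok() check that the mapped name must equal the local name the application passed. Simplifications and assumptions: no escaping inside rules, Python's re in place of POSIX regex, the s/// replacement text is used literally, an existing .k5login is treated as authoritative over the rules, and the principal ben@EXAMPLE.COM, realm EXAMPLE.COM and both rule sets are constructed for the demonstration.

```python
"""Toy model of krb5_kuserok(): auth_to_local rules yield one local name per
principal, and the application's local name must equal it.  Added example,
not libkrb5 code; the RULE grammar is simplified (no escaping, Python re in
place of POSIX regex, literal s/// replacement text) and the .k5login
precedence is an assumption."""
import re
from typing import List, Optional, Tuple

Subst = Tuple[str, str, bool]  # (pattern, replacement, global?)


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'c1/c2@REALM' into components and realm (no escape handling)."""
    name, at, realm = principal.rpartition("@")
    if not at or not realm:
        raise ValueError("principal must carry a realm: %r" % principal)
    return name.split("/"), realm


def _take_parens(s: str) -> Tuple[Optional[str], str]:
    """Return (regexp, rest) for a leading balanced '(regexp)', else (None, s)."""
    if not s.startswith("("):
        return None, s
    depth = 0
    for i, ch in enumerate(s):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth == 0:
            return s[1:i], s[i + 1:]
    raise ValueError("unbalanced regexp in rule: %r" % s)


def _parse_substs(s: str) -> List[Subst]:
    """Parse zero or more trailing 's/pattern/replacement/[g]' commands."""
    substs: List[Subst] = []
    while s:
        if s[0] != "s" or len(s) < 4:
            raise ValueError("bad substitution in rule: %r" % s)
        delim = s[1]
        parts = s[2:].split(delim)  # simplification: no escaped delimiters
        if len(parts) < 3:
            raise ValueError("bad substitution in rule: %r" % s)
        rest = delim.join(parts[2:])
        glob = rest.startswith("g")
        substs.append((parts[0], parts[1], glob))
        s = rest[1:] if glob else rest
    return substs


def parse_rule(rule: str) -> Tuple[int, str, Optional[str], List[Subst]]:
    """Parse 'RULE:[n:format](regexp)s/pat/rep/g' into its four parts."""
    body = rule[len("RULE:"):]
    if not rule.startswith("RULE:[") or "]" not in body:
        raise ValueError("malformed rule: %r" % rule)
    close = body.index("]")
    n_str, _, fmt = body[1:close].partition(":")
    regexp, rest = _take_parens(body[close + 1:])
    return int(n_str), fmt, regexp, _parse_substs(rest)


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Evaluate one RULE against a principal; None when it does not apply."""
    comps, realm = parse_principal(principal)
    n, fmt, regexp, substs = parse_rule(rule)
    if n != len(comps):  # [n:...] selects principals with exactly n components
        return None

    def fill(m):
        i = int(m.group(1))  # $0 is the realm, $1..$n the components
        return realm if i == 0 else (comps[i - 1] if 1 <= i <= n else "")

    s = re.sub(r"\$(\d+)", fill, fmt)
    if regexp is not None and re.fullmatch(regexp, s) is None:
        return None  # the regexp must match the whole formatted string
    for pat, rep, glob in substs:
        s = re.sub(pat, lambda _m: rep, s, count=0 if glob else 1)
    return s


def aname_to_localname(principal: str, rules: List[str],
                       default_realm: str) -> Optional[str]:
    """First applicable rule wins: a principal maps to at most one local name."""
    for rule in rules:
        if rule == "DEFAULT":  # single-component principal in the default realm
            comps, realm = parse_principal(principal)
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        name = apply_rule(rule, principal)
        if name is not None:
            return name
    return None


def kuserok(principal: str, luser: str, rules: List[str], default_realm: str,
            k5login: Optional[str] = None) -> bool:
    """Model of krb5_kuserok(): an existing .k5login (assumed authoritative)
    decides; otherwise the mapped name must equal what the application passed."""
    if k5login is not None:
        entries = [ln.strip() for ln in k5login.splitlines() if ln.strip()]
        return principal in entries
    return aname_to_localname(principal, rules, default_realm) == luser


def demo() -> dict:
    """Ben's two modes against one rule set (constructed principal and rules)."""
    realm, principal = "EXAMPLE.COM", "ben@EXAMPLE.COM"
    plain = ["RULE:[1:$1@$0](.*@EXAMPLE\\.COM)s/@EXAMPLE\\.COM//", "DEFAULT"]
    domain = ["RULE:[1:EXAMPLE\\$1]", "DEFAULT"]
    return {
        "plain/user": kuserok(principal, "ben", plain, realm),
        "plain/domain": kuserok(principal, "EXAMPLE\\ben", plain, realm),
        "domain/user": kuserok(principal, "ben", domain, realm),
        "domain/domain": kuserok(principal, "EXAMPLE\\ben", domain, realm),
        "k5login/domain": kuserok(principal, "EXAMPLE\\ben", plain, realm,
                                  k5login="ben@EXAMPLE.COM\n"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-16s %s" % (case, "allowed" if ok else "denied"))
```

Running demo() shows the point of the reply: whichever rule set is configured, ben@EXAMPLE.COM maps to exactly one string, so an application passing "ben" and one passing "EXAMPLE\ben" cannot both succeed against the same rules, whereas a .k5login entry is matched on the principal name and does not depend on the local-name format at all.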