libapache2-mod-auth-kerb and cross-realm
Jaap Winius
jwinius at umrk.nl
Tue Aug 12 20:21:59 EDT 2014
Hi folks,
As I make progress with my Kerberos configuration for Apache, cross-realm
support leaves something to be desired.
First, I started out with this configuration for libapache2-mod-auth-kerb
(v5.4-2 on Debian wheezy):
AuthType Kerberos
KrbAuthRealms EXAMPLE.COM
KrbServiceName Any
Krb5Keytab /etc/apache2/krb5-apache.keytab
KrbLocalUserMapping On
AuthName "Example login"
This works fine for local users, but excludes MYREALM.COM users, although
the system is configured to support this additional realm.
I fixed it by setting KrbLocalUserMapping to 'off', but now all the
authorized login names in the 'require user' list must also include a
realm, e.g. jwinius@MYREALM.COM, but also johnd@EXAMPLE.COM. That may not
sound so bad, but it also means that those visiting the site without a
Kerberos ticket must now enter their login name (for SPNEGO) that way as
well, which is not exactly what I was hoping for.
Is this the only way to enable cross-realm support for mod-auth-kerb, or
is there a more elegant solution?
Thanks,
Jaap
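The two behaviours described in the post, as an added model that is not part of the original message and not mod-auth-kerb code: a principal is mapped to the name Apache compares against the 'require user' list, either with the realm stripped for the server's own realm only (mapping on, which is why MYREALM.COM users are refused) or passed through in full (mapping off, which is why the list must carry realms). The default and trusted realm names are assumptions taken from the post; the mapping rule is a simplified stand-in for the library's real local-name lookup.

```python
"""Model of principal-to-login-name mapping under the two settings discussed
in the post.  Added illustration only; the rule below is a simplified
stand-in for mod-auth-kerb's real local-name lookup, not its code."""

DEFAULT_REALM = "EXAMPLE.COM"                     # the web server's own realm (assumption)
TRUSTED_REALMS = {"EXAMPLE.COM", "MYREALM.COM"}   # realms the KDC trust covers (assumption)


def split_principal(principal):
    """Split 'user@REALM' into its parts; realm names are case-sensitive."""
    if "@" not in principal:
        raise ValueError("principal must carry a realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    return name, realm


def map_user(principal, local_user_mapping):
    """Return the login name Apache would see, or None if the login is refused.

    local_user_mapping=True models KrbLocalUserMapping On: only principals of
    the default realm get a local name (realm suffix dropped); a foreign-realm
    principal has no local mapping and is refused.
    local_user_mapping=False models KrbLocalUserMapping Off: the full principal
    is passed through, so 'require user' entries must include the realm.
    """
    name, realm = split_principal(principal)
    if realm not in TRUSTED_REALMS:
        return None
    if local_user_mapping:
        return name if realm == DEFAULT_REALM else None
    return principal


def authorize(principal, require_user, local_user_mapping):
    """Apply a 'require user' list the way each configuration would."""
    seen = map_user(principal, local_user_mapping)
    return seen is not None and seen in require_user


if __name__ == "__main__":
    # Constructed sample: the same list with and without realms.
    for p in ("johnd@EXAMPLE.COM", "jwinius@MYREALM.COM"):
        print(p, "mapping on :", authorize(p, {"johnd", "jwinius"}, True))
        print(p, "mapping off:", authorize(p, {"johnd@EXAMPLE.COM", "jwinius@MYREALM.COM"}, False))
```

Keeping the realm in the compared name is also what stops jwinius@EXAMPLE.COM and jwinius@MYREALM.COM from being treated as the same login.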