libapache2-mod-auth-kerb and cross-realm

Russ Allbery eagle at eyrie.org
Tue Aug 12 20:28:06 EDT 2014


Jaap Winius <jwinius at umrk.nl> writes:

> First, I started out with this configuration for
> libapache2-mod-auth-kerb (v5.4-2 on Debian wheezy):

>   AuthType Kerberos
>   KrbAuthRealms EXAMPLE.COM
>   KrbServiceName Any
>   Krb5Keytab /etc/apache2/krb5-apache.keytab
>   KrbLocalUserMapping On
>   AuthName "Example login"

> This works fine for local users, but excludes MYREALM.COM users,
> although the system is configured to support this additional realm.

> I fixed it by setting KrbLocalUserMapping to 'off', but now all the
> authorized login names in the 'require user' list must also include a
> realm, e.g. jwinius at MYREALM.COM, but also johnd at EXAMPLE.COM. That may
> not sound so bad, but it also means that those visiting the site without
> a Kerberos ticket must now enter their login name (for SPNEGO) that way
> as well, which is not exactly what I was hoping for.

I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
option is to leave it on and change, in the Kerberos configuration, how
local user mapping is done to, for example, treat MYREALM.COM as a second
local realm (if that's appropriate).

However, I'm not sure if that works with password prompts, since the
system still needs to know which principal to use for authentication when
authenticating with a password.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
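As an added illustration that is not part of either message above: if the second-local-realm approach is taken, the krb5_aname_to_localname mapping that KrbLocalUserMapping relies on is controlled by auth_to_local rules in the default realm's stanza of /etc/krb5.conf (MIT Kerberos syntax assumed, realm names taken from the thread).

```ini
# /etc/krb5.conf fragment (example, not the original poster's file).
# auth_to_local rules are evaluated in order for the *authenticated*
# principal; the first matching rule decides the local user name.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Map single-component principals from MYREALM.COM to the same
        # local user name, e.g. jwinius@MYREALM.COM -> jwinius.
        # The regex is anchored to MYREALM.COM on purpose: a looser rule
        # such as s/@.*// would also map principals from any other realm
        # that EXAMPLE.COM has a cross-realm trust with onto local accounts.
        auth_to_local = RULE:[1:$1@$0](^.*@MYREALM\.COM$)s/@MYREALM\.COM$//
        # DEFAULT maps only EXAMPLE.COM principals to their first component;
        # anything else that did not match above is rejected, not mapped.
        auth_to_local = DEFAULT
    }
```

Because the rule runs after the ticket has been validated, it only changes the name handed to 'require user'; it does not change which principal a password-prompted (non-SPNEGO) user is authenticated as, which is the open question raised above.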
