libapache2-mod-auth-kerb and cross-realm

Jaap Winius jwinius at umrk.nl
Tue Aug 12 21:13:17 EDT 2014


On Tue, 12 Aug 2014 17:28:06 -0700, Russ Allbery wrote:

> I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
> option is to leave it on and change, in the Kerberos configuration, how
> local user mapping is done to, for example, treat MYREALM.COM as a
> second local realm (if that's appropriate).

That would be okay, but I tried that and it doesn't work. I get this in 
the error log:

krb5_aname_to_localname() found no mapping for principal jwinius@MYREALM.COM

So, not only is this second realm name not being stripped off as a 
result, both the 'jwinius' and 'jwinius@MYREALM.COM' entries in the 
'require user' list are ignored. That may make sense from a security 
standpoint, as those two entries don't have to be the same person.

Cheers,

Jaap
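For readers following the suggestion above: the mapping that krb5_aname_to_localname() performs is driven by auth_to_local rules in krb5.conf, and MIT Kerberos reads those rules from the [realms] stanza of the host's default_realm, not from the stanza of the realm being mapped. The fragment below is an added illustration written for this thread, not configuration from either poster; the realm name LOCAL.EXAMPLE and the rule are assumptions, and MYREALM.COM is used only because it appears in the discussion.

```ini
[libdefaults]
    # Assumed default realm of the web server; auth_to_local rules are
    # looked up under THIS realm's entry in [realms], whatever realm the
    # incoming principal belongs to.
    default_realm = LOCAL.EXAMPLE

[realms]
    LOCAL.EXAMPLE = {
        kdc = kdc.local.example
        # Rule syntax: RULE:[components:format](regex)s/pattern/replacement/
        # [1:$1@$0] rebuilds a one-component principal as "user@REALM";
        # the regex only matches principals from MYREALM.COM, and the
        # substitution strips the realm so "jwinius@MYREALM.COM" becomes
        # the local name "jwinius".
        auth_to_local = RULE:[1:$1@$0](^.*@MYREALM\.COM$)s/@.*//
        # DEFAULT keeps the normal behaviour for the local realm itself:
        # single-component principals of LOCAL.EXAMPLE map to their name.
        auth_to_local = DEFAULT
    }
    MYREALM.COM = {
        kdc = kdc.myrealm.com
        # Rules placed here are NOT consulted for mapping; putting them in
        # the foreign realm's stanza is a common reason for
        # "found no mapping for principal" errors.
    }
```

Keeping KrbLocalUserMapping on and expressing the mapping as an explicit rule has a security property worth noting: the realm is matched in the rule, so only principals from the realm you deliberately listed are collapsed onto local names, and anyone in that realm's user namespace is then treated as the same-named local user. That is exactly the trust relationship the message above hesitates over, so the regex should be as narrow as the deployment allows (for example, an explicit list of permitted principals via a tighter regex) rather than a blanket `.*`.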
