libapache2-mod-auth-kerb and cross-realm
Russ Allbery
eagle at eyrie.org
Tue Aug 12 21:20:47 EDT 2014
Jaap Winius <jwinius at umrk.nl> writes:
> On Tue, 12 Aug 2014 17:28:06 -0700, Russ Allbery wrote:
>> I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
>> option is to leave it on and change, in the Kerberos configuration, how
>> local user mapping is done to, for example, treat MYREALM.COM as a
>> second local realm (if that's appropriate).
> That would be okay, but I tried that and it doesn't work. I get this in
> the error log:
> krb5_aname_to_localname() found no mapping for principal jwinius@MYREALM.COM
That sounds like you didn't get the right aname_to_localname configuration
in your krb5.conf file, since it can't find a mapping.
> So, not only is this second realm name not being stripped off as a
> result, both the 'jwinius' and 'jwinius@MYREALM.COM' entries in the
> 'require user' list are ignored. That may make sense from a security
> standpoint, as those two entries don't have to be the same person.
Yes, the default behavior of krb5_aname_to_localname is to only strip the
local realm. You need explicit configuration to tell it what the safe
transforms are.
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>
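As an added illustration of the krb5.conf change discussed above (this is not part of the thread and not the poster's configuration), the fragment below shows what an explicit auth_to_local rule for MYREALM.COM looks like in MIT Kerberos. The local realm name EXAMPLE.ORG and the KDC hostnames are placeholders; with KrbLocalUserMapping left on, mod_auth_kerb's call to krb5_aname_to_localname then maps jwinius@MYREALM.COM to the local name jwinius, so a plain `require user jwinius` matches.

```ini
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    # MIT reads auth_to_local rules from the stanza of the *default* realm,
    # not from the stanza of the foreign realm whose principals are mapped.
    EXAMPLE.ORG = {
        kdc = kdc.example.org

        # Map single-component principals in MYREALM.COM (user@MYREALM.COM)
        # to the bare local username.  [1:$1@$0] formats one-component
        # principals as "user@REALM"; the anchored regexp then requires the
        # realm to be exactly MYREALM.COM before s/// strips it.  Principals
        # with more components (e.g. user/admin@MYREALM.COM) do not match the
        # [1:...] selector and fall through to the rule below.
        auth_to_local = RULE:[1:$1@$0](^[^@]+@MYREALM\.COM$)s/@MYREALM\.COM$//

        # Everything else keeps the stock behaviour: strip the default realm
        # only, and fail (no mapping) for any other realm.
        auth_to_local = DEFAULT
    }

    MYREALM.COM = {
        kdc = kdc.myrealm.com
    }
```

The rule deliberately collapses two namespaces into one, which is exactly the concern raised above: it is only appropriate when the administrators of MYREALM.COM and of the local realm agree that "jwinius" in both realms is the same person. Keeping the DEFAULT rule last ensures that principals from any realm not explicitly listed still fail to map rather than silently becoming local users. A quick way to check the result without touching Apache is to authenticate as a MYREALM.COM principal and confirm which local name the library resolves; if the mapping is still rejected, the rule is not in the default realm's stanza or its regexp does not match the principal as formatted.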