libapache2-mod-auth-kerb and cross-realm
Jaap Winius
jwinius at umrk.nl
Wed Aug 13 21:59:29 EDT 2014
On Wed, 13 Aug 2014 18:12:20 -0700, Russ Allbery wrote:
> Hm, I don't think that's the case with MIT Kerberos, ...
Well, I tried it out anyway, but it didn't work. In Apache I set
KrbAuthRealms to include both realms and left KrbLocalUserMapping set to
'On', while in krb5.conf I had:
[realms]
    EXAMPLE.COM = {
        admin_server = server1.example.com
    }
    MYREALM.COM = {
        admin_server = server1.myrealm.com
        auth_to_local = DEFAULT
    }
* Note: the KDCs are located via DNS.
In this case, the browser for my cross-realm account got an "Internal
Server Error" message when visiting the site, while the Apache error log
said:
krb5_aname_to_localname() found no mapping for principal jwinius@MYREALM.COM
So, it doesn't look like the auth_to_local setting was influencing the
matter at all.
On the other hand, when I applied 'auth_to_local = DEFAULT' to EXAMPLE.COM
instead of MYREALM.COM, set KrbLocalUserMapping to 'Off', made sure
jwinius@EXAMPLE.COM was not included in the 'require user' list, and used
a browser on an EXAMPLE.COM client to access the site, the response was
'Authorization Required' with this in the Apache error log:
user 'jwinius@EXAMPLE.COM' does not meet 'require'ments for user/valid-user to be allowed access
So, either my 'auth_to_local = DEFAULT' setting isn't working at all, or
Apache just isn't picking up on the result.
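Two facts about MIT Kerberos explain both experiments above, and the following Python emulation (added here; it is not MIT or mod_auth_kerb code, and it uses Python's `re` rather than the POSIX regex engine libkrb5 links against) makes them concrete: krb5_aname_to_localname() reads auth_to_local only from the [realms] stanza of the *default* realm, so rules placed under MYREALM.COM are never consulted; and the DEFAULT rule maps only a single-component principal whose realm *is* the default realm, so jwinius@MYREALM.COM gets no mapping and needs an explicit RULE. The model of mod_auth_kerb (500 on a failed mapping with KrbLocalUserMapping On, the full principal as REMOTE_USER with it Off) is inferred from the two log messages quoted in the post and is an assumption. EXAMPLE.COM is assumed to be the server's default_realm; all principals and rules are constructed for the example.

```python
"""Emulation of MIT krb5 auth_to_local evaluation and of how mod_auth_kerb
uses the result. Added example, not code from MIT Kerberos or mod_auth_kerb."""
import re

# Assumed default_realm from [libdefaults]; rules are read from
# [realms] -> DEFAULT_REALM -> auth_to_local, never from another realm's stanza.
DEFAULT_REALM = "EXAMPLE.COM"

# A fix for the post's setup would go under EXAMPLE.COM, not MYREALM.COM:
#   [realms]
#       EXAMPLE.COM = {
#           auth_to_local = RULE:[1:$1@$0](.*@MYREALM\.COM)s/@.*//
#           auth_to_local = DEFAULT
#       }
CROSS_REALM_RULE = "RULE:[1:$1@$0](.*@MYREALM\\.COM)s/@.*//"

RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*?)\)((?:s/.*)?)$")
SUBST_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")


def parse_principal(principal):
    """'comp1/comp2@REALM' -> (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal name: {principal!r}")
    return name.split("/"), realm


def apply_default(components, realm, default_realm):
    """DEFAULT: only a one-component principal in the default realm maps."""
    if len(components) == 1 and realm == default_realm:
        return components[0]
    return None


def apply_rule(rule, components, realm):
    """RULE:[n:string](regexp)s/pattern/replacement/g ... (n must equal the
    number of components; $0 is the realm, $1..$n the components; regexp is
    anchored; each s/// clause is then applied to the selection string)."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"cannot parse {rule!r}")
    n, fmt, regexp, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(components) != n:
        return None

    def expand(mo):
        i = int(mo.group(1))
        if i > n:
            raise ValueError(f"${i} out of range in {rule!r}")
        return realm if i == 0 else components[i - 1]

    selection = re.sub(r"\$(\d+)", expand, fmt)
    if re.fullmatch(regexp, selection) is None:
        return None
    for pattern, repl, g in SUBST_RE.findall(substs):
        selection = re.sub(pattern, repl, selection, count=0 if g else 1)
    return selection


def aname_to_localname(principal, rules, default_realm=DEFAULT_REALM):
    """Local user name, or None where libkrb5 logs
    'found no mapping for principal' (KRB5_LNAME_NOTRANS)."""
    components, realm = parse_principal(principal)
    for rule in rules or ["DEFAULT"]:  # no auth_to_local at all acts like DEFAULT
        if rule == "DEFAULT":
            local = apply_default(components, realm, default_realm)
        elif rule.startswith("RULE:"):
            local = apply_rule(rule, components, realm)
        else:
            raise ValueError(f"unsupported auth_to_local value {rule!r}")
        if local is not None:
            return local
    return None


def mod_auth_kerb_remote_user(principal, rules, local_user_mapping):
    """(HTTP status, REMOTE_USER) under the assumed mod_auth_kerb behaviour:
    KrbLocalUserMapping On -> map via krb5_aname_to_localname(), 500 on failure;
    Off -> REMOTE_USER is the full principal name."""
    if not local_user_mapping:
        return 200, principal
    local = aname_to_localname(principal, rules)
    return (200, local) if local is not None else (500, None)


def require_user_ok(remote_user, allowed):
    """'require user a b c': an exact string comparison against REMOTE_USER."""
    return remote_user in allowed


if __name__ == "__main__":
    # Experiment 1 from the post: mapping On, no rules for the default realm.
    print(mod_auth_kerb_remote_user("jwinius@MYREALM.COM", [], True))        # (500, None)
    # Experiment 2: mapping Off, 'require user jwinius'.
    status, ru = mod_auth_kerb_remote_user("jwinius@EXAMPLE.COM", ["DEFAULT"], False)
    print(ru, require_user_ok(ru, ["jwinius"]))                               # jwinius@EXAMPLE.COM False
    # With the RULE under the default realm, both realms map to 'jwinius'.
    rules = [CROSS_REALM_RULE, "DEFAULT"]
    print(aname_to_localname("jwinius@MYREALM.COM", rules))                  # jwinius
```

Note what the RULE does to the trust boundary: once it is in place, any principal in MYREALM.COM maps onto the local user of the same name, so `require valid-user` admits every MYREALM.COM user and a collision such as root@MYREALM.COM becomes the local root. Anchor the regexp on the specific names or groups you intend to admit rather than `.*`, and keep `KrbAuthRealms` to the realms you actually trust.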