libapache2-mod-auth-kerb and cross-realm
Greg Hudson
ghudson at MIT.EDU
Wed Aug 13 23:07:03 EDT 2014
On 08/13/2014 09:59 PM, Jaap Winius wrote:
> [...] while in krb5.conf I had:
It turns out that the only auth_to_local relations used from krb5.conf
are the ones in the realm subsection for the default realm. It would
make more sense if it were located in [libdefaults], but this is the
historical behavior.
So you need something like:

    [realms]
        EXAMPLE.COM = {
            auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//
            auth_to_local = DEFAULT
        }
The rule is more complicated than it seems like it should have to be,
also for historical reasons. The rule expression decomposes as follows:
* [1:$1@$0] matches only one-component principals, and creates a
selection string containing the first component and the realm. (Without
the explicit selection string, the realm name is stripped out regardless
of what it is.)
* (.*@MYREALM.COM) is a regexp matching the selection string. The regexp
is implicitly anchored at both ends, so it must match the whole string.
* s/@MYREALM.COM$// strips off the matched realm name.
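The decomposition above can be checked mechanically. What follows is an added Python example, not part of Greg Hudson's message and not MIT krb5's own code: a small interpreter for `auth_to_local` entries of the forms `RULE:[n:string](regexp)s/pattern/replacement/[g]` and `DEFAULT`, evaluated over a few constructed principals. It is simplified relative to the real library (Python regexps stand in for POSIX ones, and only the syntax shown on this page is handled), but it reproduces the three properties that matter for a cross-realm setup: component-count matching, the implicit full-string anchoring of the regexp, and the fact that a missing selection string discards the realm before the regexp ever sees it.

```python
import re

# Grammar of the RULE form used on this page (simplified, an assumption of
# this example): RULE:[n:selection](regexp)s/pattern/replacement/[g]
# Both the [n:selection] part and the (regexp) part are optional.
RULE_RE = re.compile(
    r'^RULE:'
    r'(?:\[(\d+):([^\]]*)\])?'              # optional [n:selection]
    r'(?:\(([^)]*)\))?'                      # optional (regexp)
    r's/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$'  # s/pattern/replacement/[g]
)


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, realm = principal.rsplit('@', 1)
    return name.split('/'), realm


def expand_selection(template, comps, realm):
    """Replace $0 with the realm and $n with the n-th principal component."""
    def repl(m):
        i = int(m.group(1))
        if i == 0:
            return realm
        if i > len(comps):
            raise IndexError(i)      # $n beyond the component count: rule is inapplicable
        return comps[i - 1]
    return re.sub(r'\$(\d+)', repl, template)


def apply_rule(rule, comps, realm, default_realm):
    """Return the local name produced by one entry, or None if it does not apply."""
    if rule == 'DEFAULT':
        # DEFAULT only maps single-component principals in the default realm.
        if realm == default_realm and len(comps) == 1:
            return comps[0]
        return None

    m = RULE_RE.match(rule)
    if not m:
        raise ValueError('unsupported auth_to_local entry: %r' % rule)
    ncomps, selection_tpl, regexp, pattern, replacement, flag = m.groups()

    if ncomps is not None and int(ncomps) != len(comps):
        return None                  # [n:...] restricts the component count
    if selection_tpl is None:
        # No selection string: only the components are used, the realm is
        # dropped before the regexp is applied, whatever the realm was.
        selection = '/'.join(comps)
    else:
        try:
            selection = expand_selection(selection_tpl, comps, realm)
        except IndexError:
            return None
    # The regexp is implicitly anchored at both ends, hence fullmatch.
    if regexp is not None and not re.fullmatch(regexp, selection):
        return None
    count = 0 if flag == 'g' else 1
    return re.sub(pattern, replacement, selection, count=count)


def map_principal(rules, principal, default_realm):
    """Walk the auth_to_local list in order; first applicable entry wins."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, comps, realm, default_realm)
        if local is not None:
            return local
    return None


# The two entries from the krb5.conf snippet on this page.
RULES = [
    'RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//',
    'DEFAULT',
]
DEFAULT_REALM = 'EXAMPLE.COM'

if __name__ == '__main__':
    # Constructed sample principals, not taken from any real deployment.
    for p in ['alice@MYREALM.COM', 'bob@EXAMPLE.COM', 'eve@OTHER.COM',
              'host/www.myrealm.com@MYREALM.COM', 'alice/admin@EXAMPLE.COM']:
        print('%-36s -> %s' % (p, map_principal(RULES, p, DEFAULT_REALM)))
    # Same principal from a foreign realm, but with a rule that has no
    # selection string: the realm is never examined, so it maps anyway.
    print(map_principal(['RULE:(.*)s/^/krb-/'], 'eve@OTHER.COM', DEFAULT_REALM))
```

Running it shows `alice@MYREALM.COM` mapping to `alice` via the RULE, `bob@EXAMPLE.COM` mapping to `bob` via DEFAULT, and `eve@OTHER.COM` and the two-component principals mapping to nothing, which is the behaviour you want: a principal from a realm you have not named is refused rather than silently collapsed to a local account. The last line illustrates the remark about omitting the selection string: with `RULE:(.*)s/^/krb-/` the foreign principal is accepted as `krb-eve`, because the realm was stripped before the regexp ran.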