libapache2-mod-auth-kerb and cross-realm

Simo Sorce simo at redhat.com
Thu Aug 14 09:56:35 EDT 2014


On Thu, 2014-08-14 at 13:29 +0000, Jaap Winius wrote:
> On Wed, 13 Aug 2014 23:07:03 -0400, Greg Hudson wrote:
> 
> > So you need something like:
> > 
> > [realms]
> >   EXAMPLE.COM = {
> >     auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//
> >     auth_to_local = DEFAULT
> >   }
> 
> Amazing, it works! Greg, you're a genius... or just happen to know these 
> things. I would never have come up with this on my own. Although I did 
> encounter an example of someone using $0, they were doing something else 
> with it and perhaps I didn't understand enough of what was going on.
> 
> Some other notes. Regarding the Apache configuration, for this to work I 
> don't have to include MYREALM.COM in the KrbAuthRealms list -- just the 
> default realm. No realm name parts in the 'require user' list either.
> 
> Lastly, I was initially afraid that this would affect Kerberos 
> authentication for other services, such as SSH, but apparently not, so 
> I'm thus far very pleased with this configuration.
> 
> Thanks, Greg, and Russ!

Keep in mind that this will make foo@MYREALM.COM and foo@EXAMPLE.COM
effectively the same user for all applications (including Apache and
SSH).

If you do not want that what you can do is to change the first line to
something like:
auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/^(.*)@MYREALM.COM$/myrealm-\1/
or:
auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/@myrealm.com/

(hopefully got the replaces right :-)

This would result in:
foo@EXAMPLE.COM -> foo
foo@MYREALM.COM -> myrealm-foo [or foo@myrealm.com]

So you can distinguish between the 2 users.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
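
The following is an added worked example, not code from this thread or from krb5: a small Python emulator of how MIT krb5 walks a realm's auth_to_local list, fed with constructed krb5.conf fragments that mirror the rules discussed above. It shows the point Simo raises: with the realm-stripping rule, foo@EXAMPLE.COM and foo@MYREALM.COM both come out as the local user "foo", and since that local name is what Apache's 'require user' and sshd's user check authorize against, the two Kerberos identities become one account on the host; the namespaced replacement keeps them apart (foo versus myrealm-foo), and principals no rule covers (a third realm, or a two-component service principal) get no local user at all. Two behaviours are built in as assumptions from my reading of the MIT code, so verify them against your build: both regular expressions are compiled as POSIX extended expressions and the (regexp) part must cover the whole formatted string, which is why the capture group is written (.*) rather than \(.*\); and if the s/pattern/replacement/ pattern does not match, the string passes through unchanged, which the BRE-style variant in the example demonstrates. The realm names, rule lines and sample principals are constructed for the example.

```python
# Added example (not from the thread or from krb5): a small emulator of how MIT
# krb5 walks a realm's auth_to_local list, to show why a realm-stripping rule
# merges foo@MYREALM.COM into foo and how a namespaced replacement keeps them apart.
# Assumptions (my reading of MIT's localauth code, verify against your build):
#   - rules are tried in order; the first one that applies wins, otherwise no mapping
#   - the (regexp) part is POSIX extended and must cover the whole formatted string
#   - if the s/pattern/replacement/ pattern does not match, the string passes through
import re

DEFAULT_REALM = "EXAMPLE.COM"  # constructed: the Apache host's own realm

# Constructed rule lines mirroring the thread; raw strings keep \. and \1 intact.
RULE_MERGE = r"RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//"
RULE_DISTINCT = r"RULE:[1:$1@$0](.*@MYREALM.COM)s/^(.*)@MYREALM\.COM$/myrealm-\1/"
# BRE-style \( \) grouping: under extended syntax these are literal parentheses,
# so the s// pattern never matches and the realm-qualified string comes out unchanged.
RULE_BRE_STYLE = r"RULE:[1:$1@$0](.*@MYREALM.COM)s/^\(.*\)@MYREALM.COM$/myrealm-\1/"

RULE_SYNTAX = re.compile(r"^\[(\d+):([^\]]*)\]\((.*)\)s/(.*)$")


def conf_for(rule_line, realm=DEFAULT_REALM):
    """Build a constructed krb5.conf [realms] fragment: the given RULE, then DEFAULT."""
    return (f"[realms]\n  {realm} = {{\n"
            f"    auth_to_local = {rule_line}\n"
            f"    auth_to_local = DEFAULT\n  }}\n")


def load_rules(conf_text, realm):
    """Collect the auth_to_local values, in order, from the realm's block."""
    rules, in_realm = [], False
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line == f"{realm} = {{":
            in_realm = True
        elif in_realm and line == "}":
            in_realm = False
        elif in_realm and line.startswith("auth_to_local"):
            rules.append(line.split("=", 1)[1].strip())
    return rules


def apply_rule(exp, comps, realm):
    """Evaluate one RULE: body ([n:string](regexp)s/pat/repl/[g]); None if it does not apply."""
    m = RULE_SYNTAX.match(exp)
    if m is None:
        raise ValueError(f"malformed auth_to_local rule: {exp}")
    n, fmt, match_re, subst = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if n != len(comps):
        return None                      # component count must match exactly
    s = fmt.replace("$0", realm)         # $0 is the realm, $1..$n the components
    for i, comp in enumerate(comps, start=1):
        s = s.replace(f"${i}", comp)
    if re.fullmatch(match_re, s) is None:
        return None                      # regexp must match the whole string
    fields = re.split(r"(?<!\\)/", subst)  # split on '/' not preceded by a backslash
    pattern, repl = fields[0], fields[1]
    count = 0 if len(fields) > 2 and "g" in fields[2] else 1

    def expand(mo):
        # sed-style \1..\9 back-references into the pattern's groups
        return re.sub(r"\\([1-9])", lambda b: mo.group(int(b.group(1))) or "", repl)

    return re.sub(pattern, expand, s, count=count)


def auth_to_local(principal, rules, default_realm=DEFAULT_REALM):
    """Map a principal to a local user name; None means no local user at all."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the default realm.
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
        elif rule.startswith("RULE:"):
            local = apply_rule(rule[len("RULE:"):], comps, realm)
            if local is not None:
                return local
        else:
            raise ValueError(f"unsupported auth_to_local value: {rule}")
    return None


def mapping_table(conf_text, principals, realm=DEFAULT_REALM):
    """Return {principal: local name} under the realm's auth_to_local list in conf_text."""
    rules = load_rules(conf_text, realm)
    return {p: auth_to_local(p, rules, realm) for p in principals}


PRINCIPALS = ["foo@EXAMPLE.COM", "foo@MYREALM.COM",   # constructed sample principals
              "foo@OTHER.COM", "host/www.example.com@EXAMPLE.COM"]

if __name__ == "__main__":
    for label, rule in (("merging", RULE_MERGE), ("distinct", RULE_DISTINCT),
                        ("BRE-style", RULE_BRE_STYLE)):
        print(label)
        for p, local in mapping_table(conf_for(rule), PRINCIPALS).items():
            print(f"  {p:36} -> {local}")
```

Running it prints the three mapping tables; mapping_table() returns the same data for anything else worth checking, such as a rule with the trailing g flag or a two-component [2:$1/$2] format string, before the rule goes into a real krb5.conf.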
