mod_auth_kerb realm not stripped

ewae rpok ewaerpok at mail.com
Thu Jan 25 08:06:12 EST 2018


Hello all.

I am unsure how to get krb5_aname_to_localname to function appropriately with the KrbLocalUserMapping directive of apache's mod_auth_kerb.

It does do some transformation, converting to lowercase.  However the realm part is not stripped off. 
 Example output from apache error_log:

[Thu Jan 25 11:53:33.969841 2018] [auth_kerb:debug] [pid 2176] src/mod_auth_kerb.c(1855): [client 192.168.254.170:65016] kerb_authenticate_a_name_to_local_name Test123 at X.Y.Z -> test123 at x.y.z

(All other examples I found on this list and elsewhere have output of format: ... Test123 at X.Y.Z -> Test123 )

I have tried experimenting with auth_to_local tags in the [realms] sections of /etc/krb5.conf, but could see no evidence of the rules being invoked.  i.e. Same output in the apache error log regardless.

This then appears to get passed on for use in subsequent ldap authorisations (apache mod_authnz_ldap).  This does not work for us as we need to authorise against stripped user names (Active Directory sAMAccount or similar; our userPrincipalName is a different format: Test123 at Q.Y.Z, so can't workaround using that).

Grateful for any advice,
Ewae.


More information about the Kerberos mailing list