Re: gss_localname() with multiple KDC/User Directories + Apache + mod_auth_gssapi

Tobias Kritten (EXT) tk at
Tue Jul 20 12:13:48 EDT 2021

Hi Greg,

thanks for your quick help!

> auth_to_local is always looked up in the default realm, not in the realm of
> the principal being authorized.  This is why the rule has to do the annoying
> dance of explicitly including the realm in the [] part, matching it in the () part,
> and removing it in the s// part.  Fixing this historical botch isn't trivial since the
> obvious fixes would be likely to break existing deployments.  (The same
> problem applies to auth_to_local_names, which is even worse since there's
> no workaround aside from not doing any cross-realm.)

Moving the auth_to_local directive into the default realm solved the issue - thank you so much! :-)


Kind regards from Dortmund,
Tobias Kritten (EXT), Head of Internal IT
dogado GmbH
Antonio-Segni-Straße 11
44263 Dortmund

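
The rule shape described in the quoted reply, shown as an added krb5.conf fragment that is not part of the original message. The realm names EXAMPLE.COM (default realm) and PARTNER.EXAMPLE.NET (foreign realm) are placeholders.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    # auth_to_local is looked up in the default realm's section, so rules
    # for principals of other realms have to be placed here as well.
    EXAMPLE.COM = {
        # [1:$1@$0]  build "user@REALM" from a one-component principal
        #            ($0 expands to the principal's realm)
        # (...)      apply the rule only if that string ends in the foreign realm
        # s/...//    strip the realm again, leaving the local account name
        auth_to_local = RULE:[1:$1@$0](^.*@PARTNER\.EXAMPLE\.NET$)s/@PARTNER\.EXAMPLE\.NET$//

        # Principals of the default realm keep the built-in mapping.
        auth_to_local = DEFAULT
    }

    # An auth_to_local rule placed in a PARTNER.EXAMPLE.NET section would
    # not be consulted while default_realm is EXAMPLE.COM.
```

Stripping the realm maps alice@PARTNER.EXAMPLE.NET and alice@EXAMPLE.COM to the same local name, so this form is appropriate only when user names in both realms refer to the same accounts.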

