[krbdev.mit.edu #8505] krb5.conf(5): documentation of auth_to_local unclear and ambiguous
Markus Kuhn via RT
rt-comment at krbdev.mit.edu
Fri Sep 30 13:18:10 EDT 2016
The krb5.conf(5) man page currently says:
[realms]
Each tag in the [realms] section of the file is the name of a Kerberos
realm. The value of the tag is a subsection with relations that define
the properties of that particular realm. For each realm, the following
tags may be specified in the realm's subsection:
[...]
auth_to_local
This tag allows you to set a general rule for mapping principal
names to local user names. It will be used if there is not an
explicit mapping for the principal name that is being translated.
At no point does the manual page say what meaning the tag in the [realms]
section has in the context of auth_to_local, i.e. how the realm tag affects
under which condition the specified auth_to_local rule is applied.
In other words, if I have in krb5.conf something like
[realms]
REALM1.COM = {
auth_to_local = ...
}
REALM2.COM = {
auth_to_local = ...
}
please explain more clearly under which condition the first or the second
auth_to_local tag is applied.
If a client user A@REALM1.COM connects to a server B@REALM2.COM, and I want to
use auth_to_local to translate A@REALM1.COM into a local user A, do I have to
place that auth_to_local tag in a subsection
REALM1.COM = { auth_to_local = ... }
or
REALM2.COM = { auth_to_local = ... }
Is the realm tag here the one of the client principal in the ticket, or
the one of the server principal in the ticket, or even just the
default_realm of the server?
It would be great if the krb5.conf man page answered that question
in a clear manner, in order to clarify the semantics of auth_to_local
in a cross-realm context.
One common use of auth_to_local is to allow users from other realms into
a server, as mentioned at
http://superuser.com/questions/808461/cross-realm-kerberos-authentication-with-ssh
Unfortunately, the current krb5.conf(5) man page doesn't document the semantics
clearly enough to make it obvious how to do that.
In addition: since auth_to_local uses regular expressions, it would be
most helpful if the documentation stated which of the many regular expression
languages out there is used (POSIX BRE/ERE/SRE, PCRE, etc.), with a
reference to its full documentation.
Thanks,
Markus
--
Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain
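As an added worked example (not part of the bug report above and not MIT's own code): the Python model below evaluates auth_to_local the way I read the MIT krb5 library source, namely that the rules consulted are the ones in the [realms] subsection of the local host's default_realm (the server's default realm, neither the client principal's realm nor the service principal's realm), that a RULE value has the form RULE:[n:string](regexp)s/pattern/replacement/g with the match expression having to cover the whole formatted string, and that DEFAULT accepts only single-component principals of the default realm. Those are my assumptions, not statements made on this page. MIT compiles the expressions with the C library's regcomp(3) in REG_EXTENDED mode as far as I can tell from its source; this toy uses Python's re module instead, so the sample rules stick to syntax that both dialects share. The realm names, principals and rule set are constructed for the example.

```python
from __future__ import annotations

import re
from typing import Optional

# RULE:[n:string](regexp)s/pattern/replacement/g -- selector, match and
# substitution parts are each optional in this toy parser.
_RULE_RE = re.compile(r"^(?:\[(\d+):([^\]]*)\])?(?:\((.*?)\))?((?:s/.*)?)$", re.DOTALL)
# One s/pattern/replacement/[g] command; a '/' inside either part must be escaped.
_SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")

# Constructed [realms] content: realm name -> auth_to_local values, in order.
KRB5_CONF_REALMS: dict[str, list[str]] = {
    "REALM1.COM": [
        "RULE:[1:$1](^.*$)s/^.*$/guest/",  # every single-component principal -> guest
        "DEFAULT",
    ],
    "REALM2.COM": [
        # Admit A@REALM1.COM as local user A; the anchors keep it to that one realm.
        "RULE:[1:$1@$0](^[^@]+@REALM1\\.COM$)s/@REALM1\\.COM$//",
        # bob/admin@REALM2.COM -> bob
        "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
        "DEFAULT",
    ],
}


def _split_principal(principal: str) -> tuple[list[str], str]:
    """Split 'comp1/comp2@REALM' into components and realm.

    Toy version: assumes no backslash-escaped '/' or '@' in the name.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal needs a name and a realm: {principal!r}")
    return name.split("/"), realm


def _expand_selector(fmt: str, components: list[str], realm: str) -> str:
    """Substitute $0 with the realm and $i with the i-th principal component."""
    def repl(m: re.Match) -> str:
        i = int(m.group(1))
        if i == 0:
            return realm
        if i > len(components):
            raise ValueError(f"${i} exceeds the {len(components)} components")
        return components[i - 1]
    return re.sub(r"\$(\d+)", repl, fmt)


def _parse_substitutions(text: str) -> list[tuple[str, str, bool]]:
    """Parse a run of s/pattern/replacement/[g] commands."""
    subs, pos = [], 0
    while pos < len(text):
        m = _SUBST_RE.match(text, pos)
        if m is None:
            raise ValueError(f"bad substitution syntax: {text[pos:]!r}")
        subs.append((m.group(1), m.group(2), m.group(3) == "g"))
        pos = m.end()
    return subs


def apply_rule(exp: str, components: list[str], realm: str) -> Optional[str]:
    """Evaluate one RULE expression; None means the rule does not apply."""
    m = _RULE_RE.match(exp)
    if m is None:
        raise ValueError(f"unparseable rule: {exp!r}")
    n, fmt, regexp, subst_text = m.groups()
    if n is not None:
        if int(n) != len(components):
            return None  # selector is for principals of a different shape
        string = _expand_selector(fmt, components, realm)
    else:
        # Assumption: without a selector the whole 'name@REALM' string is used.
        string = "/".join(components) + "@" + realm
    # The match expression has to cover the whole string, not just a substring.
    if regexp is not None and re.fullmatch(regexp, string) is None:
        return None
    for pattern, replacement, is_global in _parse_substitutions(subst_text):
        string = re.sub(pattern, replacement, string, count=0 if is_global else 1)
    return string


def aname_to_localname(principal: str, realms: dict[str, list[str]],
                       default_realm: str) -> Optional[str]:
    """Map a principal to a local user name; None if no rule admits it."""
    components, realm = _split_principal(principal)
    # Assumption: the rules come from the subsection of the local host's
    # default_realm, whatever realm the client principal belongs to.
    for value in realms.get(default_realm, ["DEFAULT"]):
        if value == "DEFAULT":
            if len(components) == 1 and realm == default_realm:
                return components[0]
        elif value.startswith("RULE:"):
            local = apply_rule(value[len("RULE:"):], components, realm)
            if local is not None:
                return local
        else:
            raise ValueError(f"unsupported auth_to_local value: {value!r}")
    return None


if __name__ == "__main__":
    for princ, host_realm in [("A@REALM1.COM", "REALM2.COM"), ("A@REALM1.COM", "REALM1.COM"),
                              ("bob/admin@REALM2.COM", "REALM2.COM"), ("mallory@EVIL.COM", "REALM2.COM")]:
        print(f"{princ:22s} on a {host_realm} host -> "
              f"{aname_to_localname(princ, KRB5_CONF_REALMS, host_realm)}")
```

On a host whose default_realm is REALM2.COM the model maps A@REALM1.COM to the local user A through the rule in the REALM2.COM subsection, while the same principal on a host whose default_realm is REALM1.COM is mapped to guest by that realm's rule, so the subsection that matters is the one named after the server's default realm. mallory@EVIL.COM gets no mapping because DEFAULT refuses foreign-realm principals; a careless rule such as s/@.*// applied without an anchored match expression would undo that for every realm the server has a cross-realm path to.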