krb5.conf auth_to_local rules Nicolas.Williams at
Mon Jul 15 09:21:01 EDT 2002

RULEs are:

[<ncomps>:<string with $n interpolated for given comp>](regexp)s/pattern/rewrite/[g]


		auth_to_local = {

These two rules map admin princs to the username in the first component and root princs to root.

I forget, but I think that the regexp in () is optional.

Caveats: the regexp in () can be an extended regexp, but it cannot contain parentethis, not even quoted. Similarly, the s//[g] rewrite rule cannot contain a forward slash, not even if quoted (this is the reason that I used a semi-colon in the first rule above).



> -----Original Message-----
> From: Jen Selby [mailto:jenselby at]
> Sent: Sunday, July 14, 2002 7:44 PM
> To: krbdev at
> Subject: krb5.conf auth_to_local rules
> I am attempting to document the tag auth_to_local in the realms
> section of krb5.conf.
> The DB:<filename> and DEFAULT values for this tag are fairly
> self-explanatory, but I'd like to provide more of an explanation for
> the RULE:<exp> value.
> As far as I can tell from the code, the syntax for exp is
> [n:$d..](s/regexp/substitute/g), where n is the number of components
> that the target principal[s] will have, and each $d specifies the
> individual components, so that you can choose the order that they will
> be in in the string that will be processed by the substitution
> expression.  The trailing g in the is option and will make the
> substitution global for the string.
> So if I have
> [realms]
> 	MYREALM = {
> 		auth_to_local = {
> 			RULE:[2:$1](s/lucifer/lucifer/)
> 			RULE:[2:$2](s/admin/root/)
> 		}
> 	}
> Then lucifer/admin at MYREALM would be translated to the local user
> lucifer and any other principal with an admin instance will be
> translated to root.  Every principal with a null instance will be
> translated to their principal name (without the realm), and everyone
> else will produce an error.
> Has anyone who has actually used this tell me if my interpretation is
> correct (and maybe also send me examples of your krb5.conf)?
> Thanks.
> Jen
> _______________________________________________
> krbdev mailing list             krbdev at

Visit our website at

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

More information about the krbdev mailing list