auth_to_localnames only using default realm?

Nebergall, Christopher cneberg at
Fri Nov 21 19:07:43 EST 2003

Why is it that, no matter what realm the user is in, only the
auth_to_local_names attribute in the default realm is used for the mapping?
That seems to be wrong. I would think that, if this really is a
realm-specific setting like the profile hierarchy suggests, I would want to
look up the mappings from the realm the person is coming from, not the
default realm.  If it is not meant to be realm specific, it should probably
be moved out of the realm-specific settings area.  To make things more
confusing, the realm information is dropped before the mapping:
user1 at anyrealm will be mapped using only user1; the realm they come from
is not used in the match.

Example in 1.3.1

If I see roger at or roger at they both get mapped into roger1
using the krb5.conf settings below.

default_realm = = {
          kdc = something
          auth_to_local_names = {
               roger = roger1
          } = {
          kdc = something

Notice from the code snippet below that the default realm is used for


  if (!(kret = krb5_get_default_realm(context, &realm))) {
        /* Flatten the name */
        if (!(kret = krb5_unparse_name(context, aname, &pname))) {
            if ((mname = aname_full_to_mapping_name(pname))) {
                /*
                 * Search first for explicit mappings of the form:
                 * [realms]->realm->"auth_to_local_names"->mapping_name
                 */
                hierarchy[0] = "realms";
>>>>>>>>                hierarchy[1] = realm;
                hierarchy[2] = "auth_to_local_names";
                hierarchy[3] = mname;
                hierarchy[4] = (char *) NULL;
                if (!(kret = profile_get_values(context->profile,
                                                hierarchy,
                                                &mapping_values))) {
                    /* We found one or more explicit mappings. */
                    for (nvalid=0; mapping_values[nvalid]; nvalid++);
                    /* Just use the last one. */
                    /* Trim the value. */
