[36813] in Kerberos


RE: cross realm trusts

daemon@ATHENA.MIT.EDU (Paul B. Henson)
Thu Feb 26 22:38:10 2015

From: "Paul B. Henson" <henson@acm.org>
To: <kerberos@mit.edu>
In-Reply-To: <0ce201d04197$4d9c9940$e8d5cbc0$@acm.org>
Date: Thu, 26 Feb 2015 19:37:45 -0800
Message-ID: <1bd501d0523e$c26037c0$4720a740$@acm.org>
MIME-Version: 1.0
Content-Language: en-us
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> From: Paul Henson
> Sent: Thursday, February 05, 2015 2:59 PM
> 
> Both realms will have exactly the same set of users. Are these the only
> two steps needed to allow a principal user@CSUPOMONA.EDU to directly access
> services in the CPP.EDU realm transparently? Or is there something else I
> need to do to allow transparency during the migration?

It turns out there is a third step required: mapping the foreign principal
to a local name. That wasn't very straightforward; I came across some
documentation and examples referencing auth_to_local_realm, which seemed like
exactly what I needed. Unfortunately, that is evidently a Solaris-specific
extension and doesn't work anywhere else. After some more digging, I found
an example showing that adding the following two entries to the realm
configuration did what I needed:

auth_to_local = RULE:[1:$1]
auth_to_local = DEFAULT

With these entries in place for both realms, any principal from the opposite
realm that tries to access a service is mapped to the same local user as a
local principal. This is roughly approximate to auth_to_local_realm, other
than that it applies to every foreign realm, not just specific ones. But as
I only have one trust relationship, that doesn't really matter. There were
some additional complications available in terms of regexps for these rules
that might have allowed one to restrict it to a specific foreign realm, but
I didn't bother to follow up on that as this will do what I need for the
transition/migration.

Thanks.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
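The following is an added example, not part of the message above and not code from MIT krb5: a small Python model of how the two auth_to_local entries in the message (`RULE:[1:$1]` followed by `DEFAULT`) select a local user name, alongside a constructed realm-restricted variant of the kind the author alludes to (a RULE with a regexp and a substitution). The local realm CPP.EDU, the principal names and the third realm THIRD.EXAMPLE are constructed inputs; the assumption that krb5 requires the regexp to match the whole formatted string, the literal (non-backreference) substitution and the simplified principal parsing are labelled in the comments.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two entries from the message, as they appear under a realm stanza in
# krb5.conf. Constructed: CPP.EDU is taken as the local (default) realm.
PAGE_RULES = ["RULE:[1:$1]", "DEFAULT"]
DEFAULT_REALM = "CPP.EDU"

# Constructed realm-restricted variant: format the principal as "user@REALM",
# require the realm to be CSUPOMONA.EDU, then strip the realm suffix.
# DEFAULT still handles single-component principals of the local realm.
RESTRICTED_RULES = [
    r"RULE:[1:$1@$0](.*@CSUPOMONA\.EDU)s/@CSUPOMONA\.EDU$//",
    "DEFAULT",
]

# RULE:[n:string](regexp)s/pattern/replacement/g  (regexp and s/// optional)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
SUBST_RE = re.compile(r"^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


@dataclass
class Rule:
    ncomp: int                            # applies only to principals with this many components
    fmt: str                              # $0 = realm, $1..$n = components
    regexp: Optional[str]                 # formatted string must match this, if present
    substs: List[Tuple[str, str, bool]]   # (pattern, literal replacement, global?)


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not an auth_to_local RULE: %r" % text)
    rest = m.group(4)
    substs = []
    while rest:
        sm = SUBST_RE.match(rest)
        if not sm:
            raise ValueError("bad substitution in rule: %r" % rest)
        substs.append((sm.group(1), sm.group(2), sm.group(3) == "g"))
        rest = rest[sm.end():]
    return Rule(int(m.group(1)), m.group(2), m.group(3), substs)


def split_principal(principal: str) -> Tuple[List[str], str]:
    # Simplified parsing: \@ and \/ escapes in principal names are not handled.
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule: Rule, components: List[str], realm: str) -> Optional[str]:
    if len(components) != rule.ncomp:
        return None

    def field(m):
        i = int(m.group(1))
        if i > len(components):
            raise ValueError("rule references component $%d" % i)
        return realm if i == 0 else components[i - 1]

    s = re.sub(r"\$(\d+)", field, rule.fmt)
    # Assumption: krb5 requires the regexp to match the entire formatted string.
    if rule.regexp is not None and re.fullmatch(rule.regexp, s) is None:
        return None
    for pattern, replacement, is_global in rule.substs:
        # Assumption: the replacement is inserted literally (no backreferences).
        s = re.sub(pattern, lambda _m: replacement, s, count=0 if is_global else 1)
    return s


def map_principal(principal: str, rules: List[str],
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Return the local user name for principal, or None if no rule applies."""
    components, realm = split_principal(principal)
    for entry in rules:
        if entry == "DEFAULT":
            # DEFAULT maps only single-component principals of the local realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        local = apply_rule(parse_rule(entry), components, realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ["henson@CSUPOMONA.EDU", "henson@CPP.EDU",
              "henson/admin@CPP.EDU", "henson@THIRD.EXAMPLE"]:
        print(p, "->", map_principal(p, PAGE_RULES),
              "/ restricted:", map_principal(p, RESTRICTED_RULES))
```

With the message's two entries, a single-component principal from any realm maps to its first component, which is the "applies to every foreign realm" behaviour the author describes; the constructed restricted rule only maps principals whose realm is CSUPOMONA.EDU, so a principal from an unrelated realm stays unmapped while DEFAULT continues to cover the local realm.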
