libapache2-mod-auth-kerb and cross-realm
daemon@ATHENA.MIT.EDU (Jaap Winius)
Tue Aug 12 20:22:30 2014
To: kerberos@mit.edu
From: Jaap Winius <jwinius@umrk.nl>
Date: Wed, 13 Aug 2014 00:21:59 +0000 (UTC)
Message-ID: <lseb37$a3m$1@ger.gmane.org>
Hi folks,
As I make progress with my Kerberos configuration for Apache, cross-realm
support leaves something to be desired.
First, I started out with this configuration for libapache2-mod-auth-kerb
(v5.4-2 on Debian wheezy):
AuthType Kerberos
# Kerberos realm(s) configured for this module
KrbAuthRealms EXAMPLE.COM
# accept any service principal found in the keytab
KrbServiceName Any
Krb5Keytab /etc/apache2/krb5-apache.keytab
# strip the realm from the principal before setting REMOTE_USER
KrbLocalUserMapping On
AuthName "Example login"
This works fine for local users, but excludes MYREALM.COM users, although
the system is configured to support this additional realm.
I fixed it by setting KrbLocalUserMapping to 'off', but now all the
authorized login names in the 'require user' list must also include a
realm, e.g. jwinius@MYREALM.COM, but also johnd@EXAMPLE.COM. That may not
sound so bad, but it also means that those visiting the site without a
Kerberos ticket must now enter their login name (for SPNEGO) that way as
well, which is not exactly what I was hoping for.
Is this the only way to enable cross-realm support for mod-auth-kerb, or
is there a more elegant solution?
Thanks,
Jaap
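As an added example for the thread (not the poster's configuration nor mod_auth_kerb or MIT krb5 code), the following emulates the decision a mod_auth_kerb vhost reaches for a ticket-authenticated principal under the three configurations discussed above: KrbLocalUserMapping On with short names in 'require user', KrbLocalUserMapping Off with realm-qualified names, and KrbLocalUserMapping On combined with a mapping rule that strips the trusted realm. The "default" mapping mirrors MIT krb5's documented DEFAULT localauth behaviour (a single-component principal in the default realm maps to its first component); the rules list is a simplified stand-in for krb5.conf auth_to_local rules, and the claim that such a rule would resolve the poster's case is an assumption, not something verified against their setup. Treating a failed mapping as a denied login follows the behaviour the post describes. KrbAuthRealms is not modelled, since the post shows MYREALM.COM logins succeeding with mapping off despite KrbAuthRealms listing only EXAMPLE.COM. The principals johnd@EXAMPLE.COM and jwinius@MYREALM.COM are taken from the post.

```python
"""Emulation of the authorisation decision a mod_auth_kerb vhost makes for a
ticket-authenticated principal, with KrbLocalUserMapping on or off.

Constructed example for this thread; it is not mod_auth_kerb or MIT krb5 code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class VhostConfig:
    default_realm: str                      # krb5.conf [libdefaults] default_realm
    local_user_mapping: bool                # KrbLocalUserMapping On/Off
    # Simplified auth_to_local rules: (regex over "name@REALM", replacement).
    # Assumption: the equivalent krb5.conf rule would be something like
    #   RULE:[1:$1@$0](.*@MYREALM\.COM)s/@MYREALM\.COM//
    auth_to_local: list[tuple[str, str]] = field(default_factory=list)


def split_principal(principal: str) -> tuple[str, str]:
    """Split 'name@REALM' on the last '@', since realm names never contain '@'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a realm-qualified principal: {principal!r}")
    return name, realm


def map_to_local(principal: str, cfg: VhostConfig) -> str | None:
    """Emulated krb5_aname_to_localname(): explicit rules first, then DEFAULT.
    Returns None when no mapping applies, which is what a foreign-realm user hits."""
    for pattern, repl in cfg.auth_to_local:
        m = re.fullmatch(pattern, principal)
        if m:
            return m.expand(repl)
    name, realm = split_principal(principal)
    if realm == cfg.default_realm and "/" not in name:
        return name
    return None


def remote_user(principal: str, cfg: VhostConfig) -> str | None:
    """What REMOTE_USER becomes after a successful SPNEGO exchange.
    With mapping on, a failed mapping is treated as a denied login, matching
    the behaviour described in the post (foreign-realm users excluded)."""
    if cfg.local_user_mapping:
        return map_to_local(principal, cfg)
    return principal


def authorised(principal: str, cfg: VhostConfig, require_users: set[str]) -> bool:
    """Apply a 'require user ...' list to the mapped REMOTE_USER."""
    user = remote_user(principal, cfg)
    return user is not None and user in require_users


def scenarios() -> dict[str, tuple[bool, bool]]:
    """(johnd@EXAMPLE.COM allowed, jwinius@MYREALM.COM allowed) per configuration."""
    local = "johnd@EXAMPLE.COM"
    foreign = "jwinius@MYREALM.COM"

    # 1. The post's first config: mapping on, short names in 'require user'.
    on = VhostConfig("EXAMPLE.COM", local_user_mapping=True)
    # 2. The post's workaround: mapping off, realm-qualified 'require user'.
    off = VhostConfig("EXAMPLE.COM", local_user_mapping=False)
    # 3. Mapping on plus a rule stripping the trusted realm (assumed fix).
    ruled = VhostConfig("EXAMPLE.COM", local_user_mapping=True,
                        auth_to_local=[(r"(.*)@MYREALM\.COM", r"\1")])

    short_names = {"johnd", "jwinius"}
    qualified = {local, foreign}
    return {
        "mapping_on_short_names": (authorised(local, on, short_names),
                                   authorised(foreign, on, short_names)),
        "mapping_off_qualified": (authorised(local, off, qualified),
                                  authorised(foreign, off, qualified)),
        "mapping_on_with_rule": (authorised(local, ruled, short_names),
                                 authorised(foreign, ruled, short_names)),
    }


if __name__ == "__main__":
    for name, (local_ok, foreign_ok) in scenarios().items():
        print(f"{name:24s} johnd@EXAMPLE.COM={local_ok}  "
              f"jwinius@MYREALM.COM={foreign_ok}")
```

The first scenario reproduces the exclusion the post describes (the MYREALM.COM principal never maps to a local name, so no 'require user' entry can match it), the second reproduces the workaround and its cost (every entry must carry a realm), and the third shows why a realm-stripping mapping rule is the usual way to keep short names while admitting a trusted realm. Note that service principals such as host/www.example.com@EXAMPLE.COM are also left unmapped by the DEFAULT behaviour, so they would be denied under mapping on unless a rule covers them.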
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos