[36362] in Kerberos
Re: libapache2-mod-auth-kerb and cross-realm
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Aug 12 20:28:17 2014
From: Russ Allbery <eagle@eyrie.org>
To: Jaap Winius <jwinius@umrk.nl>
In-Reply-To: <lseb37$a3m$1@ger.gmane.org> (Jaap Winius's message of "Wed, 13
Aug 2014 00:21:59 +0000 (UTC)")
Date: Tue, 12 Aug 2014 17:28:06 -0700
Message-ID: <87fvh1grmx.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Jaap Winius <jwinius@umrk.nl> writes:

> First, I started out with this configuration for
> libapache2-mod-auth-kerb (v5.4-2 on Debian wheezy):
>
>     AuthType Kerberos
>     KrbAuthRealms EXAMPLE.COM
>     KrbServiceName Any
>     Krb5Keytab /etc/apache2/krb5-apache.keytab
>     KrbLocalUserMapping On
>     AuthName "Example login"
>
> This works fine for local users, but excludes MYREALM.COM users,
> although the system is configured to support this additional realm.
>
> I fixed it by setting KrbLocalUserMapping to 'off', but now all the
> authorized login names in the 'require user' list must also include a
> realm, e.g. jwinius@MYREALM.COM, but also johnd@EXAMPLE.COM. That may
> not sound so bad, but it also means that those visiting the site without
> a Kerberos ticket must now enter their login name (for SPNEGO) that way
> as well, which is not exactly what I was hoping for.
I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
option is to leave it on and change, in the Kerberos configuration, how
local user mapping is done to, for example, treat MYREALM.COM as a second
local realm (if that's appropriate).

However, I'm not sure if that works with password prompts, since the
system still needs to know which principal to use for authentication when
authenticating with a password.
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
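The krb5.conf change Russ describes, written out as an added example that is not part of the original thread: an MIT krb5 auth_to_local rule in the default realm's [realms] stanza that makes krb5_aname_to_localname (and therefore KrbLocalUserMapping) strip the MYREALM.COM realm the same way DEFAULT strips EXAMPLE.COM, so the `require user` list can keep using bare local names. Realm names are the ones from the thread; everything else is assumed.

```ini
# /etc/krb5.conf (excerpt, constructed example)
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    # auth_to_local rules live in the stanza of the *local* (default) realm,
    # not in the stanza of the realm the client principal comes from.
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        # [1:$1@$0] rebuilds "user@REALM" from a single-component principal;
        # the regexp admits only MYREALM.COM principals; the s/// strips the realm.
        auth_to_local = RULE:[1:$1@$0](^.*@MYREALM\.COM$)s/@MYREALM\.COM$//
        # DEFAULT maps principals of the default realm (jwinius@EXAMPLE.COM -> jwinius)
        # and rejects anything else, so unlisted realms still fail to map.
        auth_to_local = DEFAULT
    }
    MYREALM.COM = {
        kdc = kdc.myrealm.com
        admin_server = kdc.myrealm.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    .myrealm.com = MYREALM.COM
```

Because both realms now map into one local namespace, jwinius@MYREALM.COM and jwinius@EXAMPLE.COM become the same local user and satisfy the same `require user jwinius` line, so this is only appropriate when the two realms' user names are known not to collide.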