
Re: libapache2-mod-auth-kerb and cross-realm

daemon@ATHENA.MIT.EDU (Jaap Winius)
Tue Aug 12 21:13:45 2014

To: kerberos@mit.edu
From: Jaap Winius <jwinius@umrk.nl>
Date: Wed, 13 Aug 2014 01:13:17 +0000 (UTC)
Message-ID: <lsee3d$a3m$2@ger.gmane.org>

On Tue, 12 Aug 2014 17:28:06 -0700, Russ Allbery wrote:

> I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
> option is to leave it on and change, in the Kerberos configuration, how
> local user mapping is done to, for example, treat MYREALM.COM as a
> second local realm (if that's appropriate).

That would be okay, but I tried that and it doesn't work. I get this in 
the error log:

krb5_aname_to_localname() found no mapping for principal jwinius@MYREALM.COM

So, not only is this second realm name not being stripped off as a 
result, but both the 'jwinius' and 'jwinius@MYREALM.COM' entries in the 
'require user' list are also ignored. That may make sense from a security 
standpoint, as those two entries don't have to be the same person.

Cheers,

Jaap

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
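For readers following Russ's suggestion above, here is an added example (not from either poster) of the krb5.conf auth_to_local rule that tells krb5_aname_to_localname() to strip a second realm. Realm names other than MYREALM.COM, the KDC hostnames and the choice of EXAMPLE.ORG as the web server's default realm are placeholders assumed for illustration:

```ini
# Added example krb5.conf fragment for the host running mod_auth_kerb.
# auth_to_local rules are read from the stanza of the host's default
# realm (assumed here to be EXAMPLE.ORG), not from the foreign realm's.
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        # assumed KDC hostname
        kdc = kdc.example.org
        # [1:$1@$0] rebuilds a one-component principal as "name@REALM";
        # the parenthesised regexp selects only MYREALM.COM principals;
        # the s/// then removes "@MYREALM.COM", leaving "jwinius".
        # Rules are tried in order and the first match wins.
        auth_to_local = RULE:[1:$1@$0](.*@MYREALM\.COM)s/@.*//
        # DEFAULT maps a one-component principal of the default realm to
        # its component name and fails for any other principal, which is
        # the "found no mapping" error seen without an explicit rule.
        auth_to_local = DEFAULT
    }
    MYREALM.COM = {
        # assumed KDC hostname
        kdc = kdc.myrealm.com
    }
```

With this in place and KrbLocalUserMapping left on, REMOTE_USER becomes the stripped name, so a `require user jwinius` entry is the one that applies. The caveat is the one Jaap raises: the rule deliberately collapses jwinius@MYREALM.COM and jwinius@EXAMPLE.ORG onto the same local account, so only add such a rule for a realm whose users you are willing to treat as the same people as your own.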
