
Re: libapache2-mod-auth-kerb and cross-realm

daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Aug 12 21:20:58 2014

From: Russ Allbery <eagle@eyrie.org>
To: Jaap Winius <jwinius@umrk.nl>
In-Reply-To: <lsee3d$a3m$2@ger.gmane.org> (Jaap Winius's message of "Wed, 13 Aug 2014 01:13:17 +0000 (UTC)")
Date: Tue, 12 Aug 2014 18:20:47 -0700
Message-ID: <8738d1gp74.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Jaap Winius <jwinius@umrk.nl> writes:
> On Tue, 12 Aug 2014 17:28:06 -0700, Russ Allbery wrote:

>> I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
>> option is to leave it on and change, in the Kerberos configuration, how
>> local user mapping is done to, for example, treat MYREALM.COM as a
>> second local realm (if that's appropriate).

> That would be okay, but I tried that and it doesn't work. I get this in 
> the error log:

> krb5_aname_to_localname() found no mapping for principal 
> jwinius@MYREALM.COM

That sounds like you didn't get the right aname_to_localname configuration
in your krb5.conf file, since it can't find a mapping.

> So, not only is this second realm name not being stripped off as a
> result, both the 'jwinius' and 'jwinius@MYREALM.COM' entries in the
> 'require user' list are ignored. That may make sense from a security
> standpoint, as those two entries don't have to be the same person.

Yes, the default behavior of krb5_aname_to_localname is to only strip the
local realm.  You need explicit configuration to tell it what the safe
transforms are.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
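The exchange above turns on how krb5_aname_to_localname decides which realms it is safe to strip. The script below is an added illustration, not code from this thread, from MIT krb5 or from mod_auth_kerb: it is a simplified model of the krb5.conf auth_to_local semantics (rules tried in order, first one that applies wins; DEFAULT accepts only single-component names in the default realm; RULE builds a string from the principal, checks it against a regexp, then runs a sed-style substitution). The local realm EXAMPLE.ORG, the rule list and the principal names are constructed for the example. It shows why jwinius@MYREALM.COM gets no mapping with the default configuration, and why a rule scoped to that one realm (rather than one that strips any realm) is the transform to add: the resulting local name is what a `require user` check compares against, so an over-broad rule would let a principal from any other trusted realm claim a local account.

```python
import re

# Constructed local (default) realm for this illustration; the thread's
# cross-realm principal comes from MYREALM.COM.
LOCAL_REALM = "EXAMPLE.ORG"

# A krb5.conf with no auth_to_local lines behaves as if only DEFAULT were
# set: just the local realm is stripped, so jwinius@MYREALM.COM maps to nothing.
RULES_DEFAULT_ONLY = ["DEFAULT"]

# Explicit transform for one trusted realm, as it would be written in krb5.conf
# (constructed example, not the thread's configuration):
#   [realms]
#     EXAMPLE.ORG = {
#       auth_to_local = RULE:[1:$1@$0](^.*@MYREALM\.COM$)s/@MYREALM\.COM$//
#       auth_to_local = DEFAULT
#     }
RULES_CROSS_REALM = [
    r"RULE:[1:$1@$0](^.*@MYREALM\.COM$)s/@MYREALM\.COM$//",
    "DEFAULT",
]

# Grammar of a RULE entry: RULE:[n:string](regexp)s/pattern/replacement/[g]
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$"
)


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError(f"not a principal name: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the local name this one rule yields, or None if it does not apply."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # Only single-component names in the local realm are accepted.
        return comps[0] if len(comps) == 1 and realm == LOCAL_REALM else None
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported auth_to_local rule: {rule!r}")
    ncomps, template, regexp, pattern, replacement, gflag = m.groups()
    if len(comps) != int(ncomps):
        return None

    # Build the candidate string: $0 is the realm, $k the k-th component.
    def expand(match):
        idx = int(match.group(1))
        if idx > len(comps):
            raise ValueError(f"rule references component ${idx}, principal has {len(comps)}")
        return realm if idx == 0 else comps[idx - 1]

    candidate = re.sub(r"\$(\d+)", expand, template)
    if re.search(regexp, candidate) is None:
        return None
    # Apply the sed-style substitution (first match only unless /g was given).
    return re.sub(pattern, replacement, candidate, count=0 if gflag else 1)


def aname_to_localname(principal, rules):
    """First rule that applies wins; None stands for the 'no mapping' failure."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for princ in ("jwinius@EXAMPLE.ORG", "jwinius@MYREALM.COM",
                  "jwinius/admin@MYREALM.COM", "jwinius@OTHER.NET"):
        print(f"{princ:28} default-only={aname_to_localname(princ, RULES_DEFAULT_ONLY)!s:8} "
              f"cross-realm={aname_to_localname(princ, RULES_CROSS_REALM)}")
```

With the default-only rule list, jwinius@MYREALM.COM yields None, which is the condition behind the "found no mapping for principal" message quoted above; with the realm-specific RULE it yields jwinius, while jwinius/admin@MYREALM.COM and any principal from an unlisted realm still map to nothing. The real library's regexp and substitution engines differ in detail from Python's re, so treat this as a model of the decision logic rather than of the exact matching behaviour.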