Re: libapache2-mod-auth-kerb and cross-realm
To: kerberos@mit.edu
From: Jaap Winius <jwinius@umrk.nl>
Date: Thu, 14 Aug 2014 01:59:29 +0000 (UTC)
Message-ID: <lsh560$hd6$1@ger.gmane.org>
On Wed, 13 Aug 2014 18:12:20 -0700, Russ Allbery wrote:
> Hm, I don't think that's the case with MIT Kerberos, ...
Well, I tried it out anyway, but it didn't work. In Apache I set
KrbAuthRealms to include both realms and left KrbLocalUserMapping set to
'On', while in krb5.conf I had:
[realms]
EXAMPLE.COM = {
admin_server = server1.example.com
}
MYREALM.COM = {
admin_server = server1.myrealm.com
auth_to_local = DEFAULT
}
* Note: the KDCs are located via DNS.
In this case, the browser for my cross-realm account got an "Internal
Server Error" message when visiting the site, while the Apache error log
said:
krb5_aname_to_localname() found no mapping for principal
jwinius@MYREALM.COM
So, it doesn't look like the auth_to_local setting was influencing the
matter at all.
On the other hand, when I applied 'auth_to_local = DEFAULT' to EXAMPLE.COM
instead of MYREALM.COM, set KrbLocalUserMapping to 'Off', made sure
jwinius@EXAMPLE.COM was not included in the 'require user' list, and used
a browser on an EXAMPLE.COM client to access the site, the response was
'Authorization Required' with this in the Apache error log:
user 'jwinius@EXAMPLE.COM' does not meet 'require'ments for user/valid-user to be allowed access
So, either my 'auth_to_local = DEFAULT' setting isn't working at all, or
Apache just isn't picking up on the result.
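An added model of the lookup that produces the "found no mapping" error, written for this thread and not taken from MIT krb5 or mod_auth_kerb. It emulates the documented auth_to_local semantics: rules are read from the [realms] stanza of the host's default realm (not the principal's realm), DEFAULT maps only single-component principals in that realm, and a RULE:[n:string](regex)s/a/b/ entry can map cross-realm names. It assumes the web server's default_realm is EXAMPLE.COM; CONFIG_C, with an explicit RULE, is a hypothetical configuration that does not appear in the post.

```python
import re

# Constructed krb5.conf models (realm -> auth_to_local rule list); assumed default_realm.
CONFIG_A = {"default_realm": "EXAMPLE.COM",          # poster's first attempt
            "realms": {"EXAMPLE.COM": [], "MYREALM.COM": ["DEFAULT"]}}
CONFIG_B = {"default_realm": "EXAMPLE.COM",          # poster's second attempt
            "realms": {"EXAMPLE.COM": ["DEFAULT"], "MYREALM.COM": []}}
CONFIG_C = {"default_realm": "EXAMPLE.COM",          # hypothetical cross-realm mapping
            "realms": {"EXAMPLE.COM": [
                r"RULE:[1:$1@$0](^.*@MYREALM\.COM$)s/@MYREALM\.COM$//",
                "DEFAULT"]}}

RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)")
SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")

def split_principal(principal):
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm

def apply_rule(rule, components, realm, default_realm):
    """Local name produced by one auth_to_local rule, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT never maps principals from another realm or with several components.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError(f"unsupported auth_to_local rule: {rule}")
    n, fmt, regex, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(components) != n:          # [n:...] selects principals with n components
        return None
    s = fmt.replace("$0", realm)      # $0 is the realm, $1..$n the components
    for i, comp in enumerate(components, 1):
        s = s.replace(f"${i}", comp)
    if regex and not re.fullmatch(regex, s):
        return None
    for pat, rep, g in SUBST_RE.findall(substs):
        s = re.sub(pat, rep, s, count=0 if g else 1)
    return s

def aname_to_localname(principal, config):
    """Emulate krb5_aname_to_localname(): consult the default realm's stanza only."""
    components, realm = split_principal(principal)
    default_realm = config["default_realm"]
    rules = config["realms"].get(default_realm) or ["DEFAULT"]  # unset -> DEFAULT
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None   # what the library reports as "found no mapping for principal"
```

Under this model the rule placed in the MYREALM.COM stanza is never consulted for a server whose default realm is EXAMPLE.COM, while jwinius@EXAMPLE.COM does map to "jwinius" in the second configuration, so that failure would lie in Apache's require handling rather than in the mapping.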