[36372] in Kerberos


Re: libapache2-mod-auth-kerb and cross-realm

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Aug 13 23:07:19 2014

Message-ID: <53EC27D7.3080101@mit.edu>
Date: Wed, 13 Aug 2014 23:07:03 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Jaap Winius <jwinius@umrk.nl>, kerberos@mit.edu
In-Reply-To: <lsh560$hd6$1@ger.gmane.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 08/13/2014 09:59 PM, Jaap Winius wrote:
> [...] while in krb5.conf I had:

It turns out that the only auth_to_local relations used from krb5.conf
are the ones in the realm subsection for the default realm.  It would
make more sense if it were located in [libdefaults], but this is the
historical behavior.

So you need something like:

    [realms]
        EXAMPLE.COM = {
            auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//
            auth_to_local = DEFAULT
        }

The rule is more complicated than it seems like it should have to be,
also for historical reasons.  The rule expression decomposes as follows:

* [1:$1@$0] matches only one-component principals, and creates a
selection string containing the first component and the realm.  (Without
the explicit selection string, the realm name is stripped out regardless
of what it is.)

* (.*@MYREALM.COM) is a regexp matching the selection string.  The regexp
is implicitly anchored at both ends, so it must match the whole string.

* s/@MYREALM.COM$// strips off the matched realm name.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
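
To make the decomposition above concrete, here is a small evaluator for the two rule forms used in the reply (RULE:[n:string](regexp)s/pattern/replacement/[g] and DEFAULT). It is an added illustration, not code from krb5 or from the poster; it uses Python's re module where krb5 uses POSIX regexps, requires the [n:string] selection part to be present, and assumes EXAMPLE.COM is the default realm, as in the krb5.conf fragment. Principal names, the RULES list and the default realm are constructed for the example.

```python
import re

# Added illustration, not krb5's own code: a minimal evaluator for the
# auth_to_local rule forms RULE:[n:string](regexp)s/pat/rep/[g] and DEFAULT,
# so the rule from the reply can be tried against sample principals.
# Python's re stands in for the POSIX regexps krb5 uses; for rules of this
# shape the behaviour is the same.

RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"                # [n:string] selection
    r"\((?P<regexp>.*?)\)"                                  # (regexp), anchored when applied
    r"(?P<subs>(?:s/(?:[^/\\]|\\.)*/(?:[^/\\]|\\.)*/g?)*)$"  # zero or more s/pat/rep/[g]
)
SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def expand_selection(fmt, comps, realm):
    """Build the selection string: $0 is the realm, $1..$n the name components."""
    def repl(m):
        i = int(m.group(1))
        if i == 0:
            return realm
        if i > len(comps):
            raise ValueError(f"${i} refers past the principal's {len(comps)} components")
        return comps[i - 1]
    return re.sub(r"\$(\d+)", repl, fmt)


def apply_rule(rule, principal, default_realm):
    """Return the local name this rule yields for principal, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component names in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unparsable rule: {rule!r}")
    # [n:string]: the rule applies only to principals with exactly n components.
    if len(comps) != int(m["n"]):
        return None
    selection = expand_selection(m["fmt"], comps, realm)
    # (regexp) is implicitly anchored at both ends: it must match the whole selection.
    if m["regexp"] and re.fullmatch(m["regexp"], selection) is None:
        return None
    # s/pattern/replacement/[g]: sed-style rewrites, applied in order.
    result = selection
    for pat, rep, flag in SUB_RE.findall(m["subs"]):
        result = re.sub(pat, rep, result, count=0 if flag else 1)
    return result


def map_principal(rules, principal, default_realm):
    """The first rule that produces a local name wins; None means no mapping."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


# The two rules from the reply, as listed under [realms] EXAMPLE.COM.
RULES = [
    "RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//",
    "DEFAULT",
]

if __name__ == "__main__":
    # Constructed sample principals: cross-realm user, local user,
    # user from an unrelated realm, and a two-component service principal.
    for p in ("jaap@MYREALM.COM", "jaap@EXAMPLE.COM",
              "jaap@OTHER.COM", "host/www@MYREALM.COM"):
        print(f"{p:24} -> {map_principal(RULES, p, 'EXAMPLE.COM')!r}")
```

Running it shows why each part of the rule matters: jaap@MYREALM.COM maps to jaap through the RULE line, jaap@EXAMPLE.COM falls through to DEFAULT, jaap@OTHER.COM gets no mapping because the anchored regexp does not match the whole selection string, and host/www@MYREALM.COM gets none because the [1:...] selection only admits one-component principals.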
