[6991] in Kerberos
Question re: aname mapping
daemon@ATHENA.MIT.EDU (Jim Garlick)
Wed Apr 3 09:07:06 1996
To: kerberos@MIT.EDU
Date: 2 Apr 1996 17:29:41 GMT
From: garlick@ecst.csuchico.edu (Jim Garlick)
Hello,
I have a question about "aname" mapping between Kerberos principal names
and local usernames.
This is hypothetical at this point, but let's say my campus runs a Kerberos
realm called CSUCHICO.EDU which issues unique principal names to students
using one algorithm. Let's say I have an installed user base in Engineering
that uses another algorithm for picking usernames, but I want to take
advantage of the campus Kerberos service without changing all my usernames.
My campus can provide a mapping between student ID numbers and principal
names, and I can also provide a similar mapping between student ID numbers
and usernames on my systems. I can use this information to create an
aname mapping between principal names and usernames, e.g.
A123456@CSUCHICO.EDU garlick
A123457@CSUCHICO.EDU fred
Great. Once I have a TGT for A123456@CSUCHICO.EDU, I should be able to
use Kerberos-authenticated services as "garlick" all over Engineering,
and actually all over campus where my principal name may be mapped to other
usernames.
The problem is that my users have to remember two usernames now: the
principal name and their Engineering username. I would like them to be
able to just type "kinit" and have kinit look up their principal name using
their username, but since aname is not one-to-one, the reverse of
krb5_aname_to_localname() isn't possible.
Before I get into hacking kinit to look up the principal name in some other
database of my own creation, can somebody tell me if there is an easier
way to do this (without changes to the software)?
We don't have a real Kerberos service on campus yet, so major paradigm shifts
are possible at this point. Users will have multiple "usernames" in different
areas of campus though; this is hard to avoid for us. The big question right
now is whether we can create a "generic" Kerberos service on campus that
various departments can take advantage of.
An example of an ideal scenario would be if a student could kinit on a
campus lab workstation with one username and implicitly pick up a TGT for
their "generic" principal name, then be able to telnet to Engineering or
other areas where they have different usernames and never have to type their
password over the network in the clear, or have to know their generic
principal name.
Thanks!
Jim
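To make the one-way nature of the aname table concrete, here is an added example (not from the post or from MIT krb5) that parses a table in the "<principal> <username>" form shown above, performs the forward lookup that krb5_aname_to_localname() does, and attempts the reverse lookup a username-based kinit would need. The sample table is constructed; a second principal mapped to "garlick" is added to show the ambiguity.

```python
from collections import defaultdict

# Constructed sample table in the post's format. Two principals map to
# "garlick" so the reverse direction is not unique.
SAMPLE_TABLE = """\
# principal            local username
A123456@CSUCHICO.EDU   garlick
A123457@CSUCHICO.EDU   fred
A999999@CSUCHICO.EDU   garlick
"""


def parse_aname_table(text):
    """Return (forward, reverse): principal -> user and user -> set(principals).

    Comments (#) and blank lines are ignored. A principal mapped to two
    different usernames is rejected, since the forward map must be a function.
    """
    forward = {}
    reverse = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or "@" not in parts[0]:
            raise ValueError(f"line {lineno}: expected '<principal> <username>'")
        principal, user = parts
        if forward.get(principal, user) != user:
            raise ValueError(f"line {lineno}: {principal} already maps to {forward[principal]}")
        forward[principal] = user
        reverse[user].add(principal)
    return forward, dict(reverse)


def aname_to_localname(forward, principal):
    """Forward direction (what krb5_aname_to_localname() provides)."""
    return forward.get(principal)


def localname_to_aname(reverse, user):
    """Reverse direction. Returns the unique principal for a local username,
    or None when the username is unknown or several principals map to it;
    a kinit wrapper must treat None as 'ask the user' rather than guess."""
    candidates = reverse.get(user, set())
    if len(candidates) != 1:
        return None
    return next(iter(candidates))
```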