[krbdev.mit.edu #6677] auth_to_local_names is useless
daemon@ATHENA.MIT.EDU (Peter Eriksson via RT)
Fri Mar 5 18:26:20 2010
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Peter Eriksson via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6677@krbdev.mit.edu>
Message-ID: <rt-6677-32570.3.55689562917156@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6677'":;"'AdminCc of krbdev.mit.edu Ticket #6677'":;@MIT.EDU
Date: Fri, 5 Mar 2010 18:26:18 -0500 (EST)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Problem:
I want to allow users to authenticate either using our local
username/password (our local Kerberos server) *or* the new
university-wide username/password (another Kerberos server). For example
I should be able to login using either:
peter86@LIU.SE
or
peter@IFM.LIU.SE
and both should map to the local Unix user "peter". To allow this I
thought the krb5.conf "auth_to_local_names" would be the right way to
solve it, by simply including a list of principal <-> username mappings.
But alas, that doesn't seem to work....
Here's a sample krb5.conf file:
> [libdefaults]
>         default_realm = IFM.LIU.SE
>
> [realms]
>         IFM.LIU.SE = {
>                 kdc = as-slave-1.ifm.liu.se
>                 kdc = as-slave-2.ifm.liu.se
>                 kdc = as-master.ifm.liu.se
>                 admin_server = as-master.ifm.liu.se
>                 auth_to_local_realm = AD.IFM.LIU.SE
>                 auth_to_local_names = {
>                         peter86@LIU.SE = peter
>                 }
>         }
>
>         AD.IFM.LIU.SE = {
>                 kdc = ad-master.ad.ifm.liu.se
>                 kdc = ad-slave.ad.ifm.liu.se
>                 admin_server = ad-master.ifm.liu.se
>                 kpasswd_protocol = SET_CHANGE
>         }
>
>         LYSATOR.LIU.SE = {
>                 kdc = as-master.lysator.liu.se
>                 kdc = as-slave.lysator.liu.se
>                 admin_server = as-master.lysator.liu.se
>         }
>
>         LIU.SE = {
>                 kdc = bulldog.unit.liu.se
>                 admin_server = bulldog.unit.liu.se
>         }
This correctly maps "peter@IFM.LIU.SE" to "peter". And via the
"auth_to_local_realm" (a Solaris-specific extension I think) also
correctly maps "peter@AD.IFM.LIU.SE" to "peter".
But not "peter86@LIU.SE"... It doesn't work since the code in
lib/krb5/os/an_to_ln.c:krb5_aname_to_localname() calls the function
aname_full_to_mapping_name() which drops the realm stuff from the
principal before looking up the mapping. If I change "peter86@LIU.SE" to
just "peter86" things work better (i.e. the mapping takes place).
However... That will also map "peter86@LYSATOR.LIU.SE" to "peter" which
is really wrong. Or "peter86@HACKERS-R-US.RU" for that matter.
Making the thing completely useless...
I'm curious if there exists anyone anywhere that is using the
auth_to_local_names stuff as it currently stands...
Btw, when investigating this issue I found this old mail from 2003:
http://mailman.mit.edu/pipermail/krbdev/2003-November/002064.html
The same code seems to be in Kerberos 1.8 as it was then (and the same
seems to be in OpenSolaris)...
- Peter
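The lookup behaviour the report describes, as an added model in Python (not code from MIT krb5 or from the reporter): `realm_dropping_lookup` reproduces what the report attributes to `krb5_aname_to_localname()` calling `aname_full_to_mapping_name()`, where the realm is discarded before the table is consulted, so a key written as `peter86@LIU.SE` never matches, while the realm-less workaround key `peter86` matches that name from any realm. `realm_aware_lookup` is the check a practitioner would want instead: a key that names a realm matches only that exact principal, and the rule that a realm-less key is shorthand for the default realm is an assumption of this example, not krb5 semantics. The mapping tables and test principals are constructed from the krb5.conf in the report.

```python
"""Model of the auth_to_local_names lookup described in the bug report.

Constructed example: it is not MIT krb5 code. It contrasts the realm-dropping
lookup the report describes with a realm-aware lookup.
"""

DEFAULT_REALM = "IFM.LIU.SE"

# Constructed auth_to_local_names tables mirroring the report's krb5.conf:
# the first is what the reporter wrote, the second is the realm-less workaround.
MAPPING_WITH_REALM = {"peter86@LIU.SE": "peter"}
MAPPING_WITHOUT_REALM = {"peter86": "peter"}


def split_principal(principal):
    """Split 'name@REALM' at the last unescaped '@'.

    Returns (name, realm); realm is None when the principal carries no realm.
    A backslash-escaped '@' inside the name component is not a separator.
    """
    sep = None
    i = 0
    while i < len(principal):
        if principal[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if principal[i] == "@":
            sep = i
        i += 1
    if sep is None:
        return principal, None
    return principal[:sep], principal[sep + 1:]


def realm_dropping_lookup(principal, mapping):
    """Lookup as the report describes the current code: the realm is thrown
    away before the table is consulted. A key that contains a realm can never
    match, and a realm-less key matches that name in EVERY realm."""
    name, _realm = split_principal(principal)
    return mapping.get(name)


def realm_aware_lookup(principal, mapping, default_realm=DEFAULT_REALM):
    """Hardened lookup (assumed semantics for this example, not krb5's).

    A key that names a realm matches only that exact principal. A realm-less
    key is treated as shorthand for name@default_realm, so it never applies to
    a foreign realm such as LYSATOR.LIU.SE or HACKERS-R-US.RU.
    """
    name, realm = split_principal(principal)
    if realm is None:
        realm = default_realm
    full = f"{name}@{realm}"
    if full in mapping:
        return mapping[full]
    if realm == default_realm and name in mapping:
        return mapping[name]
    return None


def compare(principal):
    """Return the local user each lookup yields for each table (None = no mapping)."""
    return {
        "dropping/with_realm": realm_dropping_lookup(principal, MAPPING_WITH_REALM),
        "dropping/without_realm": realm_dropping_lookup(principal, MAPPING_WITHOUT_REALM),
        "aware/with_realm": realm_aware_lookup(principal, MAPPING_WITH_REALM),
        "aware/without_realm": realm_aware_lookup(principal, MAPPING_WITHOUT_REALM),
    }


if __name__ == "__main__":
    # Constructed test principals taken from the report's own examples.
    for p in ("peter86@LIU.SE", "peter86@LYSATOR.LIU.SE", "peter86@HACKERS-R-US.RU"):
        print(p, compare(p))
```

Running it shows the two failure modes side by side: with the realm-dropping lookup the intended key maps nothing and the workaround key maps `peter86` from every realm, whereas the realm-aware lookup maps only `peter86@LIU.SE` (or, for the realm-less key, only the default realm) and returns None for the foreign realms.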
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs