[33183] in Kerberos
Re: Kerberos cross-realm with AD
daemon@ATHENA.MIT.EDU (Simo Sorce)
Mon Feb 7 13:48:54 2011
Date: Mon, 7 Feb 2011 13:48:43 -0500
From: Simo Sorce <ssorce@redhat.com>
To: kerberos@mit.edu
Message-ID: <20110207134843.42891b67@willson.li.ssimo.org>
In-Reply-To: <20110207181237.GB5705@talktalkplc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, 7 Feb 2011 18:12:37 +0000
Brian Candler <B.Candler@pobox.com> wrote:
> Solution 2: you can map all users@MEL.DOMAIN.COM to users@M.DOMAIN.COM
>
> In krb5.conf (on the FreeBSD server) this would be something like:
>
> [realms]
>   M.DOMAIN.COM = {
>     auth_to_local = RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$//
>     auth_to_local = DEFAULT
>   }
>
> WARNING: not tested. You need to triple-check that's right, as it
> could open you up to various holes if not correct. The syntax is
> interesting, to say the least. Also, you need to make sure that
> foo@M.DOMAIN.COM and foo@MEL.DOMAIN.COM are never two different
> people. But it's a one-off config change on each host.
If you want separate users you can also create users with a
prefix/suffix as part of the user name for the "foreign" users:
user-MEL or MEL.DOMAIN.COM-username
They may not look pretty but would get the job done w/o risk of having
collisions as long as the main domain username assignment follows
minimal rules.
First form:
RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$/-MEL/
Second form:
RULE:[1:$1@$0](^.*@.*$)s/(^.*)@(.*$)/\2-\1/
I haven't tested this last one, so I am not sure the syntax is correct,
but it should be possible to get to a working syntax.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
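The following is an added example, not code from either poster or from MIT krb5: a small Python evaluator for auth_to_local entries that lets you try the three RULE forms from this thread against sample principals before putting them in krb5.conf. It implements the rule grammar RULE:[n:string](selector)s/pattern/replacement/[g] plus DEFAULT as documented for MIT krb5, with Python's re module standing in for the POSIX extended regexps the real library compiles (for these rules the two agree), and it does not handle principals with escaped '/' or '@'. The principals foo@M.DOMAIN.COM, foo@MEL.DOMAIN.COM and host/srv@M.DOMAIN.COM are constructed samples; mapping_table and the other function names are my own.

```python
import re
from dataclasses import dataclass

# Added example: a toy evaluator for the auth_to_local entries discussed above,
#   RULE:[<n>:<string>](<selector>)s/<pattern>/<replacement>/[g]   and   DEFAULT
# Python's re module stands in for the POSIX extended regexps MIT krb5 compiles;
# for the rules in this thread the two behave the same.

@dataclass
class Rule:
    ncomp: int            # number of principal components the rule requires
    fmt: str              # $0 = realm, $1..$n = components
    selector: re.Pattern  # rule applies only if this matches the formatted string
    subs: list            # [(compiled pattern, replacement, global flag)]

def _read_until_slash(s):
    """Split s at its first unescaped '/': (text before, text after)."""
    i = 0
    while i < len(s):
        if s[i] == "\\":
            i += 2
            continue
        if s[i] == "/":
            return s[:i], s[i + 1:]
        i += 1
    raise ValueError("unterminated s/// expression: " + s)

def parse_rule(text):
    """Parse one RULE: entry.  Simplification: the selector may not contain ')'."""
    if not text.startswith("RULE:["):
        raise ValueError("not a RULE: entry: " + text)
    close = text.index("]", 6)
    n, fmt = text[6:close].split(":", 1)
    if text[close + 1] != "(":
        raise ValueError("missing selector: " + text)
    sel_end = text.index(")", close + 2)
    selector = re.compile(text[close + 2:sel_end])
    subs, rest = [], text[sel_end + 1:]
    while rest:                   # zero or more s/pattern/replacement/[g]
        if not rest.startswith("s/"):
            raise ValueError("expected s/// after selector: " + rest)
        pat, rest = _read_until_slash(rest[2:])
        repl, rest = _read_until_slash(rest)
        glob = rest.startswith("g")
        rest = rest[1:] if glob else rest
        subs.append((re.compile(pat), repl, glob))
    return Rule(int(n), fmt, selector, subs)

def split_principal(principal):
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); escaped '/' and '@' not handled."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm

def apply_rule(rule, principal):
    """Local name produced by one RULE, or None when the rule does not match."""
    comps, realm = split_principal(principal)
    if len(comps) != rule.ncomp:
        return None
    s = re.sub(r"\$(\d)", lambda m: realm if m.group(1) == "0"
               else comps[int(m.group(1)) - 1], rule.fmt)
    if not rule.selector.search(s):
        return None
    for pat, repl, glob in rule.subs:
        s = pat.sub(repl, s, count=0 if glob else 1)
    return s

def auth_to_local(entries, principal, local_realm):
    """Entries are tried in order, first match wins; None means no local user."""
    for entry in entries:
        if entry == "DEFAULT":
            comps, realm = split_principal(principal)
            if realm == local_realm and len(comps) == 1:
                return comps[0]
            continue
        local = apply_rule(parse_rule(entry), principal)
        if local is not None:
            return local
    return None

# The three rules from the thread, verbatim.
COLLAPSE_RULE = r"RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$//"
SUFFIX_RULE = r"RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$/-MEL/"
PREFIX_RULE = r"RULE:[1:$1@$0](^.*@.*$)s/(^.*)@(.*$)/\2-\1/"

# Constructed sample principals: a local user, a foreign user, a service.
SAMPLE = ["foo@M.DOMAIN.COM", "foo@MEL.DOMAIN.COM", "host/srv@M.DOMAIN.COM"]

def mapping_table(entries, principals=SAMPLE, local_realm="M.DOMAIN.COM"):
    return {p: auth_to_local(entries, p, local_realm) for p in principals}

if __name__ == "__main__":
    for label, entries in [("collapse", [COLLAPSE_RULE, "DEFAULT"]),
                           ("suffix", [SUFFIX_RULE, "DEFAULT"]),
                           ("prefix, rule first", [PREFIX_RULE, "DEFAULT"]),
                           ("prefix, DEFAULT first", ["DEFAULT", PREFIX_RULE])]:
        print(label, mapping_table(entries))
```

Running it shows the two points a practitioner should check before deploying such rules. With the collapsing rule, foo@M.DOMAIN.COM and foo@MEL.DOMAIN.COM both become the local user foo, which is exactly the collision to rule out. The prefix rule's selector (^.*@.*$) also matches local principals, so listing it before DEFAULT turns foo@M.DOMAIN.COM into M.DOMAIN.COM-foo; listing DEFAULT first keeps local users on their plain names while foreign ones still get the realm prefix, because entries are tried in order and the first match wins. A two-component principal such as host/srv@M.DOMAIN.COM matches none of these [1:...] rules and gets no local user at all.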