It seems it strips the realm part of the principal before looking up the mapping to the local user, which makes it more or less useless... (This seems to be the same in Solaris, OpenSolaris and the latest MIT Kerberos 1.8 btw).
I.e., given the included krb5.conf below, the system correctly maps peter@IFM.LIU.SE and peter@AD.IFM.LIU.SE to peter. But it fails to map peter86@LIU.SE to peter. If I change peter86@LIU.SE to just peter86 below then it works. But... that will map peter86@<anything> to peter. Like peter86@LYSATOR.LIU.SE... or peter86@HACKERS-R-US.COM... Not what I want...

(The problem is located in onnv-gate/usr/src/lib/gss_mechs/mech_krb5/krb5/os/an_to_ln.c in the OpenSolaris source, in the function krb5_aname_to_localname(), which calls aname_full_to_mapping_name(), which strips the realm from the principal string before looking up the mapping.)

    [libdefaults]
        default_realm = IFM.LIU.SE

    [realms]
        IFM.LIU.SE = {
            kdc = as-slave-1.ifm.liu.se
            kdc = as-slave-2.ifm.liu.se
            kdc = as-master.ifm.liu.se
            admin_server = as-master.ifm.liu.se
            auth_to_local_realm = AD.IFM.LIU.SE
            auth_to_local_names = {
                peter86@LIU.SE = peter
            }
        }
        AD.IFM.LIU.SE = {
            kdc = ad-master.ad.ifm.liu.se
            kdc = ad-slave.ad.ifm.liu.se
            admin_server = ad-master.ifm.liu.se
            kpasswd_protocol = SET_CHANGE
        }
        LYSATOR.LIU.SE = {
            kdc = as-master.lysator.liu.se
            kdc = as-slave.lysator.liu.se
            admin_server = as-master.lysator.liu.se
        }
        LIU.SE = {
            kdc = bulldog.unit.liu.se
            admin_server = bulldog.unit.liu.se
        }

I'm now running out of ideas on how to solve this. Tried the "auth_to_local RULE" variant, but it seems that hack only supports one RULE on Solaris 10 (perhaps it supports more in OpenSolaris?). Anyone got some other ideas?

-- This message posted from opensolaris.org
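An added illustration (not from the post or from the Solaris/MIT code) of why the realm-stripping lookup described above is a problem: the first function models a lookup that drops the realm before consulting auth_to_local_names, the second keys the lookup on the full principal. Both take the name table and the trusted realms as parameters so the poster's two configurations (key "peter86@LIU.SE" versus bare key "peter86") can be compared side by side; the behaviour of the real an_to_ln.c is only approximated here.

```python
"""Model of Kerberos auth_to_local_names lookups: realm-stripped vs realm-aware.

Constructed example; it approximates the behaviour the post describes rather
than reproducing the actual krb5 source.
"""


def split_principal(principal):
    """Split 'name@REALM' into (name, realm); realm is None if absent."""
    name, sep, realm = principal.rpartition("@")
    return (name, realm) if sep else (principal, None)


def map_realm_stripped(principal, names, default_realm, extra_realms=()):
    """Lookup as the post describes: the realm is discarded before the table
    is consulted, so a key containing '@REALM' can never match, and a bare
    key matches that name in *any* realm."""
    name, realm = split_principal(principal)
    if name in names:                      # compared against the bare name only
        return names[name]
    if realm in (default_realm, *extra_realms):
        return name                        # default rule: local user == name
    return None                            # no mapping for this principal


def map_realm_aware(principal, names, default_realm, extra_realms=()):
    """Lookup keyed on the full principal. A bare key is honoured only for
    realms the host already trusts, so a foreign realm cannot claim a local
    account by reusing the name."""
    name, realm = split_principal(principal)
    full = f"{name}@{realm}"
    if full in names:
        return names[full]
    if realm in (default_realm, *extra_realms):
        return names.get(name, name)
    return None


# The poster's setup: default realm IFM.LIU.SE, AD.IFM.LIU.SE also trusted.
DEFAULT_REALM = "IFM.LIU.SE"
TRUSTED = ("AD.IFM.LIU.SE",)
NAMES_WITH_REALM = {"peter86@LIU.SE": "peter"}   # the config as posted
NAMES_BARE = {"peter86": "peter"}                 # the workaround the poster tried
```

With NAMES_BARE, map_realm_stripped("peter86@HACKERS-R-US.COM", ...) returns "peter", which is exactly the over-broad match the post complains about; map_realm_aware returns None for the same principal while still mapping peter86@LIU.SE to peter when the table carries the realm.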