On 03/ 5/10 07:26 AM, Peter Eriksson wrote:
>  It seems it strips the realm part of the principal before looking up the 
> mapping to the local user, which makes it more or less useless... (This seems 
> to be the same in Solaris, OpenSolaris and the latest MIT Kerberos 1.8 btw).
>
>  I.e., given the included krb5.conf below the system correctly maps peter at 
> IFM.LIU.SE and peter at AD.IFM.LIU.SE to peter. But it fails to map peter86 
> at LIU.SE to peter.
>
>
>  If I change peter86 at LIU.SE to just peter86 below then it works. But... 
> that will map peter86@<anything> to peter. Like peter86 at 
> LYSATOR.LIU.SE... or peter86 at HACKERS-R-US.COM... Not what I want...
>
>  (The problem is located in 
> onnv-gate/usr/src/lib/gss_mechs/mech_krb5/krb5/os/an_to_ln.c in the 
> OpenSolaris source, in the function krb5_aname_to_localname() which calls 
> aname_full_to_mapping_name() which strips the realm from the principal string 
> before looking up the mapping).
>
>
>  [libdefaults]
>           default_realm = IFM.LIU.SE
>
>  [realms]
>           IFM.LIU.SE = {
>                   kdc = as-slave-1.ifm.liu.se
>                   kdc = as-slave-2.ifm.liu.se
>                   kdc = as-master.ifm.liu.se
>                   admin_server = as-master.ifm.liu.se
>                   auth_to_local_realm = AD.IFM.LIU.SE
>                   auth_to_local_names = {
>                          peter86 at LIU.SE = peter
>                   }
>           }
>
>           AD.IFM.LIU.SE = {
>                   kdc = ad-master.ad.ifm.liu.se
>                   kdc = ad-slave.ad.ifm.liu.se
>                   admin_server = ad-master.ifm.liu.se
>                   kpasswd_protocol = SET_CHANGE
>           }
>
>           LYSATOR.LIU.SE = {
>                   kdc = as-master.lysator.liu.se
>                   kdc = as-slave.lysator.liu.se
>                   admin_server = as-master.lysator.liu.se
>           }
>
>           LIU.SE = {
>                   kdc = bulldog.unit.liu.se
>                   admin_server = bulldog.unit.liu.se
>           }
>
>  I'm now running out of ideas on how to solve this. Tried the "auth_to_local 
> RULE" variant, but it seems that hack only supported one RULE on Solaris 10 
> (perhaps it supports more in OpenSolaris?)
>
>  Anyone got some other ideas?
>

Maybe I'm missing something, but the authenticated user is in the LIU.SE
realm, no?  If so then why is there no mapping defined in the realm's
relation subsection?

-- 
Shawn.
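Added illustration (not code from either poster or from the krb5 sources): a small Python model of the two behaviours the thread discusses. The first function models the realm-stripped auth_to_local_names lookup Peter describes; the second is a simplified evaluator for the MIT-style `auth_to_local = RULE:[n:string](regexp)s/pattern/replacement/` syntax, used here to show how a realm-anchored rule maps peter86@LIU.SE without also accepting peter86 from other realms. The principals are constructed from the cases in the thread, and the evaluator is an assumption about the format, not the library's own parser.

```python
import re

# Constructed sample principals, taken from the cases discussed in the thread.
PRINCIPALS = [
    "peter@IFM.LIU.SE",
    "peter@AD.IFM.LIU.SE",
    "peter86@LIU.SE",
    "peter86@LYSATOR.LIU.SE",
    "peter86@HACKERS-R-US.COM",
]

# RULE:[n:string](regexp)s/pattern/replacement/[g]  (simplified grammar, assumed)
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def names_lookup_realm_stripped(principal, auth_to_local_names):
    """Model the lookup Peter describes: the realm is dropped before the
    auth_to_local_names table is consulted, so a "peter86 = peter" entry
    matches peter86@<any realm>, and a "peter86@LIU.SE = peter" entry
    never matches at all."""
    name = principal.split("@", 1)[0]
    return auth_to_local_names.get(name)


def apply_rule(principal, rule):
    """Evaluate one MIT-style RULE. $0 is the realm, $1..$n the principal
    components. Returns the local name, or None when the rule does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomp, fmt, regexp, pat, repl, flag = m.groups()
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    if len(comps) != int(ncomp):
        return None                      # component count must match n
    formatted = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, 1):
        formatted = formatted.replace("$%d" % i, comp)
    if not re.search(regexp, formatted):
        return None                      # realm-anchored regexp did not match
    return re.sub(pat, repl, formatted, count=0 if flag else 1)


if __name__ == "__main__":
    stripped = {p: names_lookup_realm_stripped(p, {"peter86": "peter"}) for p in PRINCIPALS}
    print("realm-stripped names lookup:", stripped)
    rule = r"RULE:[1:$1@$0](^peter86@LIU\.SE$)s/^.*$/peter/"
    print("realm-anchored RULE:", {p: apply_rule(p, rule) for p in PRINCIPALS})
```

Note that Peter reports Solaris 10 honouring only a single RULE, so on that platform one such rule would have to cover every realm-specific mapping needed.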