Try something like what we used to use, see below.
This basically says if it is in the other realm, drop the
@realm from the principal to get the local username.
Markus Moeller wrote:
> I am not sure if I understand the rules. I have two domains which trust each
> other and I'd like to avoid the use of a .k5login to allow a user of one
> domain to login into a system of the other. Can I do the following ?
>
> On a host server.a.com can I have a config file like:
>
> [libdefaults]
> default_realm = A.COM
>
> [realms]
> A.COM = {
> kdc = kdc.a.com
> admin_server = kdc.a.com
> auth_to_local = {
> RULE:[1:$1]([EMAIL PROTECTED])s/@.*/-a/
RULE:[1:[EMAIL PROTECTED]([EMAIL PROTECTED])s/@B.COM//
> DEFAULT
> }
> }
> B.COM = {
> kdc = kdc.b.com
> admin_server = kdc.b.com
> auth_to_local = {
> RULE:[1:$1]([EMAIL PROTECTED])s/@.*/-b/
RULE:[1:[EMAIL PROTECTED]([EMAIL PROTECTED])s/@A.COM//
> DEFAULT
> }
> }
> [domain_realm]
> .a.com = A.COM
> .b.com = B.COM
>
> which maps a [EMAIL PROTECTED] to user-a and a [EMAIL PROTECTED] to user-b ?
> I am also not sure if I login as [EMAIL PROTECTED] on server.a.com will the
> realm section for A.COM be used or the section for B.COM ?
>
> Is there a way to debug/test the rules ?
>
> Thank you
> Markus
>
>
> "Russ Allbery" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>
>>Markus Moeller <[EMAIL PROTECTED]> writes:
>>
>>
>>>Is there anywhere a documentation of how to use RULES with auth_to_local
>>>?
>>
>>Yeah, it's in the info documentation, in the krb5-admin doc under
>>Configuration Files / krb5.conf / realms.
>>
>>--
>>Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
>
>
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
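
On the question of how to test the rules: the following is an added example, not part of the original messages and not MIT's code. It is a simplified model of how an auth_to_local list is evaluated, with Python's `re` standing in for POSIX regexes. The rule strings are constructed, because the rules in the thread are redacted by the archive, and `STRIP`, `SUFFIX` and the function names are hypothetical.

```python
import re

# Simplified model: RULE:[n:format](regexp)s/pattern/replacement/[g], then DEFAULT.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?((?:s/[^/]*/[^/]*/g?)*)$")
SUB_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")

def apply_rule(rule, principal, default_realm):
    """Return the local name one rule produces, or None if it does not apply."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    n, fmt, regexp, subs = m.groups()
    if int(n) != len(comps):
        return None  # rule is for principals with a different component count
    # Build the selection string: $0 is the realm, $1..$n are the components.
    sel = re.sub(r"\$(\d)", lambda d: ([realm] + comps)[int(d.group(1))], fmt)
    # The regexp has to match the whole selection string, not a substring.
    if regexp is not None and not re.fullmatch(regexp, sel):
        return None
    for pat, rep, g in SUB_RE.findall(subs):
        sel = re.sub(pat, rep, sel, count=0 if g else 1)
    return sel

def auth_to_local(rules, principal, default_realm):
    """First rule that applies wins; None means no local account mapping."""
    for rule in rules:
        out = apply_rule(rule, principal, default_realm)
        if out is not None:
            return out
    return None

# Constructed rule lists for a host whose default realm is A.COM.
STRIP = [r"RULE:[1:$1@$0](.*@B\.COM)s/@B\.COM//", "DEFAULT"]   # drop the realm
SUFFIX = [r"RULE:[1:$1@$0](.*@B\.COM)s/@.*/-b/", "DEFAULT"]    # tag the realm

if __name__ == "__main__":
    for rules in (STRIP, SUFFIX):
        for p in ("alice@A.COM", "alice@B.COM", "alice/admin@B.COM", "bob@C.ORG"):
            print(rules[0], p, "->", auth_to_local(rules, p, "A.COM"))
```

With `STRIP`, alice in A.COM and alice in B.COM both land on the local account `alice`, so dropping the realm is only safe when both realms assign a given username to the same person; `SUFFIX` keeps the two apart.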