Hi folks

I'm struggling with the auth_to_local rule.
I want the principal root/samehost.some.dom...@somerealm to be mapped to the 
user root.
I created the following auth_to_local rule in krb5.conf
        auth_to_local = RULE:[2:$2/$...@$0](\/....@somerealm)s/\/....@.*//

I wrote a sample test program in order to verify the authorization part:
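#include <krb5.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */

int main(int argc, const char **argv){
        if (argc != 3) {
                fprintf(stderr,"Number of arguments incorrect\n");
                fprintf(stderr,"1) Kerberos Principal 2) Mapped Local User\n");
                exit(1);
        }
        krb5_context context;
        krb5_principal client;
        krb5_boolean logon;

        /* Set up the library context; this is where krb5.conf is read */
        if (krb5_init_context(&context)) {
                fprintf(stderr,"Cannot initialize Kerberos context\n");
                exit(1);
        }
        /* Parse the principal name given as first argument */
        if (krb5_parse_name(context,argv[1],&client)) {
                fprintf(stderr,"Cannot parse principal %s\n",argv[1]);
                krb5_free_context(context);
                exit(1);
        }

        /* Ask the library whether the principal may log in as the local user */
        logon = krb5_kuserok(context, client, (char *)argv[2]);
        if (logon)
                fprintf(stdout,"Principal %s is authorized to login as user %s\n",(char *)argv[1],(char *)argv[2]);
        else
                fprintf(stderr,"Principal %s is NOT authorized to login as user %s\n",(char *)argv[1],(char *)argv[2]);

        krb5_free_principal(context, client);
        krb5_free_context(context);
        return 0;
}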

Unfortunately, my test program always says the following:

./krb5 root/samehost.some.dom...@somerealm root
Principal root/samehost.some.dom...@somerealm is NOT authorized to login as 
user root

What's wrong with my rule? The transformation rule is correct AFAIK.

Thanks for your help!

Met vriendelijke groet
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E [email protected]
www.arcelormittal.com/gent


________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
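
Added example, not part of the original post and not MIT krb5 code: a small evaluator for auth_to_local RULE expressions that shows, step by step, which local name a rule yields for a principal. The rule in the post is partly masked by the archive, so the realm, host and both rules below are constructed; the evaluator assumes the selector regexp must match the whole selection string, that the replacement is literal text, and it uses Python regexps in place of POSIX extended ones.

```python
import re

# RULE:[n:format](selector)s/pattern/replacement/g  (selector and s/// are optional)
# Simplification: selectors containing nested parentheses are not handled.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(((?:[^)\\]|\\.)*)\))?(.*)$")
SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")

def apply_rule(rule, principal):
    """Return the local name the rule produces, or None if it does not apply."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a RULE: expression")
    ncomp, fmt, selector, subs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    name, _, realm = principal.rpartition("@")
    fields = [realm] + name.split("/")          # $0 = realm, $1.. = components
    if len(fields) - 1 != ncomp:                # n must equal the component count
        return None
    if any(int(d) >= len(fields) for d in re.findall(r"\$(\d)", fmt)):
        raise ValueError("format refers to a missing component")
    selected = re.sub(r"\$(\d)", lambda d: fields[int(d.group(1))], fmt)
    # Assumption: the selector has to cover the whole selection string.
    if selector is not None and not re.fullmatch(selector, selected):
        return None
    for pattern, repl, flag in SUB_RE.findall(subs):
        # Literal replacement; without the g flag only the first match changes.
        selected = re.sub(pattern, lambda _m: repl, selected, count=0 if flag else 1)
    return selected

# Constructed sample values (realm, host and rules are not from the post).
PRINCIPAL = "root/host.example.test@EXAMPLE.TEST"
RULE_FULL = r"RULE:[2:$1/$2@$0](root/.*@EXAMPLE\.TEST)s/\/.*//"
RULE_PARTIAL = r"RULE:[2:$1/$2@$0](\/.*@EXAMPLE\.TEST)s/\/.*//"

if __name__ == "__main__":
    for rule in (RULE_FULL, RULE_PARTIAL):
        print(rule, "->", apply_rule(rule, PRINCIPAL))
```

In MIT krb5, krb5_kuserok also consults the target user's ~/.k5login when that file exists, so a rule that maps to root is only part of the authorization decision.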
