Hi,

this works for me:

auth_to_local = RULE:[2:$1;$...@$0](root;....@somerealm)s/;....@somerealm//g

If

Mark Pröhl

[email protected] wrote:
> Hi folks
>
> I'm struggling with the auth_to_local rule.
> I want the principal root/samehost.some.dom...@somerealm to be mapped to the
> user root.
> I created the following auth_to_local rule in krb5.conf
> auth_to_local = RULE:[2:$2/$...@$0](\/....@somerealm)s/\/....@.*//
>
> I wrote a sample test program in order to verify the authorization part:
> #include <krb5.h>
> #include <stdio.h>
> #include <stdlib.h>   /* exit() */
>
> int main(int argc, const char **argv){
>     if (argc != 3) {
>         fprintf(stderr,"Number of arguments incorrect\n");
>         fprintf(stderr,"1) Kerberos Principal 2) Mapped Local User\n");
>         exit(1);
>     }
>     krb5_context context;
>     krb5_principal client;
>     krb5_boolean logon;
>
>     krb5_init_context(&context);
>     /* Parse the principal name given as the first argument */
>     krb5_parse_name(context,argv[1],&client);
>
>     /* Ask whether this principal may log in as the given local user */
>     logon = krb5_kuserok(context, client, (char *)argv[2]);
>     if (logon)
>         fprintf(stdout,"Principal %s is authorized to login as user %s\n",(char *)argv[1],(char *)argv[2]);
>     else
>         fprintf(stderr,"Principal %s is NOT authorized to login as user %s\n",(char *)argv[1],(char *)argv[2]);
>
>     krb5_free_principal(context, client);
>     krb5_free_context(context);
>     return 0;
> }
>
> Unfortunately, my test program always says the following:
>
> ./krb5 root/samehost.some.dom...@somerealm root
> Principal root/samehost.some.dom...@somerealm is NOT authorized to login as
> user root
>
> What's wrong with my rule? The transformation rule is correct AFAIK.
>
> Thanks for your help!
>
> Met vriendelijke groet
> Best regards
> Bien à vous
>
> Miguel SANDERS
> ArcelorMittal Gent
>
> UNIX Systems & Storage
> IT Supply Western Europe | John Kennedylaan 51
> B-9042 Gent
>
> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
> E [email protected]
> www.arcelormittal.com/gent
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
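
Added example, not part of the original thread and not MIT krb5 code: a simplified Python model of how a rule of the documented form RULE:[n:format](regexp)s/pattern/replacement/g turns a principal into a local name, so a rule can be checked against both the principal it should map and the ones it must not. The rule, realm and principals are constructed values; whole-string matching of the regexp and the use of Python's re in place of POSIX regex are assumptions of the model.

```python
import re

# Simplified model of the documented krb5.conf rule form
#   RULE:[n:format](regexp)s/pattern/replacement/g
# Assumptions: no ")" inside regexp, no "/" inside the s/// parts, and
# Python's re standing in for the POSIX regex engine.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"        # [n:format]
    r"(?:\(([^)]*)\))?"               # optional (regexp)
    r"(?:s/([^/]*)/([^/]*)/(g?))?$"   # optional s/pattern/replacement/[g]
)

# Constructed sample values, not taken from the thread.
SAMPLE_RULE = r"RULE:[2:$1;$2@$0](root;.*@EXAMPLE\.COM)s/;.*@EXAMPLE\.COM//g"
SAMPLE_PRINCIPAL = "root/host1.example.com@EXAMPLE.COM"


def apply_rule(rule, principal):
    """Return the local name the rule yields, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule syntax: %r" % rule)
    n, fmt, regexp, pattern, replacement, glob = m.groups()
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if len(comps) != int(n):
        return None                    # wrong number of components

    def expand(mo):                    # $0 -> realm, $k -> k-th component
        k = int(mo.group(1))
        if k > len(comps):
            raise ValueError("rule references missing component $%d" % k)
        return realm if k == 0 else comps[k - 1]

    selected = re.sub(r"\$(\d)", expand, fmt)
    # Assumption: the regexp has to match the whole selection string.
    if regexp is not None and re.fullmatch(regexp, selected) is None:
        return None
    if pattern is not None:
        # Replacement is inserted literally; without "g" only the first match.
        selected = re.sub(pattern, lambda _: replacement, selected,
                          count=0 if glob else 1)
    return selected


if __name__ == "__main__":
    for p in (SAMPLE_PRINCIPAL,
              "alice/host1.example.com@EXAMPLE.COM",
              "root@EXAMPLE.COM",
              "root/host1.example.com@OTHER.ORG"):
        print("%-40s -> %r" % (p, apply_rule(SAMPLE_RULE, p)))
```

Only the principal whose first component is root and whose realm matches reaches the substitution; the other three inputs yield None, which is the property to confirm before deploying a rule that maps to root.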
