On Mon, 7 Feb 2011 18:12:37 +0000 Brian Candler <[email protected]> wrote:
> Solution 2: you can map all [email protected] to [email protected]
>
> In krb5.conf (on the FreeBSD server) this would be something like:
>
> [realms]
> M.DOMAIN.COM = {
> auth_to_local =
> RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$//
> auth_to_local = DEFAULT }
>
> WARNING: not tested. You need to triple-check that's right, as it
> could open you up to various holes if not correct. The syntax is
> interesting, to say the least. Also, you need to make sure that
> [email protected] and [email protected] are never two different
> people. But it's a one-off config change on each host.

If you want separate users you can also create users with a
prefix/suffix as part of the user name for the "foreign" users:

    user-MEL or MEL.DOMAIN.COM-username

They may not look pretty but would get the job done w/o risk of having
collisions as long as the main domain username assignment follows
minimal rules.

First form:

    RULE:[1:$1@$0](^.*@MEL\.DOMAIN\.COM$)s/@MEL.DOMAIN.COM$/-MEL/

Second form:

    RULE:[1:$1@$0](^.*@.*$)s/(^.*)@(.*$)/\2-\1/

I haven't tested this last one, so I am not sure the syntax is correct,
but it should be possible to get to a working syntax.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
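An added example, not part of the original thread: a simplified Python model of how the realm-stripping rule and the "-MEL" suffix rule quoted above map principals to local users, used to check a principal list for the collision the thread warns about. It assumes a default realm named HQ.DOMAIN.COM and constructed principals, uses Python's `re` in place of the regex engine a Kerberos library uses, and its `to_local` and `collisions` helpers are hypothetical names.

```python
import re
from collections import defaultdict

DEFAULT_REALM = "HQ.DOMAIN.COM"  # constructed; assumed default realm of the host

# (selection regex, sed pattern, replacement), taken from the rules in the thread.
# Both apply to one-component principals formatted as "$1@$0" (name@realm).
STRIP_RULE = (r"^.*@MEL\.DOMAIN\.COM$", r"@MEL.DOMAIN.COM$", "")
SUFFIX_RULE = (r"^.*@MEL\.DOMAIN\.COM$", r"@MEL.DOMAIN.COM$", "-MEL")

def to_local(principal, rules):
    """Return the local user name for a principal, or None if nothing maps it."""
    name, _, realm = principal.partition("@")
    if "/" in name:                      # [1:...] rules take exactly one component
        return None
    formatted = f"{name}@{realm}"        # the "$1@$0" format string
    for select, pattern, repl in rules:
        if re.fullmatch(select, formatted):
            # s/pattern/repl/ without the g flag: first match only
            return re.sub(pattern, repl, formatted, count=1)
    # Simplified auth_to_local = DEFAULT: default-realm principals keep their name
    return name if realm == DEFAULT_REALM else None

def collisions(principals, rules):
    """Return local names that more than one distinct principal maps to."""
    owners = defaultdict(list)
    for p in principals:
        local = to_local(p, rules)
        if local is not None:
            owners[local].append(p)
    return {user: ps for user, ps in owners.items() if len(ps) > 1}

# Constructed sample principals
PRINCIPALS = ["alice@HQ.DOMAIN.COM", "alice@MEL.DOMAIN.COM",
              "bob@MEL.DOMAIN.COM", "carol@OTHER.DOMAIN.COM"]

if __name__ == "__main__":
    for label, rule in (("strip realm", STRIP_RULE), ("-MEL suffix", SUFFIX_RULE)):
        print(label)
        for p in PRINCIPALS:
            print(f"  {p} -> {to_local(p, [rule])}")
        print("  collisions:", collisions(PRINCIPALS, [rule]))
```

The suffix form only stays collision-free while no default-realm account already ends in "-MEL", which is the "minimal rules" condition mentioned in the reply.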
