I am trying to understand the method in which auth_to_local determines "local names" for mapping purposes. According to the docs:
"This tag allows you to set a general rule for mapping principal names to local user names"

I have an application which is utilizing AD for Kerberos logins (and LDAP data). The application can be configured in two modes:

1) The application can be configured to prepend the NT (short) domain name (e.g. `DOMAIN\`); logins will require only the format `username`.
- a `whoami`/`id -un` will result in `username`
- `getent passwd user` will result in a hit in the same format (as expected)
- `getent passwd DOMAIN\\username` will *also* result in a hit (same format as `getent passwd username`)
- NSS calls (e.g. `ls -l`) will return just `username`

In other words:
- when we prepend the domain name, we are able to resolve the user through either the username or the fully qualified name, but the system will always return the username only
- although only `username` is required, `DOMAIN\username` can still be used to resolve users

To get SSO working, my auth_to_local rule is the following:

    auth_to_local = RULE:[1:$0\$1](^DOMAIN\.COM\\.*)s/^DOMAIN\.COM\\//

This converts the [email protected] UPN to `DOMAIN.COM\username`, then it replaces `DOMAIN.COM` with null to result simply in `username`. The `username` format is then recognized by the remote system and all works as expected. Additionally, the `DOMAIN\username` format also works in this method. In short, no problems here.

HOWEVER, the second mode:

2) The application is configured to require the full NT style syntax; logins will require the format `DOMAIN\username`.
- a `whoami`/`id -un` will result in `DOMAIN\username`
- `getent passwd DOMAIN\\username` will result in a hit in the same format (FQDN)
- `getent passwd username` will not return data (as expected, since we have no prepended domain)
- NSS calls (e.g. `ls -l`) will return `DOMAIN\username`

The above auth_to_local rule is not working. I have found that in order to properly map users when using method A, I create a rule like this:

    auth_to_local = RULE:[1:$0\$1](^DOMAIN\.COM\\.*)s/^DOMAIN\.COM/DOMAIN/

This converts the [email protected] UPN to `DOMAIN.COM\username`, then it replaces `DOMAIN.COM` with `DOMAIN` to result in `DOMAIN\username`. The `DOMAIN\username` format is recognized by the remote system and all works as expected.

I then attempted to use this new auth_to_local rule with mode #1 (prepending the `DOMAIN\`), since, in this mode, we can process both the `DOMAIN\username` and `username` formats. However, even though this auth_to_local rule will now output `DOMAIN\username`, and the system can resolve (id, getent) that syntax, the rule does not work.

The question is: why must the auth_to_local rule be updated to return only the `user` format for this to work? How and where is this local user being determined? Ideally I am trying to craft a rule that would work in all scenarios; I see no reason why the rule from #2 would not support both configurations. I am also trying to not rely on a .k5login file (which would make this whole mapping unnecessary, I believe).

Thank you for your time.

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
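To make the mechanics of the two rules in the post visible, here is an added example (not code from the post, the application, or MIT krb5) that models the `RULE:[n:string](regexp)s/pattern/replacement/` syntax in Python and runs both rules over the constructed principal `username@DOMAIN.COM`. The model follows the documented semantics: the principal is split into its components and realm, it is skipped unless it has exactly n components, `$0` is replaced by the realm and `$N` by component N (every other character in the format string, including the backslash in `$0\$1`, is copied literally, an assumption of this toy), the selector regexp has to match the whole formatted string, and the sed-style substitutions are then applied in order. Regexps are evaluated with Python `re` rather than the POSIX engine krb5 uses, which is equivalent for the patterns shown but not for every pattern. The important property the example demonstrates is that a rule is a pure string transformation: whatever string it produces is the "local name" handed back to the caller, so it has to match, byte for byte, whatever form the consuming application or login module compares it against or looks up.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample principal from the post's scenario (not a real account).
SAMPLE_PRINCIPAL = "username@DOMAIN.COM"

# The two auth_to_local rules quoted in the post, verbatim.
RULE_SHORT = r"RULE:[1:$0\$1](^DOMAIN\.COM\\.*)s/^DOMAIN\.COM\\//"
RULE_NT = r"RULE:[1:$0\$1](^DOMAIN\.COM\\.*)s/^DOMAIN\.COM/DOMAIN/"


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into ([components], realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def _scan_until(s: str, i: int, stop: str,
                nest: Optional[Tuple[str, str]] = None) -> Tuple[str, int]:
    """Collect text from s[i:] up to an unescaped `stop`; return (text, index after stop).
    A backslash escapes the next character (both are kept). With nest=(open, close),
    nested pairs are tracked so a ')' inside the selector regexp does not end it early."""
    out, depth = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            out.append(s[i:i + 2])
            i += 2
            continue
        if nest and c == nest[0]:
            depth += 1
        elif c == stop and depth == 0:
            return "".join(out), i + 1
        elif nest and c == nest[1]:
            depth -= 1
        out.append(c)
        i += 1
    raise ValueError("unterminated rule component, expected %r" % stop)


class AuthToLocalRule:
    """Toy model of one RULE: entry: [n:fmt](selector)s/pat/repl/[g]..."""

    def __init__(self, rule: str):
        if not rule.startswith("RULE:["):
            raise ValueError("only RULE:[...] entries are modelled here")
        i = len("RULE:[")
        n_str, i = _scan_until(rule, i, ":")
        self.ncomp = int(n_str)
        self.fmt, i = _scan_until(rule, i, "]")
        self.selector: Optional[str] = None
        if i < len(rule) and rule[i] == "(":
            self.selector, i = _scan_until(rule, i + 1, ")", nest=("(", ")"))
        self.subs: List[Tuple[str, str, bool]] = []
        while i < len(rule) and rule[i] == "s":
            delim = rule[i + 1]
            pat, i = _scan_until(rule, i + 2, delim)
            repl, i = _scan_until(rule, i, delim)
            glob = i < len(rule) and rule[i] == "g"
            if glob:
                i += 1
            self.subs.append((pat, repl, glob))
        if i != len(rule):
            raise ValueError("trailing text in rule: %r" % rule[i:])

    def _format(self, comps: List[str], realm: str) -> str:
        """Expand $0 (realm) and $N (component N); copy everything else literally."""
        out, i = [], 0
        while i < len(self.fmt):
            if self.fmt[i] == "$" and i + 1 < len(self.fmt) and self.fmt[i + 1].isdigit():
                j = i + 1
                while j < len(self.fmt) and self.fmt[j].isdigit():
                    j += 1
                k = int(self.fmt[i + 1:j])
                out.append(realm if k == 0 else comps[k - 1])
                i = j
            else:
                out.append(self.fmt[i])
                i += 1
        return "".join(out)

    def apply(self, principal: str) -> Optional[str]:
        """Return the mapped local name, or None if this rule does not apply."""
        comps, realm = split_principal(principal)
        if len(comps) != self.ncomp:
            return None
        s = self._format(comps, realm)
        if self.selector is not None and re.fullmatch(self.selector, s) is None:
            return None
        for pat, repl, glob in self.subs:
            s = re.sub(pat, repl, s, count=0 if glob else 1)
        return s


def map_principal(rules: str, principal: str, default_realm: str) -> Optional[str]:
    """Try each whitespace-separated auth_to_local entry in order; first hit wins.
    DEFAULT maps a single-component principal in the default realm to that component."""
    for entry in rules.split():
        if entry == "DEFAULT":
            comps, realm = split_principal(principal)
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        local = AuthToLocalRule(entry).apply(principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for rule in (RULE_SHORT, RULE_NT):
        print(rule, "->", repr(AuthToLocalRule(rule).apply(SAMPLE_PRINCIPAL)))
```

Running it prints `'username'` for the first rule and `'DOMAIN\\username'` for the second; a principal from another realm or with two components falls through both rules and returns None, which is when the next auth_to_local entry (or DEFAULT) gets its turn.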
