Hi folks,

As I make progress with my Kerberos configuration for Apache, cross-realm support leaves something to be desired.

First, I started out with this configuration for libapache2-mod-auth-kerb (v5.4-2 on Debian wheezy):

    AuthType Kerberos
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName Any
    Krb5Keytab /etc/apache2/krb5-apache.keytab
    KrbLocalUserMapping On
    AuthName "Example login"

This works fine for local users, but excludes MYREALM.COM users, although the system is configured to support this additional realm.

I fixed it by setting KrbLocalUserMapping to 'off', but now all the authorized login names in the 'require user' list must also include a realm, e.g. [email protected], but also [email protected]. That may not sound so bad, but it also means that those visiting the site without a Kerberos ticket must now enter their login name (for SPNEGO) that way as well, which is not exactly what I was hoping for.

Is this the only way to enable cross-realm support for mod-auth-kerb, or is there a more elegant solution?

Thanks,
Jaap
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
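An added configuration example, not from the thread or the mod_auth_kerb project, showing one direction worth testing: with KrbLocalUserMapping On, mod_auth_kerb maps the authenticated principal through krb5_aname_to_localname(), which on an MIT-linked build consults the auth_to_local rules of the default realm in /etc/krb5.conf, so the second realm can be mapped there while the 'require user' list keeps plain local names. Realm names are taken from the post; the KDC hostnames and the surrounding file layout are assumed.

```ini
# /etc/krb5.conf (assumed layout; EXAMPLE.COM and MYREALM.COM are the realms
# named in the post, the kdc/admin_server hostnames are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        # Rules are read from the default realm's stanza and tried in order.
        # Map single-component MYREALM.COM principals to the bare name,
        # so alice@MYREALM.COM becomes the local user "alice".
        auth_to_local = RULE:[1:$1@$0](.*@MYREALM\.COM)s/@MYREALM\.COM//
        # Keep the stock behaviour for the local realm: single-component
        # EXAMPLE.COM principals map to their first component.
        auth_to_local = DEFAULT
    }
    MYREALM.COM = {
        kdc = kdc.myrealm.com
        admin_server = kdc.myrealm.com
    }
```

Note that the rule above makes alice@EXAMPLE.COM and alice@MYREALM.COM the same local user to Apache; if the two realms share no identity namespace, map the second realm to a distinct prefix instead (e.g. `RULE:[1:myrealm-$1@$0](.*@MYREALM\.COM)s/@MYREALM\.COM//`, giving `myrealm-alice`) and list those names under 'require user'.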
