Jaap Winius <[email protected]> writes:

> On Tue, 12 Aug 2014 17:28:06 -0700, Russ Allbery wrote:

>> I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
>> option is to leave it on and change, in the Kerberos configuration, how
>> local user mapping is done to, for example, treat MYREALM.COM as a
>> second local realm (if that's appropriate).

> That would be okay, but I tried that and it doesn't work. I get this in
> the error log:

> krb5_aname_to_localname() found no mapping for principal
> [email protected]

That sounds like you didn't get the right aname_to_localname configuration
in your krb5.conf file, since it can't find a mapping.

> So, not only is this second realm name not being stripped off as a
> result, both the 'jwinius' and '[email protected]' entries in the
> 'require user' list are ignored. That may make sense from a security
> standpoint, as those two entries don't have to be the same person.

Yes, the default behavior of krb5_aname_to_localname is to only strip the
local realm. You need explicit configuration to tell it what the safe
transforms are.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
