On Wed, 13 Aug 2014 18:12:20 -0700, Russ Allbery wrote:
> Hm, I don't think that's the case with MIT Kerberos, ...
Well, I tried it out anyway, but it didn't work. In Apache I set
KrbAuthRealms to include both realms and left KrbLocalUserMapping set to
'On', while in krb5.conf I had:
[realms]
    EXAMPLE.COM = {
        admin_server = server1.example.com
    }
    MYREALM.COM = {
        admin_server = server1.myrealm.com
        auth_to_local = DEFAULT
    }
* Note: the KDCs are located via DNS.
In this case, the browser for my cross-realm account got an "Internal
Server Error" message when visiting the site, while the Apache error log
said:
krb5_aname_to_localname() found no mapping for principal
[email protected]
So, it doesn't look like the auth_to_local setting was influencing the
matter at all.
On the other hand, when I applied 'auth_to_local = DEFAULT' to EXAMPLE.COM
instead of MYREALM.COM, set KrbLocalUserMapping to 'Off', made sure
[email protected] was not included in the 'require user' list, and used
a browser on an EXAMPLE.COM client to access the site, the response was
'Authorization Required' with this in the Apache error log:
user '[email protected]' does not meet 'require'ments for user/valid-user to be allowed access
So, either my 'auth_to_local = DEFAULT' setting isn't working at all, or
Apache just isn't picking up on the result.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
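The two experiments above hinge on where MIT Kerberos looks for auth_to_local and on what the DEFAULT rule actually accepts. The following is an added example, not code from the thread or from MIT krb5: a small Python model of the documented krb5_aname_to_localname() semantics. MIT reads the auth_to_local list from the [realms] stanza of the host's own default realm (assumed here to be EXAMPLE.COM, which the post does not state), and DEFAULT only maps single-component principals that are in that default realm. So a DEFAULT placed under MYREALM.COM is never consulted, and a MYREALM.COM principal arriving at an EXAMPLE.COM host has no mapping unless the EXAMPLE.COM stanza carries a RULE for it. The RULE string below is a constructed illustration; its selector is anchored to the literal foreign realm so that principals from any other realm are rejected rather than silently mapped onto local accounts.

```python
import re

# Assumption (not stated in the thread): the Apache host's default realm,
# i.e. the stanza whose auth_to_local list MIT krb5 consults.
DEFAULT_REALM = "EXAMPLE.COM"


def parse_principal(princ):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = princ.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % princ)
    return name.split("/"), realm


def apply_default(components, realm):
    """DEFAULT: only a single-component principal in the default realm maps."""
    if realm == DEFAULT_REALM and len(components) == 1:
        return components[0]
    return None


def apply_rule(rule, components, realm):
    """RULE:[n:string](regexp)s/pattern/replacement/[g] (simplified model)."""
    m = re.match(r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)(.*)$", rule)
    if not m:
        raise ValueError("bad rule: %r" % rule)
    ncomp, fmt, selector, subst = m.groups()
    if int(ncomp) != len(components):  # rule applies to n-component names only
        return None
    # Build the selection string: $0 is the realm, $1..$n the components
    # (fewer than ten components assumed, so "$1" never collides with "$10").
    selstring = fmt.replace("$0", realm)
    for i, comp in enumerate(components, 1):
        selstring = selstring.replace("$%d" % i, comp)
    # The selector regexp must match the whole selection string.
    sel = re.match(selector, selstring)
    if not sel or sel.end() != len(selstring):
        return None
    result = selstring
    for sm in re.finditer(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)", subst):
        pat, rep, g = sm.groups()
        result = re.sub(pat, rep, result, count=0 if g else 1)
    return result


def aname_to_localname(princ, rules):
    """First rule that yields a name wins; None mirrors 'found no mapping'."""
    components, realm = parse_principal(princ)
    for rule in rules:
        out = apply_default(components, realm) if rule == "DEFAULT" \
            else apply_rule(rule, components, realm)
        if out is not None:
            return out
    return None


# Scenario 1 (as posted): DEFAULT sits under MYREALM.COM, which the host never
# reads, so the effective list for EXAMPLE.COM is just the implicit DEFAULT.
RULES_AS_POSTED = ["DEFAULT"]

# Scenario 2 (constructed): a RULE under EXAMPLE.COM mapping single-component
# MYREALM.COM principals to the bare name; other realms still fail.
RULES_WITH_CROSS_REALM = [
    r"RULE:[1:$1@$0](.*@MYREALM\.COM)s/@MYREALM\.COM//",
    "DEFAULT",
]

if __name__ == "__main__":
    for princ in ("alice@EXAMPLE.COM", "alice@MYREALM.COM",
                  "bob@OTHER.COM", "alice/admin@EXAMPLE.COM"):
        print(princ, "->", aname_to_localname(princ, RULES_AS_POSTED),
              "|", aname_to_localname(princ, RULES_WITH_CROSS_REALM))
```

The model reproduces the first error in the post: with only DEFAULT in effect, a MYREALM.COM principal maps to nothing, which is what mod_auth_kerb reports as "found no mapping". With the RULE in the default realm's stanza the foreign principal maps to a local name, while a principal from any third realm or with an extra component is still refused.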