On Thu, 14 Aug 2014 09:56:35 -0400, Simo Sorce wrote:

> Keep in mind that this will make [email protected] and [email protected]
> effectively the same user...

Yes, a nuance that did not escape me. In fact, I imagined that it was for
security reasons that auth_to_local could only be applied to members of the
default realm. This meant Greg's solution and explanation were all the more
surprising to me.

> .. for all applications (including Apache and SSH).

Like I said in my last post, I was worried about that too, but for SSH at
least it appears not to be a problem: I can use it to connect to the same
host, run klist and see that I still have a MYREALM.COM tgt. OpenAFS doesn't
care either. However, I haven't yet tested this with all of the other
services.

> If you do not want that what you can do is to change the first line to
> something like:
>
> auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/^\(.*\)@MYREALM.COM$/myrealm-\1/

An excellent idea! However, your syntax here is a bit buggy. The parentheses
in the first half of the substitution string should not be escaped, while the
'\1' in the replacement doesn't work; it gets translated literally, just as
$1 is. (Why doesn't it work?)

> or:
>
> auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/@myrealm.com/

This works in principle, but an entry shows up in the Apache error log if the
resulting string has more than 14 characters (even if a string to match it
exists in the 'require user' list):

    krb5_aname_to_localname() failed: Insufficient space to return complete information

So I came up with this slight modification of your second method:

    RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/-m/

This gives '[email protected] => foo-m' and will work for users with login
names that have up to 12 characters.

Cheers,
Jaap

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

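The three rule variants discussed in the message above, worked through with a small emulator of MIT krb5's auth_to_local RULE evaluation. This is an added example written for this page, not code from MIT krb5 or from the list participants. It assumes the behaviour the message reports: the selector must match the whole formatted name, the pattern is an extended regular expression (Python's re module stands in for POSIX ERE here, and like ERE treats `\(` as a literal parenthesis), the replacement text is copied literally so `\1` is not a back-reference, and the 14-character limit is the figure observed in the Apache error log, not a documented krb5 constant. Escaped `/` inside patterns is not supported by the parser.

```python
"""Emulate MIT krb5 auth_to_local RULE evaluation (an approximation written
for this page, not krb5's own code).

Handles RULE:[n:string](selector)s/pattern/replacement/[g]... with the
semantics reported in the thread: the selector must match the whole
formatted name, patterns are regular expressions, and replacement text is
copied literally (no back-references such as \\1).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Length above which the message reports Apache logging
# "krb5_aname_to_localname() failed: Insufficient space to return complete
# information".  14 is taken from that observation (assumption), not from
# any documented krb5 constant.
LOCALNAME_LIMIT = 14


@dataclass
class Rule:
    ncomp: int                        # required number of principal components
    fmt: str                          # $0 = realm, $1..$n = components
    selector: Optional[str]           # regex the formatted name must fully match
    subs: List[Tuple[str, str, bool]] = field(default_factory=list)  # (pattern, repl, global)


def parse_rule(text: str) -> Rule:
    """Parse 'RULE:[n:string](regexp)s/pat/repl/g...' into a Rule."""
    if not text.startswith("RULE:["):
        raise ValueError("not a RULE entry: %r" % text)
    rest = text[len("RULE:["):]
    close = rest.index("]")
    n, fmt = rest[:close].split(":", 1)
    rest = rest[close + 1:]
    selector = None
    if rest.startswith("("):
        close = rest.index(")")                 # selector parens do not nest
        selector = rest[1:close]
        rest = rest[close + 1:]
    subs = []
    while rest:
        if not rest.startswith("s/"):
            raise ValueError("expected s/pattern/replacement/ at: %r" % rest)
        pattern, replacement, rest = rest[2:].split("/", 2)   # no escaped '/' (assumption)
        global_flag = rest.startswith("g")
        if global_flag:
            rest = rest[1:]
        subs.append((pattern, replacement, global_flag))
    return Rule(int(n), fmt, selector, subs)


def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    """Return the local name the rule produces for principal, or None if it does not apply."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if len(comps) != rule.ncomp:
        return None

    def expand(m: "re.Match") -> str:
        i = int(m.group(1))
        if i > len(comps):
            raise ValueError("$%d refers past the last component" % i)
        return realm if i == 0 else comps[i - 1]

    formatted = re.sub(r"\$(\d+)", expand, rule.fmt)
    if rule.selector is not None and re.fullmatch(rule.selector, formatted) is None:
        return None
    result = formatted
    for pattern, replacement, global_flag in rule.subs:
        # A callable replacement makes re.sub copy the text verbatim, so a
        # "\1" in the replacement stays literal, as the message reports.
        result = re.sub(pattern, lambda m, r=replacement: r, result,
                        count=0 if global_flag else 1)
    return result


def fits_localname_buffer(local: str, limit: int = LOCALNAME_LIMIT) -> bool:
    """True if the mapped name is short enough to avoid the reported Apache error."""
    return len(local) <= limit


def map_principal(rules: List[str], principal: str) -> Optional[Tuple[str, bool]]:
    """Try rules in order, as auth_to_local does; return (local_name, fits) or None."""
    for text in rules:
        local = apply_rule(parse_rule(text), principal)
        if local is not None:
            return local, fits_localname_buffer(local)
    return None


if __name__ == "__main__":
    # Constructed sample principals; MYREALM.COM is the placeholder realm from the thread.
    variants = [
        r"RULE:[1:$1@$0](.*@MYREALM.COM)s/^\(.*\)@MYREALM.COM$/myrealm-\1/",   # as quoted (escaped parens)
        r"RULE:[1:$1@$0](.*@MYREALM.COM)s/^(.*)@MYREALM.COM$/myrealm-\1/",     # parens unescaped
        r"RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/@myrealm.com/",
        r"RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/-m/",
    ]
    for rule_text in variants:
        for p in ("foo@MYREALM.COM", "abcdefghijkl@MYREALM.COM", "foo@OTHER.COM"):
            print(rule_text, p, "->", map_principal([rule_text], p))
```

Running the script shows why each variant behaves as described: the quoted rule with `\(`...`\)` never substitutes, the unescaped form yields a literal `myrealm-\1`, the `@myrealm.com` form pushes a three-letter login to 15 characters, and the `-m` suffix keeps names of up to 12 characters within the 14-character limit.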