On Thu, 2014-08-14 at 20:47 +0000, Jaap Winius wrote:
> On Thu, 14 Aug 2014 09:56:35 -0400, Simo Sorce wrote:
>
> > Keep in mind that this will make [email protected] and [email protected]
> > effectively the same user...
>
> Yes, a nuance that did not escape me. In fact, I imagined that it was for
> security reasons that auth_to_local could only be applied to members of
> the default realm. This meant Greg's solution and explanation was all the
> more surprising to me.
>
> > .. for all applications (including Apache and SSH).
>
> Like I said in my last post, I was worried about that too, but for SSH at
> least it appears not to be a problem: I can use it to connect to the same
> host, run klist and see that I still have a MYREALM.COM tgt. OpenAFS
> doesn't care either. However, I haven't yet tested this with all of the
> other services.

What you observe is expected when you use PAM authentication in OpenSSH (i.e.
you enter username/password at the prompt); however, should you use GSSAPI
authentication instead, then both [email protected] and [email protected] would
be logged in as 'foo'.

> > If you do not want that what you can do is to change the first line to
> > something like:
> >
> > auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/^\(.*\)@MYREALM.COM$/myrealm-\1/
>
> An excellent idea! However, your syntax here is a bit buggy. The
> parentheses in the first half of the substitution string should not be
> escaped, while the '\1' in the replacement doesn't work; it gets
> translated literally, just as $1 is. (Why doesn't it work?)
>
> > or:
> >
> > auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/@myrealm.com/
>
> This works in principle, but an entry shows up in the Apache error log if
> the resulting string has more than 14 characters (even if a string to
> match it exists in the 'require user' list):
>
> krb5_aname_to_localname() failed: Insufficient space to return complete
> information

Sounds like a bug in your mod_auth_kerb module; in Fedora/RHEL I see a patch
to deal with that, which sets the max length to 255.

> So I've come up with this slight modification of your second method:
>
> RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/-m/
>
> This gives '[email protected] => foo-m' and will work for users with login
> names that have up to 12 characters.

As long as it works for you :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
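Added example, not code from this thread and not MIT Kerberos code: a small Python simulator of how the krb5.conf `auth_to_local` entries discussed above are evaluated, so the three rules can be tried against principals from different realms without touching a KDC. It assumes Python's `re` module stands in for the POSIX extended regexps MIT uses, that the `(regexp)` selector has to match the whole formatted `[n:string]` value, that the `s/pattern/replacement/` text is inserted literally (no `\1` backreferences, matching what Jaap observed), and that `max_len` models the size of the buffer the calling application hands to `krb5_aname_to_localname()` (the 14 characters Jaap hit versus the 255 Simo mentions). `HOME.EXAMPLE` is a constructed default realm; the thread does not name the real one. Rules whose selector does not pin the realm are the ones that silently merge `foo` across realms, so the example keeps `@MYREALM.COM` in the selector and shows a foreign-realm principal getting no translation at all.

```python
"""Simulator for krb5.conf auth_to_local RULE/DEFAULT evaluation (illustrative, not MIT code)."""
import re
from typing import List, Optional, Tuple

# Error text copied from the Apache log line quoted in the thread.
INSUFFICIENT_SPACE = "Insufficient space to return complete information"
NO_TRANSLATION = "KRB5_LNAME_NOTRANS"

# RULE:[n:string](regexp)s/pattern/replacement/[g]
# Simplification: '/' inside pattern or replacement is not supported here.
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$")


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


def format_selection(template: str, components: List[str], realm: str) -> str:
    """Expand $0 (realm) and $n (n-th component, 1-based) in the [n:string] template."""
    def repl(m: "re.Match[str]") -> str:
        idx = int(m.group(1))
        return realm if idx == 0 else components[idx - 1]
    return re.sub(r"\$(\d+)", repl, template)


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Return the local name produced by one auth_to_local entry, or None if it does not apply."""
    components, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals in the default realm.
        if len(components) == 1 and realm == default_realm:
            return components[0]
        return None
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unparseable rule: {rule!r}")
    ncomp, template, selector, pattern, replacement, flag = m.groups()
    if int(ncomp) != len(components):
        return None
    selstring = format_selection(template, components, realm)
    # Assumption: the selector must match the entire formatted string, so a rule
    # written as (.*@MYREALM.COM) never fires for principals of another realm.
    if re.fullmatch(selector, selstring) is None:
        return None
    # The replacement is inserted verbatim: a '\1' stays '\1', as seen in the thread.
    count = 0 if flag == "g" else 1
    return re.sub(pattern, lambda _m: replacement, selstring, count=count)


def aname_to_localname(rules: List[str], principal: str, default_realm: str,
                       max_len: int = 255) -> Tuple[Optional[str], Optional[str]]:
    """Walk the rule list in order like krb5_aname_to_localname().

    max_len models the caller's buffer: a result longer than that is reported
    as the 'Insufficient space' failure Jaap saw with mod_auth_kerb.
    Returns (localname, None) on success or (None, error) on failure.
    """
    for rule in rules:
        lname = apply_rule(rule, principal, default_realm)
        if lname is None:
            continue
        if len(lname) > max_len:
            return None, INSUFFICIENT_SPACE
        return lname, None
    return None, NO_TRANSLATION


# The final rule set from the thread; HOME.EXAMPLE is a constructed default realm.
RULES = [
    "RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/-m/",
    "DEFAULT",
]
DEFAULT_REALM = "HOME.EXAMPLE"

if __name__ == "__main__":
    for p in ("foo@MYREALM.COM", "foo@HOME.EXAMPLE", "foo@OTHER.EXAMPLE",
              "foo/admin@MYREALM.COM"):
        print(f"{p:24} -> {aname_to_localname(RULES, p, DEFAULT_REALM)}")
    # Simo's second variant keeps a full realm suffix; with a 14-character
    # buffer it overflows exactly as the Apache error log reported.
    long_rule = ["RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$/@myrealm.com/"]
    print(aname_to_localname(long_rule, "foo@MYREALM.COM", DEFAULT_REALM, max_len=14))
```

Running the module prints `foo@MYREALM.COM -> ('foo-m', None)`, maps `foo@HOME.EXAMPLE` through `DEFAULT` to `foo`, and leaves `foo@OTHER.EXAMPLE` and the two-component `foo/admin@MYREALM.COM` untranslated, which is the behaviour to verify for every rule set before trusting it in `require user` lists: the two realms stay distinct local accounts only because the selector and the `-m` suffix both carry the realm.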
