I'm investigating how to set up a really transparent trust between two realms (1: Unix/Solaris - "IFM.LIU.SE", and 2: Microsoft AD: "AD.IFM.LIU.SE") so that PC users authenticated to the AD system can access services handled by the Solaris realm (for example, being able to access the mail system (SMTP AUTH and IMAP) and other stuff)...
Anyway, while doing that I'm currently looking at how to configure our Solaris servers' /etc/krb5.conf so that the users in the AD.IFM.LIU.SE realm can be mapped to their right Unix userids (the login names are identical). I *think* the answer to that is the auth_to_local stuff, but the documentation is really vague on how to _use_ it. And also, on Solaris 10 update 3 the man page for krb5.conf only talks about auth_to_local_realm, whereas some guides I've found on the net talk about auth_to_local. A "strings" on the mech_krb5.so file seems to indicate though that both exist (and a third, auth_to_local_names). Does *anyone* actually know how these are used?

(Yes, I'm a bit frustrated. I finally, after many hours, figured out why Thunderbird would refuse to talk to my SSLified Dovecot IMAP server - when openssl worked, on some machines. I needed to install the SUNWcry packages... But now I've finally got GSSAPI/SSL/SMTP/IMAP working in all combinations :-)
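The mapping asked about above, as an added example that is not part of the original post: a small Python model of how an MIT Kerberos style `auth_to_local` RULE turns a principal into a local name, run against the two realms named in the post. It assumes MIT rule syntax (the post notes the Solaris 10 update 3 man page documents only auth_to_local_realm); the user `alice`, the realm `OTHER.EXAMPLE` and the function names are constructed for illustration.

```python
import re

# MIT-style rule: RULE:[n:format](regex)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/(.*?)/(.*?)/(g?))?$")

def apply_rule(rule, principal):
    """Return the local name this rule yields, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, regex, pat, repl, glob = m.groups()
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if len(comps) != int(n):            # rule only applies to n-component names
        return None
    parts = [realm] + comps             # $0 is the realm, $1..$n the components
    s = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
    # The regex must match the whole formatted string (Python re stands in
    # for POSIX regex here; the two agree for these simple patterns).
    if regex is not None and not re.fullmatch(regex, s):
        return None
    if pat is not None:                 # sed-style rewrite of the result
        s = re.sub(pat, repl, s, count=0 if glob else 1)
    return s

def auth_to_local(rules, principal, default_realm):
    """Try each rule in order; the first one that applies decides the name."""
    for rule in rules:
        if rule == "DEFAULT":
            name, _, realm = principal.rpartition("@")
            if realm == default_realm and "/" not in name:
                return name
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None                         # no mapping: access should be denied

# Constructed rule sets for the default realm IFM.LIU.SE.
# STRICT accepts single-component principals from the AD realm only.
STRICT = [r"RULE:[1:$1@$0](.*@AD\.IFM\.LIU\.SE)s/@.*//", "DEFAULT"]
# LOOSE has no realm check: any realm's "alice" becomes local "alice".
LOOSE = ["RULE:[1:$1]", "DEFAULT"]

if __name__ == "__main__":
    for p in ("alice@AD.IFM.LIU.SE", "alice@IFM.LIU.SE", "alice@OTHER.EXAMPLE"):
        print(p, auth_to_local(STRICT, p, "IFM.LIU.SE"),
              auth_to_local(LOOSE, p, "IFM.LIU.SE"))
```

The realm test inside the rule's regex is what keeps a principal from some other trusted realm from being mapped onto a local account with the same login name.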