On Jun 27, 2007, at 1:30 PM, Peter Eriksson wrote:

> I'm investigating how to set up a really transparent trust between
> two realms (1: Unix/Solaris - "IFM.LIU.SE", and 2: Microsoft AD:
> "AD.IFM.LIU.SE") so that PC users authenticated to the AD system
> can access services handled by the Solaris realm (for example being
> able to access the mail system (SMTP AUTH and IMAP) and other stuff...)
>
> Anyway, while doing that I'm currently looking at how to configure our
> Solaris servers' /etc/krb5.conf so that the users in the AD.IFM.LIU.SE
> realm can be mapped to their right Unix userids (the login names are
> identical). I *think* the answer to that is the auth_to_local stuff, but
> the documentation is really vague on how to _use_ it. And also, on
> Solaris 10 update 3 the man page for krb5.conf only talks about
> auth_to_local_realm, whereas some guides I've found on the net talk
> about auth_to_local. A "strings" on the mech_krb5.so file seems to
> indicate though that both exist (and a third, auth_to_local_names).
>
> Does *anyone* actually know how these are used?

In a word, no. ;-)

If you look in the [realms] section of the krb5.conf man page there is some descriptive information. If you look at the admin-guide.ps file in the MIT distribution there is a little more information. Reading it I would suggest you try:

    [realms]
    ...
    AD.IFM.LIU.SE = {
        ...
        auth_to_local = DEFAULT
    }

------------------------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
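
Added example, not part of the original thread and not MIT or Solaris code: a small Python model of how auth_to_local rules are evaluated, following the DEFAULT and RULE:[n:string](regexp)s/pattern/replacement/ semantics described in the MIT krb5.conf documentation. It assumes Solaris's mech_krb5 behaves the same way and that Python's `re` stands in for POSIX regular expressions; the rules and principals are constructed samples, and `map_principal` is a hypothetical helper name.

```python
import re

# RULE:[n:string](regexp)s/pattern/replacement/g ; regexp and s/// are optional
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g?))?")

def map_principal(principal, rules, default_realm):
    """Return the local user name, or None when no rule applies."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT applies only to single-component principals
            # that belong to the local default realm.
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        m = RULE_RE.fullmatch(rule)
        if not m:
            raise ValueError(f"unsupported rule: {rule}")
        n, fmt, regexp, pat, repl, glob = m.groups()
        if int(n) != len(comps):
            continue  # rule only applies to principals with n components
        # Build the selection string: $0 is the realm, $1..$n the components.
        parts = [realm] + comps
        sel = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
        # The regexp has to match the whole selection string.
        if regexp is not None and not re.fullmatch(regexp, sel):
            continue
        if pat is not None:
            sel = re.sub(pat, lambda _: repl, sel, count=0 if glob else 1)
        return sel
    return None

# Constructed sample configuration for the two realms in the question.
DEFAULT_REALM = "IFM.LIU.SE"
ONLY_DEFAULT = ["DEFAULT"]
WITH_AD_RULE = [r"RULE:[1:$1@$0](.*@AD\.IFM\.LIU\.SE)s/@.*//", "DEFAULT"]
# No realm check at all: maps a single-component principal from ANY realm.
OVERBROAD = ["RULE:[1:$1]"]

if __name__ == "__main__":
    for p in ("peter@IFM.LIU.SE", "peter@AD.IFM.LIU.SE",
              "peter/admin@AD.IFM.LIU.SE", "peter@OTHER.EXAMPLE"):
        for label, rules in (("DEFAULT only", ONLY_DEFAULT),
                             ("AD rule", WITH_AD_RULE),
                             ("over-broad", OVERBROAD)):
            print(f"{p:28} {label:13} ->", map_principal(p, rules, DEFAULT_REALM))
```

Anchoring the regexp to the trusted realm is what keeps principals from any other cross-realm path from being mapped onto local accounts.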