auth_to_local - Kerberos


Thread: auth_to_local

  1. auth_to_local

    Is there documentation anywhere on how to use RULES with auth_to_local?

    Thanks
    Markus



  2. Re: auth_to_local

    Markus Moeller writes:

    > Is there documentation anywhere on how to use RULES with auth_to_local?


    Yeah, it's in the info documentation, in the krb5-admin doc under
    Configuration Files / krb5.conf / realms.

    --
    Russ Allbery (rra@stanford.edu)

  3. Re: auth_to_local

    I am not sure if I understand the rules. I have two domains which trust each
    other and I'd like to avoid the use of a .k5login to allow a user of one
    domain to log in to a system of the other. Can I do the following?

    On a host server.a.com can I have a config file like:

    [libdefaults]
        default_realm = A.COM

    [realms]
        A.COM = {
            kdc = kdc.a.com
            admin_server = kdc.a.com
            auth_to_local = {
                RULE:[1:$1](.*@A.COM)s/@.*/-a/
                DEFAULT
            }
        }
        B.COM = {
            kdc = kdc.b.com
            admin_server = kdc.b.com
            auth_to_local = {
                RULE:[1:$1](.*@B.COM)s/@.*/-b/
                DEFAULT
            }
        }

    [domain_realm]
        .a.com = A.COM
        .b.com = B.COM

    which maps a user@A.COM to user-a and a user@B.COM to user-b? I am also
    not sure: if I log in as user@B.COM on server.a.com, will the realm section
    for A.COM be used or the section for B.COM?

    Is there a way to debug/test the rules?

    Thank you
    Markus


    "Russ Allbery" wrote in message
    news:87veoc71xu.fsf@windlord.stanford.edu...
    > Markus Moeller writes:
    >
    >> Is there documentation anywhere on how to use RULES with auth_to_local?

    >
    > Yeah, it's in the info documentation, in the krb5-admin doc under
    > Configuration Files / krb5.conf / realms.
    >
    > --
    > Russ Allbery (rra@stanford.edu)




  4. Re: auth_to_local

    Try something like what we used to use, see below.
    This basically says if it is in the other realm, drop the
    @realm from the principal to get the local username.

    Markus Moeller wrote:

    > I am not sure if I understand the rules. I have two domains which trust each
    > other and I'd like to avoid the use of a .k5login to allow a user of one
    > domain to log in to a system of the other. Can I do the following?
    >
    > On a host server.a.com can I have a config file like:
    >
    > [libdefaults]
    > default_realm = A.COM
    >
    > [realms]
    > A.COM = {
    > kdc = kdc.a.com
    > admin_server = kdc.a.com
    > auth_to_local = {
    > RULE:[1:$1](.*@A.COM)s/@.*/-a/


    RULE:[1:$1@$0](^.*@B.COM$)s/@B.COM//

    > DEFAULT
    > }
    > }
    > B.COM = {
    > kdc = kdc.b.com
    > admin_server = kdc.b.com
    > auth_to_local = {
    > RULE:[1:$1](.*@B.COM)s/@.*/-b/


    RULE:[1:$1@$0](^.*@A.COM$)s/@A.COM//


    > DEFAULT
    > }
    > }
    > [domain_realm]
    > .a.com = A.COM
    > .b.com = B.COM
    >
    > which maps a user@A.COM to user-a and a user@B.COM to user-b? I am also
    > not sure: if I log in as user@B.COM on server.a.com, will the realm section
    > for A.COM be used or the section for B.COM?
    >
    > Is there a way to debug/test the rules?
    >
    > Thank you
    > Markus
    >
    >
    > "Russ Allbery" wrote in message
    > news:87veoc71xu.fsf@windlord.stanford.edu...
    >
    >>Markus Moeller writes:
    >>
    >>
    >>>Is there documentation anywhere on how to use RULES with auth_to_local?

    >>
    >>Yeah, it's in the info documentation, in the krb5-admin doc under
    >>Configuration Files / krb5.conf / realms.
    >>
    >>--
    >>Russ Allbery (rra@stanford.edu)

    >
    >
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
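
A way to test the rules from this thread offline, added here as an example (not code from any poster or from MIT krb5). It models the documented MIT rule form `RULE:[n:string](regexp)s/pattern/replacement/` under these assumptions: the first applicable rule wins, the regexp must match the whole selection string, and the host consults the auth_to_local list of its default realm. The function names, the list names and the `alice` principals are constructed, and Python's `re` stands in for POSIX regexes.

```python
import re

RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?((?:s/[^/]*/[^/]*/g?)*)$")
SED_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")

def apply_rule(rule, principal, default_realm):
    """Return the local name, or None when the rule does not apply."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, regexp, seds = m.groups()
    if len(comps) != int(n):
        return None                      # wrong number of name components
    values = [realm] + comps             # $0 is the realm, $1.. the components
    s = re.sub(r"\$(\d)", lambda d: values[int(d.group(1))], fmt)
    if regexp and not re.fullmatch(regexp, s):
        return None                      # selection string rejected by the filter
    for pat, repl, g in SED_RE.findall(seds):
        s = re.sub(pat, lambda _m: repl, s, count=0 if g else 1)
    return s

def auth_to_local(rules, principal, default_realm):
    """Try each rule in order; the first one that applies decides."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None

# Lists as server.a.com (default realm A.COM) would read them from its A.COM section.
MARKUS_A = ["RULE:[1:$1](.*@A.COM)s/@.*/-a/", "DEFAULT"]         # from post 3
DOUGLAS_A = ["RULE:[1:$1@$0](^.*@B.COM$)s/@B.COM//", "DEFAULT"]  # from post 4
SUFFIX_A = ["RULE:[1:$1@$0](.*@B.COM)s/@.*/-b/", "DEFAULT"]      # constructed variant

if __name__ == "__main__":
    for label, rules in (("post 3", MARKUS_A), ("post 4", DOUGLAS_A), ("suffix", SUFFIX_A)):
        for princ in ("alice@A.COM", "alice@B.COM"):
            print(label, princ, "->", auth_to_local(rules, princ, "A.COM"))
```

With `[1:$1]` the selection string is only `alice`, so a filter on `@A.COM` never matches and the rule is skipped; `[1:$1@$0]` is what puts the realm into the string. The rule from post 4 maps `alice@B.COM` and `alice@A.COM` to the same local account, so it is only safe when usernames are administered consistently across both realms.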

