I have been trying out Kerberos under CentOS 5.5, which claims to include MIT kerberos version 1.6.1:

    # rpm -qi krb5-server
    Name        : krb5-server        Relocations: (not relocatable)
    Version     : 1.6.1              Vendor: CentOS
    ...
    URL         : http://web.mit.edu/kerberos/www/

Now, in the administrator's guide on the web at

http://web.mit.edu/Kerberos/krb5-1.4/krb5-1.4/doc/krb5-admin.html#realms%20(krb5.conf)
http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#realms-_0028krb5_002econf_0029
http://web.mit.edu/Kerberos/krb5-1.7/krb5-1.7.1/doc/krb5-admin.html#realms%20(krb5.conf)

it gives the following example usage of auth_to_local:

    [realms]
        ATHENA.MIT.EDU = {
            auth_to_local = {
                RULE:[2:$1](johndoe)s/^.*$/guest/
                RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                RULE:[2:$2](^.*;root)s/^.*$/root/
                DEFAULT
            }
        }

However, this doesn't work for me. Even just

    [realms]
        BAR.EXAMPLE.COM = {
            ...
            auth_to_local = {
                DEFAULT
            }
        }

was rejected. sshd logs showed:

    debug1: userauth-request for user candlerb service ssh-connection method gssapi-with-mic
    debug1: attempt 1 failures 1
    debug1: An invalid name was supplied
    Improper format of Kerberos configuration file

However, the following seems to work just fine:

    [realms]
        BAR.EXAMPLE.COM = {
            kdc = kdc.bar.example.com:88
            admin_server = kdc.bar.example.com:749
            default_domain = bar.example.com
            auth_to_local = RULE:[1:$...@$0](^...@foo\.example\.com$)s/@FOO.EXAMPLE.COM$//
            auth_to_local = DEFAULT
        }

Based on that, I think the documentation should show:

    [realms]
        ATHENA.MIT.EDU = {
            auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
            auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
            auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
            auth_to_local = DEFAULT
        }

But is it that the version of Kerberos bundled with RedHat/CentOS is different from the mainline MIT code?

Regards,

Brian Candler.

P.S. The hint to try a different format of auth_to_local came from
http://www.fnal.gov/docs/strongauth2003/html/krb5conf.html
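
An added example, not part of the original message and not MIT's code: a minimal pre-deployment lint for krb5.conf that tells the two auth_to_local layouts above apart. It assumes the profile format accepts only `name = value` relations inside a section (a value of `{` opens a subsection); `lint_profile` and both sample strings are constructed for illustration.

```python
import re

# Constructed samples: the two krb5.conf shapes compared in the message above.
BRACED = """\
[realms]
    BAR.EXAMPLE.COM = {
        auth_to_local = {
            DEFAULT
        }
    }
"""
REPEATED = """\
[realms]
    BAR.EXAMPLE.COM = {
        kdc = kdc.bar.example.com:88
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = DEFAULT
    }
"""

def lint_profile(text):
    """Return [(line_number, message)] for lines that break the assumed grammar."""
    problems, depth, section = [], 0, None
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if depth == 0 and re.fullmatch(r"\[[^\]]+\]", line):
            section = line                       # e.g. [realms]
            continue
        if line == "}":                          # close a subsection
            if depth == 0:
                problems.append((no, "unbalanced '}'"))
            else:
                depth -= 1
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():          # bare word such as DEFAULT
            problems.append((no, f"not a 'name = value' relation: {line!r}"))
            continue
        if section is None:
            problems.append((no, "relation outside any [section]"))
        if value.strip() == "{":                 # open a subsection
            depth += 1
    if depth:
        problems.append((len(lines), "unclosed '{'"))
    return problems

if __name__ == "__main__":
    for label, sample in (("braced", BRACED), ("repeated", REPEATED)):
        print(label, lint_profile(sample))
```
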