On 08/20/2013 04:23 PM, Ben H wrote:
> The question is why must the auth_to_local rule be updated to return only
> in the `user` format for this to work? How and where is this local user
> being determined?

The application is calling krb5_kuserok() with a principal name and a local name. It sounds like in mode #1, the application is passing just the username as the local name, while in mode #2, the application is passing DOMAIN\username. If that is true, I don't think you can get both modes to work using auth_to_local rules. authname-to-localname mapping yields only one local name for a principal name.

> Ideally I am trying to craft a rule that would work in all scenarios - I
> see no reason why the rule from #2 would not support both configurations.
> I am also trying to not rely on a .k5login file (which would make this
> whole mapping unnecessary I believe)

You might be interested in the k5login_directory option; search for that string in:
http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html

In the upcoming release 1.12, we are adding a pluggable interface for kuserok:
http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/localauth.html
http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html

But that's in the future, and is more tailored for integrators than system administrators (as it requires writing C code and building a shared object).

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
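The point in the reply above (one principal maps to exactly one local name, so a rule set that yields `user` cannot also satisfy an application that passes `DOMAIN\user`) is easiest to see by running the mapping. The following is an added illustration, not MIT krb5 code and not anything from the thread: a deliberately simplified Python model of the krb5.conf `RULE:[n:string](regexp)s/pattern/replacement/g` syntax and of the comparison krb5_kuserok() makes when no .k5login file is consulted. The realm `EXAMPLE.COM`, the principal `alice@EXAMPLE.COM`, the local-name prefix `DOMAIN\` and the rule strings are constructed for the example; the matching details (a rule applies only when the principal has exactly n components, the regexp is an unanchored search, first matching rule wins) are assumptions about MIT's behaviour, not a verified reimplementation.

```python
"""Simplified model of MIT krb5 auth_to_local RULE evaluation feeding a
krb5_kuserok()-style check.  Added example; not MIT krb5 source."""
import re
from typing import List, Optional, Tuple

# RULE:[n:string](regexp)s/pattern/replacement/g  (regexp and s/// optional)
_RULE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/(.*)/(.*)/(g?))?$")


def parse_principal(name: str) -> Tuple[List[str], str]:
    """'host/www.example.com@EXAMPLE.COM' -> (['host', 'www.example.com'], 'EXAMPLE.COM')."""
    local, _, realm = name.rpartition("@")
    return local.split("/"), realm


def _expand(fmt: str, comps: List[str], realm: str) -> str:
    """Replace $0 with the realm and $k with the k-th principal component."""
    def repl(m: re.Match) -> str:
        k = int(m.group(1))
        if k == 0:
            return realm
        return comps[k - 1] if k <= len(comps) else ""
    return re.sub(r"\$(\d+)", repl, fmt)


def apply_rules(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """Return the single local name the rule list yields, or None if no rule matches.
    Assumption: a RULE applies only when the principal has exactly n components;
    DEFAULT maps single-component principals of the default realm to that component."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        m = _RULE.match(rule)
        if not m:
            raise ValueError(f"unparseable auth_to_local rule: {rule!r}")
        n, fmt, regexp, pattern, repl, gflag = m.groups()
        if len(comps) != int(n):
            continue
        s = _expand(fmt, comps, realm)
        if regexp is not None and not re.search(regexp, s):
            continue  # selection regexp did not match: rule does not apply
        if pattern is not None:
            s = re.sub(pattern, repl, s, count=0 if gflag else 1)
        return s  # first matching rule wins
    return None


def kuserok(rules: List[str], principal: str, luser: str,
            default_realm: str = "EXAMPLE.COM") -> bool:
    """Model of the aname-to-lname half of krb5_kuserok(): the principal is allowed
    to act as luser only if the mapped local name is exactly luser (no .k5login)."""
    return apply_rules(rules, principal, default_realm) == luser


# Constructed rule sets: one yields 'user', the other yields 'DOMAIN\\user'.
USER_RULES = [
    r"RULE:[1:$1@$0](^.*@EXAMPLE\.COM$)s/@EXAMPLE\.COM$//",
    "DEFAULT",
]
DOMAIN_RULES = [
    r"RULE:[1:$1@$0](^.*@EXAMPLE\.COM$)s/^(.*)@EXAMPLE\.COM$/DOMAIN\\\1/",
]

if __name__ == "__main__":
    for rules, label in ((USER_RULES, "user-style rules"), (DOMAIN_RULES, "DOMAIN\\user rules")):
        print(label, "->", apply_rules(rules, "alice@EXAMPLE.COM", "EXAMPLE.COM"))
        print("  app passes 'alice':        ", kuserok(rules, "alice@EXAMPLE.COM", "alice"))
        print("  app passes 'DOMAIN\\alice': ", kuserok(rules, "alice@EXAMPLE.COM", r"DOMAIN\alice"))
```

Whichever rule set is installed, each principal maps to one string, so exactly one of the two application modes passes the comparison; that is the reason a single auth_to_local configuration cannot serve both callers, and why the reply points at k5login_directory or the 1.12 localauth plugin interface instead.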