On Thu, 14 Aug 2014 17:59:49 -0400, Simo Sorce wrote:
> What you observe is expected when you use PAM authentication in OpenSSH
> (ie you enter username/password at the prompt), however should you use
> GSSAPI authentication instead then both f...@myrealm.com and
> f...@example.com would be logged
On Thu, 2014-08-14 at 20:47 +, Jaap Winius wrote:
> On Thu, 14 Aug 2014 09:56:35 -0400, Simo Sorce wrote:
>
> > Keep in mind that this will make f...@myrealm.com and f...@example.com
> > effectively the same user...
>
> Yes, a nuance that did not escape me. In fact, I imagined that it was for
On Thu, 14 Aug 2014 09:56:35 -0400, Simo Sorce wrote:
> Keep in mind that this will make f...@myrealm.com and f...@example.com
> effectively the same user...
Yes, a nuance that did not escape me. In fact, I imagined that it was for
security reasons that auth_to_local could only be applied to mem
On Thu, 2014-08-14 at 13:29 +, Jaap Winius wrote:
> On Wed, 13 Aug 2014 23:07:03 -0400, Greg Hudson wrote:
>
> > So you need something like:
> >
> > [realms]
> >     EXAMPLE.COM = {
> >         auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//
> >         auth_to_local = DEFAULT
> >     }
>
On Wed, 13 Aug 2014 23:07:03 -0400, Greg Hudson wrote:
> So you need something like:
>
> [realms]
>     EXAMPLE.COM = {
>         auth_to_local = RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//
>         auth_to_local = DEFAULT
>     }
Amazing, it works! Greg, you're a genius... or just happen to know these
On 08/13/2014 09:59 PM, Jaap Winius wrote:
> [...] while in krb5.conf I had:
It turns out that the only auth_to_local relations used from krb5.conf
are the ones in the realm subsection for the default realm. It would
make more sense if it were located in [libdefaults], but this is the
historical
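To make the two points in this thread concrete (Greg's rule that strips @MYREALM.COM and then falls through to DEFAULT, and Simo's warning that the result makes jwinius@MYREALM.COM and jwinius@EXAMPLE.COM the same local user), here is a small evaluator for the MIT auth_to_local RULE:/DEFAULT syntax. It is an added example, not code from this thread or from the krb5 or mod_auth_kerb projects. It assumes EXAMPLE.COM is the web server's default realm, uses Python's re module in place of the POSIX regex that libkrb5 compiles, treats the (regexp) selector as a whole-string match, and models DEFAULT as "first component, only for one-component principals of the default realm"; the rules list is a Python copy of the krb5.conf lines quoted above.

```python
"""Toy evaluator for MIT krb5 auth_to_local rules (added example, not from the
thread).  Models enough of RULE:[n:string](regexp)s/pat/repl/ and DEFAULT to
show how Greg's rule maps principals and why both realms collapse onto one
local account."""
import re

# Assumption: the web server's own (default) realm.  Per Greg's message, only
# the auth_to_local lines under this realm's [realms] section are consulted.
DEFAULT_REALM = "EXAMPLE.COM"

# Copied from the krb5.conf snippet quoted in the thread.
AUTH_TO_LOCAL = [
    "RULE:[1:$1@$0](.*@MYREALM.COM)s/@MYREALM.COM$//",
    "DEFAULT",
]

RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
SUBST_RE = re.compile(r"^s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)")


def parse_principal(principal):
    """Split 'c1/c2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def expand(fmt, components, realm):
    """$0 is the realm, $1..$n the principal components."""
    def sub(m):
        i = int(m.group(1))
        if i == 0:
            return realm
        if 1 <= i <= len(components):
            return components[i - 1]
        raise ValueError("rule references component $%d" % i)
    return re.sub(r"\$(\d+)", sub, fmt)


def apply_rule(rule, components, realm):
    """Return the local name from one RULE:, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule: %r" % rule)
    ncomp, fmt, selector, rest = m.groups()
    if len(components) != int(ncomp):
        return None                      # wrong number of components: skip
    s = expand(fmt, components, realm)
    # Assumption: selector must match the whole expanded string.
    if selector is not None and not re.fullmatch(selector, s):
        return None
    while rest:                          # apply each s/pat/repl/[g] in turn
        sm = SUBST_RE.match(rest)
        if not sm:
            raise ValueError("unparseable substitution: %r" % rest)
        pat, repl, flag = sm.groups()
        s = re.sub(pat, repl, s, count=0 if flag else 1)
        rest = rest[sm.end():]
    return s


def aname_to_localname(principal, rules=AUTH_TO_LOCAL,
                       default_realm=DEFAULT_REALM):
    """First applicable rule wins; None stands in for 'no mapping found'."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT: bare first component, only for single-component
            # principals of the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        out = apply_rule(rule, components, realm)
        if out is not None:
            return out
    return None


if __name__ == "__main__":
    for p in ("jwinius@MYREALM.COM", "jwinius@EXAMPLE.COM",
              "jwinius@OTHER.COM", "host/www.example.com@EXAMPLE.COM"):
        print("%-40s -> %s" % (p, aname_to_localname(p)))
```

Running it shows jwinius@MYREALM.COM and jwinius@EXAMPLE.COM both landing on the local user jwinius (Simo's "effectively the same user"), while a principal from a third realm, or a multi-component service principal, gets no mapping at all, which is the krb5_aname_to_localname() failure Jaap saw before the rule was in the right realm section.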
On Wed, 13 Aug 2014 18:12:20 -0700, Russ Allbery wrote:
> Hm, I don't think that's the case with MIT Kerberos, ...
Well, I tried it out anyway, but it didn't work. In Apache I set
KrbAuthRealms to include both realms and left KrbLocalUserMapping set to
'On', while in krb5.conf I had:
[realms
Jaap Winius writes:
> Unfortunately, this doesn't work. At first I thought I could get away
> with using simply 'auth_to_local = DEFAULT', but apparently auth_to_local
> mappings can only be applied to principals from the default realm.
Hm, I don't think that's the case with MIT Kerberos, alth
On Tue, 12 Aug 2014 18:41:20 -0700, Russ Allbery wrote:
>> Do you mean an auth_to_local mapping in krb5.conf?
>
> Yes -- I think there are multiple different ways to do it, and it
> changes between MIT and Heimdal, but that's the right place to be
> looking.
Unfortunately, this doesn't work. At
Jaap Winius writes:
> On Tue, 12 Aug 2014 18:20:47 -0700, Russ Allbery wrote:
>> That sounds like you didn't get the right aname_to_localname
>> configuration in your krb5.conf file, since it can't find a mapping.
> Do you mean an auth_to_local mapping in krb5.conf?
Yes -- I think there are mul
On Tue, 12 Aug 2014 18:20:47 -0700, Russ Allbery wrote:
>> krb5_aname_to_localname() found no mapping for principal
>> jwin...@myrealm.com
>
> That sounds like you didn't get the right aname_to_localname
> configuration in your krb5.conf file, since it can't find a mapping.
Do you mean an auth_t
Jaap Winius writes:
> On Tue, 12 Aug 2014 17:28:06 -0700, Russ Allbery wrote:
>> I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
>> option is to leave it on and change, in the Kerberos configuration, how
>> local user mapping is done to, for example, treat MYREALM.COM as a
On Tue, 12 Aug 2014 17:28:06 -0700, Russ Allbery wrote:
> I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
> option is to leave it on and change, in the Kerberos configuration, how
> local user mapping is done to, for example, treat MYREALM.COM as a
> second local realm (if
Jaap Winius writes:
> First, I started out with this configuration for
> libapache2-mod-auth-kerb (v5.4-2 on Debian wheezy):
> AuthType Kerberos
> KrbAuthRealms EXAMPLE.COM
> KrbServiceName Any
> Krb5Keytab /etc/apache2/krb5-apache.keytab
> KrbLocalUserMapping On
> AuthName "Example
Hi folks,
As I make progress with my Kerberos configuration for Apache, cross-realm
support leaves something to be desired.
First, I started out with this configuration for libapache2-mod-auth-kerb
(v5.4-2 on Debian wheezy):
AuthType Kerberos
KrbAuthRealms EXAMPLE.COM
KrbServiceName Any