If the host has regcomp(), MIT Kerberos krb5_aname_to_localname() uses it, calling it with REG_EXTENDED. This means that parentheses should be usable for grouping within the regular expression. This doesn't work, however, because parentheses delimit the regular expression portion of an auth_to_local rule:

[krb5.conf(5)]

    auth_to_local
    ...
        RULE:exp
            The local name will be formulated from exp.
            The format for exp is [n:$d..string](regexp)s/pattern/replacement/g
    ...

and the code uses the *first* right parenthesis found after the opening one to determine the end of the expression:

[localauth_rule.c:aname_do_match()]

    /* Find the end of the regexp and make a copy of it. */
    startp = *contextp + 1;
    endp = strchr(startp, ')');

So, a rule like this:

    auth_to_local = RULE:[1:$1@$0](^(steve|stephen|steven)@REALM$)s/.*/stephen/

is misinterpreted, since regcomp is called with the expression "^(steve|stephen|steven". (Checked in MIT Kerberos 1.13.1 and a few older versions).

Thanks,

--
Richard E. Silverman
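Added example (not part of the original report and not MIT Kerberos code): a small lint that cuts the regexp out of an auth_to_local rule body at the first ')' as described above, then checks whether that text still compiles with regcomp() and REG_EXTENDED. The names extract_first_paren and lint_rule are hypothetical, and the sketch assumes the first ']' in the rule closes the selection string.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Copy a rule's regexp section into buf, ending at the FIRST ')' after the
 * opening '(' as the report describes. Assumes the first ']' in the rule
 * closes the selection string. Returns 0 on success, -1 otherwise. */
int extract_first_paren(const char *rule, char *buf, size_t buflen)
{
    const char *sel_end = strchr(rule, ']');
    const char *startp, *endp;
    size_t len;

    if (sel_end == NULL || sel_end[1] != '(')
        return -1;
    startp = sel_end + 2;
    endp = strchr(startp, ')');
    if (endp == NULL || (len = (size_t)(endp - startp)) >= buflen)
        return -1;
    memcpy(buf, startp, len);
    buf[len] = '\0';
    return 0;
}

/* Lint a rule: 0 = extracted regexp compiles, 1 = it does not (for example,
 * grouping cut short at the first ')'), -1 = no regexp section found. */
int lint_rule(const char *rule)
{
    char re[256];
    regex_t preg;

    if (extract_first_paren(rule, re, sizeof(re)) != 0)
        return -1;
    if (regcomp(&preg, re, REG_EXTENDED | REG_NOSUB) != 0)
        return 1;
    regfree(&preg);
    return 0;
}

int main(void)
{
    /* First rule body is the one from the report; the second is constructed. */
    const char *rules[] = {
        "[1:$1@$0](^(steve|stephen|steven)@REALM$)s/.*/stephen/",
        "[1:$1@$0](^stephen@REALM$)s/.*/stephen/",
    };
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        printf("%d  %s\n", lint_rule(rules[i]), rules[i]);
    return 0;
}
```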