From: Markus Kuhn
To: krb5-bugs@mit.edu
Subject: krb5.conf(5): documentation of auth_to_local unclear and ambiguous
Date: Fri, 30 Sep 2016 15:07:50 +0100
The krb5.conf(5) man page currently says:

    [realms]
        Each tag in the [realms] section of the file is the name of a
        Kerberos realm. The value of the tag is a subsection with
        relations that define the properties of that particular realm.
        For each realm, the following tags may be specified in the
        realm's subsection:

        [...]

        auth_to_local
            This tag allows you to set a general rule for mapping
            principal names to local user names. It will be used if
            there is not an explicit mapping for the principal name
            that is being translated.

At no point does the manual page say what meaning the tag in the [realms] section has in the context of auth_to_local, i.e. how the realm tag affects under which condition the specified auth_to_local rule is applied. In other words, if I have in krb5.conf something like

    [realms]
        REALM1.COM = {
            auth_to_local = ...
        }
        REALM2.COM = {
            auth_to_local = ...
        }

please explain more clearly under which condition the first or the second auth_to_local tag is applied.
If a client user A@REALM1.COM connects to a server B@REALM2.COM, and I want to use auth_to_local to translate A@REALM1.COM into a local user A, do I have to place that auth_to_local tag in a subsection

    REALM1.COM = {
        auth_to_local = ...
    }

or

    REALM2.COM = {
        auth_to_local = ...
    }

Is the realm tag here the one of the client principal in the ticket, or the one of the server principal in the ticket, or even just the default_realm of the server?

It would be great if the krb5.conf man page answered that question in a clear manner, in order to clarify the semantics of auth_to_local in a cross-realm context. One common use of auth_to_local is to allow users from other realms into a server, as mentioned at

  http://superuser.com/questions/808461/cross-realm-kerberos-authentication-with-ssh

Unfortunately, the current krb5.conf doesn't document the semantics clearly enough to make it obvious how to do that.

In addition: since auth_to_local uses regular expressions, it would be most helpful if the documentation stated which of the many regular expression languages out there is used (POSIX BRE/ERE/SRE, PCRE, etc.), with a reference to its full documentation.

Thanks,

Markus

-- 
Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain
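Added example, not part of Markus's report and not MIT krb5's own code: a small Python evaluator for auth_to_local rules that makes the realm-lookup question above concrete. It assumes the behaviour of MIT krb5's krb5_aname_to_localname() as I read the source: the auth_to_local list is taken from the [realms] subsection of the host's own default_realm (the [libdefaults] value), not from the client principal's realm; a RULE:[n:string](regexp)s/pattern/replacement/g rule applies only to principals with exactly n name components, the (regexp) must match the whole selection string, and DEFAULT maps only single-component principals in the default realm. Python's re module stands in for the POSIX extended regular expressions that krb5 compiles with regcomp(REG_EXTENDED); the dialects differ in places, so treat the matching as illustrative. The rule parser is simplified (no escaped "/" inside substitutions). The realm names, the krb5.conf fragment and every test principal, including mallory@EVIL.COM, are constructed for this example.

```python
"""Toy evaluator for MIT-style auth_to_local rules (example code, not krb5's).

Hypothetical krb5.conf modelled by REALMS/DEFAULT_REALM below. The server's
default_realm is REALM2.COM, so the cross-realm rule for REALM1.COM users
lives under REALM2.COM, not under REALM1.COM:

    [libdefaults]
        default_realm = REALM2.COM
    [realms]
        REALM1.COM = {
            auth_to_local = DEFAULT
        }
        REALM2.COM = {
            auth_to_local = RULE:[1:$1@$0](.*@REALM1\\.COM)s/@.*//
            auth_to_local = DEFAULT
        }
"""
import re

# Constructed [realms] section: realm name -> list of auth_to_local values.
REALMS = {
    "REALM1.COM": ["DEFAULT"],
    "REALM2.COM": [r"RULE:[1:$1@$0](.*@REALM1\.COM)s/@.*//", "DEFAULT"],
}
DEFAULT_REALM = "REALM2.COM"  # assumed [libdefaults] default_realm of the server host


def parse_principal(princ):
    """'host/www@REALM' -> (['host', 'www'], 'REALM')."""
    name, sep, realm = princ.rpartition("@")
    if not sep or not realm or not name:
        raise ValueError("principal must be name@REALM: %r" % princ)
    return name.split("/"), realm


def parse_rule(rule):
    """Split 'RULE:[n:fmt](regexp)s/pat/repl/[g]...' into (n, fmt, regexp, subs).

    Simplification: the (regexp) part ends at the first ')s/' (or the last ')'
    when there are no substitutions), and '/' cannot be escaped inside s///.
    """
    if not rule.startswith("RULE:["):
        raise ValueError("not a RULE: %r" % rule)
    end = rule.index("]")
    n, fmt = rule[6:end].split(":", 1)
    rest = rule[end + 1:]
    regexp = None
    if rest.startswith("("):
        close = rest.index(")s/") if ")s/" in rest else rest.rindex(")")
        regexp, rest = rest[1:close], rest[close + 1:]
    subs = []
    while rest.startswith("s/"):
        pat, repl, rest = rest[2:].split("/", 2)
        glob = rest.startswith("g")  # 'g' flag: replace every match, not just the first
        if glob:
            rest = rest[1:]
        subs.append((pat, repl, glob))
    if rest:
        raise ValueError("trailing junk in rule: %r" % rest)
    return int(n), fmt, regexp, subs


def apply_rule(rule, princ, default_realm):
    """Local name produced by one rule, or None when the rule does not apply."""
    comps, realm = parse_principal(princ)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    n, fmt, regexp, subs = parse_rule(rule)
    if len(comps) != n:
        return None

    def expand(m):  # $0 is the realm, $1..$n the name components
        i = int(m.group(1))
        if i > n:
            raise ValueError("rule refers to $%d but has only %d components" % (i, n))
        return realm if i == 0 else comps[i - 1]

    sel = re.sub(r"\$(\d+)", expand, fmt)
    # The (regexp) has to cover the entire selection string, not a substring.
    if regexp is not None and re.fullmatch(regexp, sel) is None:
        return None
    for pat, repl, glob in subs:
        sel = re.sub(pat, repl, sel, count=0 if glob else 1)
    return sel


def auth_to_local(princ, realms=REALMS, default_realm=DEFAULT_REALM):
    """Map a principal to a local user name; None means the mapping fails.

    The rules come from the [realms] subsection of the host's default realm,
    whatever realm the client principal belongs to; an absent list means DEFAULT.
    """
    for rule in realms.get(default_realm, ["DEFAULT"]):
        local = apply_rule(rule, princ, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("A@REALM1.COM", "B@REALM2.COM", "mallory@EVIL.COM", "host/www@REALM1.COM"):
        print("%-22s -> %r" % (p, auth_to_local(p)))
```

With the constructed configuration, A@REALM1.COM maps to "A" only because the rule sits under REALM2.COM, the server's default realm; the same rule placed under REALM1.COM is never consulted. The regexp also does the access-control work: a rule written as (.*) followed by s/@.*// maps mallory@EVIL.COM to "mallory" as happily as it maps A, so a cross-realm rule should pin the source realm the way the REALM1\.COM pattern does.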