To: krb5-bugs@mit.edu
From: Markus Kuhn
Subject: krb5.conf(5): documentation of auth_to_local unclear and ambiguous
Date: Fri, 30 Sep 2016 15:07:50 +0100

The krb5.conf(5) man page currently says:

    [realms]
        Each tag in the [realms] section of the file is the name of a
        Kerberos realm. The value of the tag is a subsection with
        relations that define the properties of that particular realm.
        For each realm, the following tags may be specified in the
        realm's subsection:

        [...]

        auth_to_local
            This tag allows you to set a general rule for mapping
            principal names to local user names. It will be used if
            there is not an explicit mapping for the principal name
            that is being translated.

At no point does the manual page say what meaning the tag in the
[realms] section has in the context of auth_to_local, i.e. how the realm
tag affects under which condition the specified auth_to_local rule is
applied. In other words, if I have in krb5.conf something like

    [realms]
        REALM1.COM = {
            auth_to_local = ...
        }
        REALM2.COM = {
            auth_to_local = ...
        }

please explain more clearly under which condition the first or the
second auth_to_local tag is applied.
If a client user A@REALM1.COM connects to a server B@REALM2.COM, and I
want to use auth_to_local to translate A@REALM1.COM into a local user A,
do I have to place that auth_to_local tag in a subsection

    REALM1.COM = {
        auth_to_local = ...
    }

or

    REALM2.COM = {
        auth_to_local = ...
    }

Is the realm tag here the one of the client principal in the ticket, or
the one of the server principal in the ticket, or even just the
default_realm of the server?

It would be great if the krb5.conf man page answered that question in a
clear manner, in order to clarify the semantics of auth_to_local in a
cross-realm context. One common use of auth_to_local is to allow users
from other realms into a server, as mentioned at

    http://superuser.com/questions/808461/cross-realm-kerberos-authentication-with-ssh

Unfortunately, the current krb5.conf man page doesn't document the
semantics clearly enough to make it obvious how to do that.

In addition: since auth_to_local uses regular expressions, it would be
most helpful if the documentation stated which of the many regular
expression languages out there is used (POSIX BRE/ERE/SRE, PCRE, etc.),
with a reference to its full documentation.

Thanks,

Markus

-- 
Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain
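The following is an added example, not part of Markus Kuhn's report and not MIT krb5 code. It models the rule evaluation the report asks about, following the behaviour of libkrb5's krb5_aname_to_localname() in lib/krb5/os/an_to_ln.c: the auth_to_local list is read from the [realms] subsection of the host's default realm (the server's realm in the report's scenario), never from the client principal's realm, and a rule of the form RULE:[n:string](regexp)s/pattern/replacement/g is tried in order until one yields a name, with DEFAULT applying only to one-component principals of the default realm. libkrb5 compiles the regexps with the C library's regcomp(); the example substitutes Python's re, so it sticks to anchors and bracket expressions that both understand. The realm names REALM1.COM, REALM2.COM and EVIL.COM, the rules and the principals are constructed for the example.

```python
"""Model of MIT krb5 auth_to_local RULE evaluation (added example, not krb5 code).

Follows lib/krb5/os/an_to_ln.c: krb5_aname_to_localname() reads auth_to_local
from the [realms] subsection of the host's *default* realm, not from the
client principal's realm.  Regexps are matched with Python's re here; libkrb5
uses the C library's regcomp()/regexec(), so only shared constructs are used.
"""
import re
from dataclasses import dataclass


@dataclass
class Principal:
    components: list   # e.g. ["B", "admin"] for B/admin@REALM2.COM
    realm: str


def parse_principal(name, default_realm):
    """Split 'c1/c2@REALM'; backslash escapes are not handled (simplification)."""
    if "@" in name:
        head, realm = name.rsplit("@", 1)
    else:
        head, realm = name, default_realm
    return Principal(head.split("/"), realm)


def _take(s):
    """Return (text up to the next unescaped '/', remainder after that '/')."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            out.append(s[i + 1] if s[i + 1] == "/" else s[i:i + 2])
            i += 2
            continue
        if c == "/":
            return "".join(out), s[i + 1:]
        out.append(c)
        i += 1
    raise ValueError("unterminated s/// in auth_to_local rule")


def parse_rule(rule):
    """RULE:[n:selector](regexp)s/pattern/replacement/[g]... -> (n, selector, regexp, subs)."""
    if not rule.startswith("RULE:["):
        raise ValueError("unsupported rule: " + rule)
    end = rule.index("]", 6)
    n, selector = rule[6:end].split(":", 1)
    rest = rule[end + 1:]
    if not rest.startswith("("):
        raise ValueError("missing (regexp): " + rule)
    depth = 0
    for i, ch in enumerate(rest):        # escaped parentheses not handled (simplification)
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            break
    else:
        raise ValueError("unbalanced (regexp): " + rule)
    regexp, subs, text = rest[1:i], [], rest[i + 1:]
    while text.startswith("s/"):
        pattern, text = _take(text[2:])
        repl, text = _take(text)
        glob = text.startswith("g")
        text = text[1:] if glob else text
        subs.append((pattern, repl, glob))
    return int(n), selector, regexp, subs


def apply_rule(rule, princ, default_realm):
    """Return the local name this one rule yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the default realm.
        if len(princ.components) == 1 and princ.realm == default_realm:
            return princ.components[0]
        return None
    n, selector, regexp, subs = parse_rule(rule)
    if len(princ.components) != n:       # rule applies to n-component principals only
        return None
    # $0 is the realm, $1..$n are the components.
    s = re.sub(r"\$(\d+)", lambda m: princ.realm if m.group(1) == "0"
               else princ.components[int(m.group(1)) - 1], selector)
    if not re.search(regexp, s):         # regexec() is an unanchored search as well
        return None
    for pattern, repl, glob in subs:     # replacement text is taken literally
        s = re.sub(pattern, lambda m: repl, s, count=0 if glob else 1)
    return s


def map_principal(name, config, default_realm):
    """Emulate krb5_aname_to_localname(): rules come from config[default_realm]."""
    princ = parse_principal(name, default_realm)
    rules = config.get(default_realm, {}).get("auth_to_local", ["DEFAULT"])
    for rule in rules:
        local = apply_rule(rule, princ, default_realm)
        if local is not None:
            return local
    return None                          # libkrb5 reports KRB5_LNAME_NOTRANS


# Constructed krb5.conf contents for the report's scenario: the server's
# default_realm is REALM2.COM and it should admit A@REALM1.COM as local user A.
CONFIG = {
    "REALM1.COM": {"auth_to_local": [
        "RULE:[1:$1@$0](.*)s/^.*$/guest/",   # consulted only if default_realm is REALM1.COM
    ]},
    "REALM2.COM": {"auth_to_local": [
        # Anchor on the realm: an unanchored s/@.*// would also admit A@EVIL.COM as A.
        "RULE:[1:$1@$0](^[^@]+@REALM1\\.COM$)s/@REALM1\\.COM$//",
        "RULE:[2:$1;$2](^[^;]+;admin$)s/;admin$//",   # B/admin@REALM2.COM -> B
        "DEFAULT",
    ]},
}

if __name__ == "__main__":
    for p in ("A@REALM1.COM", "B@REALM2.COM", "B/admin@REALM2.COM", "mallory@EVIL.COM"):
        print(p, "->", map_principal(p, CONFIG, "REALM2.COM"))
    print("A@REALM1.COM with default_realm REALM1.COM ->",
          map_principal("A@REALM1.COM", CONFIG, "REALM1.COM"))
```

Running it shows the answer to the report's question in the terms of the model: with default_realm REALM2.COM the REALM1.COM subsection is never looked at, so the cross-realm rule has to sit under REALM2.COM; switching default_realm to REALM1.COM makes the other subsection's rule take effect instead. The anchored regexp matters because a foreign principal such as mallory@EVIL.COM otherwise falls through to no mapping, which is the safe outcome.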