Date: Fri, 05 Mar 2010 13:16:09 +0100
From: Peter Eriksson <peter@ifm.liu.se>
To: krb5-bugs@mit.edu
Subject: auth_to_local_names is useless
Problem:

I want to allow users to authenticate either using our local
username/password (our local Kerberos server) *or* the new
university-wide username/password (another Kerberos server). For example
I should be able to login using either:

peter86@LIU.SE

or

peter@IFM.LIU.SE

and both should map to the local Unix user "peter". To allow this I
thought the krb5.conf "auth_to_local_names" would be the right way to
solve it, by simply including a list of principal <-> username mappings.
But alas, that doesn't seem to work...


Here's a sample krb5.conf file:

    [libdefaults]
        default_realm = IFM.LIU.SE

    [realms]
        IFM.LIU.SE = {
            kdc = as-slave-1.ifm.liu.se
            kdc = as-slave-2.ifm.liu.se
            kdc = as-master.ifm.liu.se
            admin_server = as-master.ifm.liu.se
            auth_to_local_realm = AD.IFM.LIU.SE
            auth_to_local_names = {
                peter86@LIU.SE = peter
            }
        }

        AD.IFM.LIU.SE = {
            kdc = ad-master.ad.ifm.liu.se
            kdc = ad-slave.ad.ifm.liu.se
            admin_server = ad-master.ifm.liu.se
            kpasswd_protocol = SET_CHANGE
        }

        LYSATOR.LIU.SE = {
            kdc = as-master.lysator.liu.se
            kdc = as-slave.lysator.liu.se
            admin_server = as-master.lysator.liu.se
        }

        LIU.SE = {
            kdc = bulldog.unit.liu.se
            admin_server = bulldog.unit.liu.se
        }

This correctly maps "peter@IFM.LIU.SE" to "peter". And via the
"auth_to_local_realm" (a Solaris-specific extension I think) also
correctly maps "peter@AD.IFM.LIU.SE" to "peter".

But not "peter86@LIU.SE"... It doesn't work since the code in
lib/krb5/os/an_to_ln.c:krb5_aname_to_localname() calls the function
aname_full_to_mapping_name() which drops the realm stuff from the
principal before looking up the mapping. If I change "peter86@LIU.SE" to
just "peter86" things work better (i.e. the mapping takes place).

However... That will also map "peter86@LYSATOR.LIU.SE" to "peter" which
is really wrong. Or "peter86@HACKERS-R-US.RU" for that matter.
Making the thing completely useless...

I'm curious if there exists anyone anywhere that is using the
auth_to_local_name stuff as it currently stands...

Btw, when investigating this issue I found this old mail from 2003:
http://mailman.mit.edu/pipermail/krbdev/2003-November/002064.html

The same code seems to be in Kerberos 1.8 as it was then (and the same
seems to be in OpenSolaris)...

- Peter
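As an added illustration (not code from this report or from MIT krb5), here is a small Python model of the two lookup behaviours the report contrasts: a lookup that drops the realm before consulting auth_to_local_names, and the realm-aware lookup the reporter expected. The table contents, function names and the local-realm parameter are constructed for the example; principal parsing is simplified (no escaped "@").

```python
# Added example (not from the bug report or MIT krb5): a model of the
# auth_to_local_names lookup. map_realm_stripped() mimics the behaviour the
# report describes (realm discarded before the table lookup); map_realm_aware()
# is the behaviour the reporter expected. All table contents are constructed.
from typing import Dict, Optional, Tuple

# Constructed table, keyed exactly as the entry is written in the krb5.conf above.
AUTH_TO_LOCAL_NAMES: Dict[str, str] = {
    "peter86@LIU.SE": "peter",
}


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """Split 'name@REALM' into (name, realm); realm is None when absent.
    Simplified: does not handle the '\\@' escape allowed in real principals."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, None
    return name, realm


def map_realm_stripped(principal: str, table: Dict[str, str]) -> Optional[str]:
    """Model of the reported behaviour: the realm is thrown away before the
    lookup, so a realm-qualified key can never match, and a bare key matches
    that name in *every* realm."""
    name, _realm = split_principal(principal)
    return table.get(name)


def map_realm_aware(principal: str, table: Dict[str, str],
                    local_realm: str) -> Optional[str]:
    """Lookup that keeps the realm: a realm-qualified key must match exactly;
    a bare key is honoured only for principals in the local realm."""
    name, realm = split_principal(principal)
    if realm is None:
        realm = local_realm
    qualified = f"{name}@{realm}"
    if qualified in table:
        return table[qualified]
    if realm == local_realm and name in table:
        return table[name]
    return None


if __name__ == "__main__":
    for p in ("peter86@LIU.SE", "peter86@LYSATOR.LIU.SE", "peter86@HACKERS-R-US.RU"):
        print(p, "stripped:", map_realm_stripped(p, {"peter86": "peter"}),
              "aware:", map_realm_aware(p, AUTH_TO_LOCAL_NAMES, "IFM.LIU.SE"))
```

Running it shows the report's two failure modes side by side: the realm-qualified key never matches under the stripped lookup, and a bare key under that lookup maps the same name from any realm to "peter".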