Date: Fri, 05 Mar 2010 13:16:09 +0100
From: Peter Eriksson <peter@ifm.liu.se>
To: krb5-bugs@mit.edu
Subject: auth_to_local_names is useless
Problem:
I want to allow users to authenticate either using our local
username/password (our local Kerberos server) *or* the new
university-wide username/password (another Kerberos server). For example
I should be able to login using either:
peter86@LIU.SE
or
peter@IFM.LIU.SE
and both should map to the local Unix user "peter". To allow this I
thought the krb5.conf "auth_to_local_names" would be the right way to
solve it, by simply including a list of principal <-> username mappings.
But alas, that doesn't seem to work....
Here's a sample krb5.conf file:
[libdefaults]
    default_realm = IFM.LIU.SE

[realms]
    IFM.LIU.SE = {
        kdc = as-slave-1.ifm.liu.se
        kdc = as-slave-2.ifm.liu.se
        kdc = as-master.ifm.liu.se
        admin_server = as-master.ifm.liu.se
        auth_to_local_realm = AD.IFM.LIU.SE
        auth_to_local_names = {
            peter86@LIU.SE = peter
        }
    }

    AD.IFM.LIU.SE = {
        kdc = ad-master.ad.ifm.liu.se
        kdc = ad-slave.ad.ifm.liu.se
        admin_server = ad-master.ifm.liu.se
        kpasswd_protocol = SET_CHANGE
    }

    LYSATOR.LIU.SE = {
        kdc = as-master.lysator.liu.se
        kdc = as-slave.lysator.liu.se
        admin_server = as-master.lysator.liu.se
    }

    LIU.SE = {
        kdc = bulldog.unit.liu.se
        admin_server = bulldog.unit.liu.se
    }
This correctly maps "peter@IFM.LIU.SE" to "peter". And via the
"auth_to_local_realm" (a Solaris-specific extension I think) also
correctly maps "peter@AD.IFM.LIU.SE" to "peter".
But not "peter86@LIU.SE"... It doesn't work since the code in
lib/krb5/os/an_to_ln.c:krb5_aname_to_localname() calls the function
aname_full_to_mapping_name() which drops the realm stuff from the
principal before looking up the mapping. If I change "peter86@LIU.SE" to
just "peter86" things work better (i.e. the mapping takes place).
However... That will also map "peter86@LYSATOR.LIU.SE" to "peter" which
is really wrong. Or "peter86@HACKERS-R-US.RU" for that matter.
Making the thing completely useless...
I'm curious if there exists anyone anywhere that is using the
auth_to_local_names stuff as it currently stands...
Btw, when investigating this issue I found this old mail from 2003:
http://mailman.mit.edu/pipermail/krbdev/2003-November/002064.html
The same code seems to be in Kerberos 1.8 as it was then (and the same
seems to be in OpenSolaris)...
- Peter
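The following is an added illustration, not part of the report and not MIT krb5's own code: it models the two lookup behaviours the report describes so the security consequence is easy to see. One function drops the realm before consulting the auth_to_local_names table (the behaviour attributed to aname_full_to_mapping_name()), the other keys the table on the full principal and only honours a bare-name entry for the local realm. The mapping table, the local realm and the auth_to_local_realm set are constructed from the sample krb5.conf above; the default "local realm maps to the bare name" rule and the function names are assumptions made for the model.

```python
"""Model of principal -> local-name mapping with and without realm stripping.

Added example; it is not MIT krb5 code. The tables below are constructed
from the sample krb5.conf in the report.
"""

from typing import Dict, Optional, Tuple

# Constructed from the report's sample [realms] section.
LOCAL_REALM = "IFM.LIU.SE"
AUTH_TO_LOCAL_NAMES: Dict[str, str] = {
    "peter86@LIU.SE": "peter",
}
# auth_to_local_realm (the Solaris extension the report mentions): realms
# whose principals are treated like local ones when no explicit entry matches.
AUTH_TO_LOCAL_REALMS = {"AD.IFM.LIU.SE"}


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, realm); realm is '' if absent."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, ""
    return name, realm


def lookup_realm_stripped(principal: str, table: Dict[str, str]) -> Optional[str]:
    """Lookup as the report describes it: the realm is dropped before the
    table is consulted, so a key written as 'peter86@LIU.SE' can never match,
    while a key written as the bare 'peter86' matches that name in ANY realm."""
    name, _ = split_principal(principal)
    return table.get(name)


def lookup_realm_aware(principal: str, table: Dict[str, str]) -> Optional[str]:
    """Assumed safer lookup: an exact 'name@REALM' entry matches; a bare-name
    entry is accepted only when the principal is in the local realm."""
    name, realm = split_principal(principal)
    if principal in table:
        return table[principal]
    if name in table and realm == LOCAL_REALM:
        return table[name]
    return None


def aname_to_localname(principal: str, table: Dict[str, str],
                       realm_aware: bool) -> Optional[str]:
    """Full decision for the model: explicit table first, then the default
    rule that principals in the local realm (or an auth_to_local_realm) map
    to their bare name. Returns None when no mapping applies."""
    lookup = lookup_realm_aware if realm_aware else lookup_realm_stripped
    mapped = lookup(principal, table)
    if mapped is not None:
        return mapped
    name, realm = split_principal(principal)
    if realm == LOCAL_REALM or realm in AUTH_TO_LOCAL_REALMS:
        return name
    return None


if __name__ == "__main__":
    # Constructed test principals, including the foreign-realm case the
    # report warns about and the bare-name workaround it tried.
    bare_workaround = {"peter86": "peter"}
    for princ in ("peter@IFM.LIU.SE", "peter@AD.IFM.LIU.SE",
                  "peter86@LIU.SE", "peter86@LYSATOR.LIU.SE"):
        print(f"{princ:26} stripped/config : {aname_to_localname(princ, AUTH_TO_LOCAL_NAMES, False)}")
        print(f"{princ:26} stripped/bare   : {aname_to_localname(princ, bare_workaround, False)}")
        print(f"{princ:26} realm-aware     : {aname_to_localname(princ, AUTH_TO_LOCAL_NAMES, True)}")
```

Running the block shows the three outcomes in the report side by side: with the realm stripped, the configured "peter86@LIU.SE" entry never matches; rewriting it to the bare "peter86" makes the mapping fire but also maps "peter86@LYSATOR.LIU.SE" (or any other realm) to "peter"; the realm-aware lookup maps only the principal that was actually configured. When auditing a krb5.conf, the check that matters is whether any bare-name entry in auth_to_local_names can be reached from a realm other than the local one.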