
From: Markus Kuhn <>
Subject: krb5.conf(5): documentation of auth_to_local unclear and ambiguous
Date: Fri, 30 Sep 2016 15:07:50 +0100
The krb5.conf(5) man page currently says:

Each tag in the [realms] section of the file is the name of a Kerberos
realm. The value of the tag is a subsection with relations that define
the properties of that particular realm. For each realm, the following
tags may be specified in the realm's subsection:

This tag allows you to set a general rule for mapping principal
names to local user names. It will be used if there is not an
explicit mapping for the principal name that is being trans-

At no point does the manual page say what meaning the tag in the [realms]
section has in the context of auth_to_local, i.e. how the realm tag affects
under which condition the specified auth_to_local rule is applied.

In other words, if I have in krb5.conf something like

auth_to_local = ...
auth_to_local = ...

please explain more clearly under which condition the first or the second
auth_to_local tag is applied.

If a client user A@REALM1.COM connects to a server B@REALM2.COM, and I want to
use auth_to_local to translate A@REALM1.COM into a local user A, do I have to
place that auth_to_local tag in a subsection

REALM1.COM = { auth_to_local = ... }


REALM2.COM = { auth_to_local = ... }

Is the realm tag here the one of the client principal in the ticket, or
the one of the server principal in the ticket, or even just the
default_realm of the server?

It would be great if the krb5.conf man page answered that question
in a clear manner, in order to clarify the semantics of auth_to_local
in a cross-realm context.

One common use of auth_to_local is to allow users from other realms into
a server, as mentioned at

Unfortunately, the current krb5.conf doesn't document the semantics
currently clearly enough to make it obvious how to do that.

In addition: since auth_to_local uses regular expressions, it would be
most helpful if the documentation stated which of the many regular expression
languages out there is used (POSIX BRE/ERE/SRE, PCRE, etc.), with a
reference to its full documentation.



Markus Kuhn, Computer Laboratory, University of Cambridge || CB3 0FD, Great Britain
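As an added illustration of the RULE syntax the report refers to (not code from the report or from the krb5 project), the following Python evaluates a constructed auth_to_local list the way krb5.conf(5) describes RULE and DEFAULT entries: build a selection string from the principal's components, require the regexp to match it, then apply the s/pattern/replacement/ substitution. It assumes Python's re module as a stand-in for the library's POSIX regex engine and a constructed default realm; it deliberately does not decide which [realms] subsection the rules are read from, which is exactly the question the report raises.

```python
import re
from typing import Optional

# Constructed sample auth_to_local value (MIT RULE syntax), not from any real krb5.conf.
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](.*@REALM1\.COM)s/@.*//",  # REALM1.COM users -> name without realm
    r"RULE:[2:$2](admin)s/.*/root/",           # any foo/admin principal -> root
    "DEFAULT",                                 # single-component principal of default realm
]
DEFAULT_REALM = "REALM2.COM"  # constructed; normally [libdefaults] default_realm

# RULE:[n:string](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$"
)


def split_principal(principal: str):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Local name produced by one rule, or None when the rule does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed auth_to_local rule: {rule}")
    n, fmt, regexp, pattern, replacement, flag = m.groups()
    if len(comps) != int(n):
        return None  # [n:...] applies only to principals with exactly n components

    def select(s):  # $0 is the realm, $i the i-th component
        i = int(s.group(1))
        return realm if i == 0 else (comps[i - 1] if i <= len(comps) else "")

    selection = re.sub(r"\$(\d+)", select, fmt)
    if re.fullmatch(regexp, selection) is None:
        return None  # assumption: regexp must match the whole selection string
    return re.sub(pattern, replacement, selection, count=0 if flag == "g" else 1)


def auth_to_local(principal, rules=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """First applicable rule wins; None means no local mapping (login is refused)."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None
```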