
Re: kerberos principal to UNIX name mapping



On Fri, Aug 05, 2005 at 03:40:23PM +0200, vadim wrote:
> Hello everybody,
> 
> I've got a little bit odd setup, namely, I use GSSAPI implementation
> from Heimdal and AD as KDC. Odd is that all unix user names are written
> in small letters, whereas all kerberos principals in AD are written in
> capital letters. Sometimes it causes me headaches ...

any chance you can change that?

> 
> Now I can remember I've seen somewhere either man page or another piece
> of documentation, which was talking about mapping principals to unix
> names using regexp, where regexp could be specified in a configuration
> file like /etc/krb5.conf. I was searching now everywhere for this doc,
> but could not find anything ...

i know in modern MIT distributions, if the support is compiled in, you
can put something like

[realms]
	EXAMPLE.COM = {
		...
		auth_to_local = RULE:[#comps:selector](regex)s/substr1/substr2/g
	}

which allows you to do, among other stuff, static string replacements for
mapping Kerberos principal names to local account names. (the only place
i *know* it's documented for sure is in krb5/src/lib/krb5/os/an_to_ln.c.)
however, i think you need more flexibility than that (so, as long as
you're looking at the source, feel free to tweak)

(note i think there's also a bug that requires that auth_to_local
directives appear in the default_realm [realms] section, even if the
principals you're trying to match are from another realm. hence, this may
not be wise to do without fixing that, if you don't wanna mess up the
default mapping for non-Active-Directory accounts. i have a patch for this,
but it seems like the wrong list to be going on about this)