Jaap Winius <[email protected]> writes:

> First, I started out with this configuration for
> libapache2-mod-auth-kerb (v5.4-2 on Debian wheezy):
>
> AuthType Kerberos
> KrbAuthRealms EXAMPLE.COM
> KrbServiceName Any
> Krb5Keytab /etc/apache2/krb5-apache.keytab
> KrbLocalUserMapping On
> AuthName "Example login"
>
> This works fine for local users, but excludes MYREALM.COM users,
> although the system is configured to support this additional realm.
> I fixed it by setting KrbLocalUserMapping to 'off', but now all the
> authorized login names in the 'require user' list must also include a
> realm, e.g. [email protected], but also [email protected]. That may
> not sound so bad, but it also means that those visiting the site without
> a Kerberos ticket must now enter their login name (for SPNEGO) that way
> as well, which is not exactly what I was hoping for.

I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
option is to leave it on and change, in the Kerberos configuration, how
local user mapping is done to, for example, treat MYREALM.COM as a second
local realm (if that's appropriate). However, I'm not sure if that works
with password prompts, since the system still needs to know which
principal to use for authentication when authenticating with a password.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
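A krb5.conf fragment showing the kind of local-name mapping Russ describes, added here as an illustration and not part of the original thread. It assumes MIT Kerberos (which is what krb5_aname_to_localname consults), that the web server's default realm is EXAMPLE.COM, and uses placeholder KDC hostnames.

```ini
[libdefaults]
    # krb5_aname_to_localname reads the auth_to_local rules of the
    # host's default realm, so the rules below belong under EXAMPLE.COM.
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com            ; placeholder hostname
        # Without any auth_to_local line the built-in behaviour applies:
        # only single-component principals in EXAMPLE.COM map to a local
        # user, and alice@MYREALM.COM is rejected (the problem reported).
        #
        # Rule: format the principal as "name@REALM" (only principals with
        # exactly one component match [1:...], so host/ and HTTP/ service
        # principals never map), then strip the MYREALM.COM suffix.
        # alice@MYREALM.COM -> alice
        auth_to_local = RULE:[1:$1@$0](.*@MYREALM\.COM)s/@MYREALM\.COM//
        # Keep the standard mapping for the local realm itself.
        # bob@EXAMPLE.COM -> bob
        auth_to_local = DEFAULT
        # Note for the deployer: this makes alice@MYREALM.COM and
        # alice@EXAMPLE.COM the same local user, so the two realms must
        # share a namespace (Russ's "if that's appropriate").
    }
    MYREALM.COM = {
        kdc = kdc.myrealm.com            ; placeholder hostname
    }
```

With this in place, KrbLocalUserMapping On yields a bare local name for both realms, so `require user alice` works without a realm suffix; it does not settle the password-prompt question Russ raises, where the client library still has to pick a realm for the typed name.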
