Sophie

Sophie

distrib > Mandriva > 2009.1 > x86_64 > media > main-updates > by-pkgid > eb20978f2114aaee6b9a46b8c4257116 > files > 14

pam_krb5-2.3.5-0.1mdv2009.1.x86_64.rpm

Winbind makes users who are members of a domain appear to be normal users, with
the domain name frequently included as a prefix of the user name.  Kerberos
doesn't handle this perfectly.

Specifically, for a user named tester in domain TEST and realm
TEST.EXAMPLE.COM, we have two names.

Kerberos principal name (userPrincipalName): tester@TEST.EXAMPLE.COM
Winbind/POSIX user name:                     TEST\tester

For certain internal functions (such as access control checking using a
user's .k5login file), the library will need to convert a principal name
to a user name.  This is controlled by the 'auth_to_local_names' and
'auth_to_local' configuration settings for the default realm in /krb5.conf.
One such mapping would look like:
  [libdefaults]
    default_relam = TEST.EXAMPLE.COM
  [realms]
    TEST.EXAMPLE.COM = {
      auth_to_local = RULE:[1:$0\$1](TEST\.EXAMPLE\.COM\\.*)s/TEST\.EXAMPLE\.COM/TEST/g
      auth_to_local = DEFAULT
    }

The argument to RULE: is the concatentation of:
* An optional input formulation
  "[" number-of-components ":" template "]"
  Where number-of-components is the number of instance parts + 1, and the
  template mixes literal text with portions of the principal name ($1
  is the root part, $2 is the first instance, $3 the second, etc., $0 the
  realm in MIT krb5 1.3.4 and later).
* An optional regex
  If specified, the formulated string must match this regexp for this rule
  to be applied.
* An optional sed expression
  "s/" matchexp "/" output "/" ["g"]

The DEFAULT rule more or less equates to
  RULE:[1:$1]
and must be explicitly listed to benefit from its effects if any RULEs are
specified.

This solves one problem, but pam_krb5 needs some way to convert a user name
which is provided by PAM into a principal name, and there is no configurable
way to do this using the Kerberos libraries.  To support this, pam_krb5 has a
"mappings" configuration directive which can be used to map a user name to a
principal name.  The directive takes pairs of arguments (regexps and output
specifiers).  A specifier can refer to a substring matched in its regexp by
specifying a "$" and the relative location of the substring in the regexp.
  [appdefaults]
   pam = {
     mappings = TEST\\(.*) $1@TEST.EXAMPLE.COM
   }

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional