• Re: gss_localname() with multiple KDC/User Directories + Apache + mod_a

    From Tobias Kritten (EXT)@21:1/5 to Greg Hudson on Tue Jul 20 16:13:48 2021
    To: kerberos@mit.edu (kerberos@mit.edu)

    Hi Greg,

    thanks for your quick help!

    auth_to_local is always looked up in the default realm, not in the realm of the principal being authorized. This is why the rule has to do the annoying dance of explicitly including the realm in the [] part, matching it in the () part, and removing it in the s// part. Fixing this historical botch isn't trivial since the obvious fixes would be likely to break existing deployments. (The same problem applies to auth_to_local_names, which is even worse since there's no workaround aside from not doing any cross-realm.)

    Moving the auth_to_local directive into the default realm solved the issue - thank you so much! :-)

    Best,
    Tobias

    --
    Kind regards from Dortmund,
    Tobias Kritten (EXT), Head of Internal IT
    ________________________________
    dogado GmbH
    Antonio-Segni-Straße 11
    44263 Dortmund


    Hotline: +49 (231) 28 66 200
    Fax: +49 (231) 28 66 20 20
    Website: http://www.dogado.de
    Profile on XING: http://www.xing.com/companies/dogado
    The Cloud Sourcing Blog: http://www.dogado.de/blog
    Twitter: https://twitter.com/dogado
    Facebook: https://www.facebook.com/dogado
    Technical support: support@dogado.de

    Registered office: Dortmund. Commercial register: HRB 19737, Amtsgericht Dortmund,
    VAT ID: DE249338561. Managing directors: Marcel Chorengel, Daniel Hagemeier, Ralph Cammerrath, Claus Boyens

    ________________________________

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
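
The lookup behaviour quoted in this message, as an added example that is not part of the original thread and not MIT krb5 code: a simplified Python model of auth_to_local evaluation showing why a rule placed under the foreign realm is never consulted, while the same rule under the default realm maps the cross-realm principal. The realm names CORP.EXAMPLE and PARTNER.EXAMPLE, the principals and the helper names are constructed for illustration.

```python
import re

# Constructed krb5.conf view: realm section -> its auth_to_local values.
# CORP.EXAMPLE is the default realm, PARTNER.EXAMPLE a trusted foreign realm.
DEFAULT_REALM = "CORP.EXAMPLE"
RULE = r"RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/@PARTNER\.EXAMPLE$//"
MISPLACED = {"CORP.EXAMPLE": ["DEFAULT"], "PARTNER.EXAMPLE": [RULE, "DEFAULT"]}
CORRECTED = {"CORP.EXAMPLE": [RULE, "DEFAULT"], "PARTNER.EXAMPLE": []}

RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/(.*?)/(.*?)/(g?))?$")

def apply_rule(rule, comps, realm):
    """Simplified model of one auth_to_local value; returns a local name or None."""
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the default realm.
        return comps[0] if len(comps) == 1 and realm == DEFAULT_REALM else None
    n, fmt, regexp, pat, rep, g = RULE_RE.match(rule).groups()
    if int(n) != len(comps):
        return None
    # [] part: build the selection string; $0 is the realm, $1.. the components.
    parts = [realm] + comps
    sel = re.sub(r"\$(\d)", lambda m: parts[int(m.group(1))], fmt)
    # () part: the whole selection string has to match the expression.
    if regexp and not re.fullmatch(regexp, sel):
        return None
    # s// part: strip the realm again so only the local account name remains.
    if pat is not None:
        sel = re.sub(pat, rep, sel, count=0 if g else 1)
    return sel

def localname(principal, conf):
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    # Point made in the thread: rules are read from the DEFAULT realm's
    # section, never from the section of the principal's own realm.
    for rule in conf.get(DEFAULT_REALM, []):
        result = apply_rule(rule, comps, realm)
        if result is not None:
            return result
    return None

if __name__ == "__main__":
    for label, conf in (("misplaced", MISPLACED), ("corrected", CORRECTED)):
        print(label, localname("alice@PARTNER.EXAMPLE", conf))
```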