To:
kerberos@mit.edu (
kerberos@mit.edu)
Hi Greg,
thanks for your quick help!
auth_to_local is always looked up in the default realm, not in the realm of the principal being authorized. This is why the rule has to do the annoying dance of explicitly including the realm in the [] part, matching it in the () part,
and removing it in the s// part. Fixing this historical botch isn't trivial since the
obvious fixes would be likely to break existing deployments. (The same problem applies to auth_to_local_names, which is even worse since there's
no workaround aside from not doing any cross-realm.)
Moving the auth_to_local directive into the default realm solved the issue - thank you so much! :-)
Best,
Tobias
--
Mit freundlichen Grüßen aus Dortmund,
Tobias Kritten (EXT), Head of Internal IT
________________________________
dogado GmbH
Antonio-Segni-Straße 11
44263 Dortmund
Hotline: +49 (231) 28 66 200
Fax: +49 (231) 28 66 20 20
Website:
http://www.dogado.de
Profil auf XING:
http://www.xing.com/companies/dogado
The Cloud Sourcing Blog:
http://www.dogado.de/blog
Twitter:
https://twitter.com/dogado
Facebook:
https://www.facebook.com/dogado
Technischer Support:
support@dogado.de<mailto:
support@dogado.de>
Sitz der Gesellschaft: Dortmund Handelsregister: HRB 19737 Amtsgericht Dortmund,
Ust-IdNr: DE249338561 Geschäftsführer: Marcel Chorengel, Daniel Hagemeier, Ralph Cammerrath, Claus Boyens
________________________________
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)