Current File : //proc/21572/root/usr/share/doc/pam_krb5-2.2.14/README.winbind
Winbind makes users who are members of a domain appear to be normal users, with
the domain name frequently included as a prefix of the user name.  Kerberos
doesn't handle this perfectly.

Specifically, for a user named tester in domain TEST and realm
TEST.EXAMPLE.COM, we have two names.

Kerberos principal name (userPrincipalName): tester@TEST.EXAMPLE.COM
Winbind/POSIX user name:                     TEST\tester

For certain internal functions (such as access control checking using a
user's .k5login file), the library will need to convert a principal name
to a user name.  This is controlled by the 'auth_to_local_names' and
'auth_to_local' configuration settings for the default realm in /krb5.conf.
One such mapping would look like:
  [libdefaults]
    default_realm = TEST.EXAMPLE.COM
  [realms]
    TEST.EXAMPLE.COM = {
      auth_to_local = RULE:[1:$0\$1](TEST\.EXAMPLE\.COM\\.*)s/TEST\.EXAMPLE\.COM/TEST/g
      auth_to_local = DEFAULT
    }

The argument to RULE: is the concatenation of:
* An optional input formulation
  "[" number-of-components ":" template "]"
  Where number-of-components is the number of instance parts + 1, and the
  template mixes literal text with portions of the principal name ($1
  is the root part, $2 is the first instance, $3 the second, etc., $0 the
  realm in MIT krb5 1.3.4 and later).
* An optional regex
  If specified, the formulated string must match this regexp for this rule
  to be applied.
* An optional sed expression
  "s/" matchexp "/" output "/" ["g"]

The DEFAULT rule more or less equates to
  RULE:[1:$1]
and must be explicitly listed to benefit from its effects if any RULEs are
specified.

This solves one problem, but pam_krb5 needs some way to convert a user name
which is provided by PAM into a principal name, and there is no configurable
way to do this using the Kerberos libraries.  To support this, pam_krb5 has a
"mappings" configuration directive which can be used to map a user name to a
principal name.  The directive takes pairs of arguments (regexps and output
specifiers).  A specifier can refer to a substring matched in its regexp by
specifying a "$" and the relative location of the substring in the regexp.
  [appdefaults]
    pam = {
      mappings = TEST\\(.*) $1@TEST.EXAMPLE.COM
    }
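The two mappings above go in opposite directions: auth_to_local turns a principal into a POSIX user (formulation, then regex, then sed), and the pam_krb5 "mappings" directive turns a PAM user name back into a principal. The following evaluator is an added example, not code from pam_krb5 or MIT krb5; it implements the RULE: and DEFAULT semantics exactly as this README describes them and the "mappings" pair from the last section, so both can be checked offline against sample principals. The README's own realm and rule strings are embedded as constants. It simplifies the real parsers in two ways that are assumptions: principals contain no backslash-escaped '/' or '@', and both regexes must match the whole formulated string (an unanchored rule would otherwise let a principal from an unrelated realm be mapped onto a local account, which is the check worth having when writing such rules).

```python
import re

# Constructed to match the README's example; not the live configuration of any host.
DEFAULT_REALM = "TEST.EXAMPLE.COM"
AUTH_TO_LOCAL = [
    r"RULE:[1:$0\$1](TEST\.EXAMPLE\.COM\\.*)s/TEST\.EXAMPLE\.COM/TEST/g",
    "DEFAULT",
]
PAM_MAPPINGS = [(r"TEST\\(.*)", "$1@TEST.EXAMPLE.COM")]


def parse_principal(principal):
    """Split 'root/inst1/inst2@REALM' into ([root, inst1, inst2], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError("malformed principal: %r" % principal)
    return name.split("/"), realm


def _split_unescaped(text, sep):
    """Split on sep while leaving backslash-escaped characters in place."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]
            i += 2
            continue
        if text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i]
        i += 1
    parts.append(cur)
    return parts


def parse_rule(rule):
    """Split 'RULE:[n:template](regex)s/match/output/g' into (n, template, regex, sed)."""
    if not rule.startswith("RULE:"):
        raise ValueError("not a RULE: entry: %r" % rule)
    rest = rule[len("RULE:"):]
    ncomp = template = regex = sed = None
    if rest.startswith("["):                    # optional input formulation
        end = rest.index("]")
        n, template = rest[1:end].split(":", 1)
        ncomp, rest = int(n), rest[end + 1:]
    if rest.startswith("("):                    # optional regex, up to the matching ')'
        depth, i = 0, 0
        while i < len(rest):
            if rest[i] == "\\":
                i += 2
                continue
            depth += {"(": 1, ")": -1}.get(rest[i], 0)
            if depth == 0:
                break
            i += 1
        regex, rest = rest[1:i], rest[i + 1:]
    if rest.startswith("s/"):                   # optional sed expression
        match, output, flags = (_split_unescaped(rest[2:], "/") + ["", ""])[:3]
        sed = (match, output, "g" in flags)
    return ncomp, template, regex, sed


def principal_to_local(principal, rules=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """Return the user name produced by the first matching rule, or None."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the default realm.
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        ncomp, template, regex, sed = parse_rule(rule)
        if ncomp is None:
            formulated = principal              # assumption: unparsed name is used
        elif len(comps) != ncomp:
            continue                            # principal has the wrong shape
        else:
            # $0 is the realm, $1 the root, $2.. the instances; backslashes stay literal.
            formulated = re.sub(
                r"\$(\d+)",
                lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1],
                template)
        if regex is not None and re.fullmatch(regex, formulated) is None:
            continue
        if sed is not None:
            match, output, everywhere = sed
            formulated = re.sub(match, lambda m: output, formulated,
                                count=0 if everywhere else 1)
        return formulated
    return None


def user_to_principal(user, mappings=PAM_MAPPINGS):
    """Apply pam_krb5-style (regexp, output) pairs; $n refers to a captured group."""
    for regexp, output in mappings:
        m = re.fullmatch(regexp, user)
        if m is not None:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), output)
    return None


if __name__ == "__main__":
    for p in ("tester@TEST.EXAMPLE.COM", "tester@OTHER.EXAMPLE.COM", "host/web@TEST.EXAMPLE.COM"):
        print(p, "->", principal_to_local(p))
    print("TEST\\tester", "->", user_to_principal("TEST\\tester"))
```

Running it shows the round trip from the README (tester@TEST.EXAMPLE.COM to TEST\tester and back), and that a same-named principal in another realm or a two-component service principal maps to nothing, because neither the RULE regex nor DEFAULT accepts it.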
