Installation and Maintenance

Multiple realms

Apache authentication to Kerberos can quite easily be extended to support multiple realms (multiple forests without a trust relationship, in AD terms). Just add the realm names to the site configuration (KrbAuthRealms, a space-separated list) and make sure the service name and the workstation account name have the same FQDN in both Kerberos databases. The Linux system must join the first realm and update the keytab file. After that, edit smb.conf, join the second realm and update the keytab again. Repeat this procedure for every realm you wish to support.

In Active Directory environments, a forest can comprise multiple domains with "automatic two-way transitive trusts". Kerberos tickets are passed through this trust without further configuration (except for the use of local names, see below). A short test showed that this works. If a forest trust (not a domain trust!) is established between two different forests, no further configuration is needed either.

Apache passes username@REALM in the Remote_User variable unless you set KrbLocalUserMapping to on. In that case you have to extend /etc/krb5.conf with name-mapping rules in the section for the default realm, covering each realm you use (including the default). Apache doesn't check whether names are unique between realms, so take care of that yourself if needed.

A sample section in krb5.conf to adjust local names from different realms would look like:

[realms]
    VERBUND.LOCAL = {
        auth_to_local = RULE:[1:$1@$0](.*@.*OTHER.REALM)s/@.*//
        auth_to_local = DEFAULT
        # auth_to_local = RULE:[1:$1@$0](.*@.*VERBUND.LOCAL)s/@.*//
    }

This has to be done in the entry matching the name of the default_realm from the "libdefaults" section, not in a section for OTHER.REALM!
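The following is an added example, not code from the original page or from Apache or MIT Kerberos: a small Python evaluator for auth_to_local rules of the form shown above (RULE:[n:string](regexp)s/pattern/replacement/ and DEFAULT), used to check in advance which local name each principal would map to and, since Apache itself does not check this, whether principals from different realms collapse onto the same local user. The realm names and the sample principals are constructed values; the rule lines are the ones from the sample krb5.conf section, with VERBUND.LOCAL assumed to be the default_realm.

```python
import re
from typing import Optional

# Assumed to be the default_realm from [libdefaults]; sample rules from the page.
DEFAULT_REALM = "VERBUND.LOCAL"
RULES = [
    "RULE:[1:$1@$0](.*@.*OTHER.REALM)s/@.*//",
    "DEFAULT",
]

# Constructed sample principals from three realms (not real accounts).
SAMPLE_PRINCIPALS = [
    "alice@VERBUND.LOCAL",
    "bob@OTHER.REALM",
    "alice@OTHER.REALM",            # same short name as the VERBUND.LOCAL user
    "carol@THIRD.REALM",            # realm not covered by any rule
    "host/www.example.com@VERBUND.LOCAL",  # two components: DEFAULT does not apply
]


def parse_principal(principal: str):
    """Split 'comp1/comp2@REALM' into ([components], realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal without realm: {principal!r}")
    return name.split("/"), realm


def _split_parenthesised(text: str):
    """For text starting with '(' return (inner, rest), honouring nesting."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[1:i], text[i + 1:]
    raise ValueError(f"unbalanced parentheses in rule: {text!r}")


def parse_rule(rule: str):
    """Parse 'RULE:[n:fmt](regexp)s/pat/repl/[g]...' into (n, fmt, regexp, subs).

    Substitutions are split on the delimiter as written; escaped delimiters are
    not supported by this simplified parser.
    """
    m = re.match(r"RULE:\[(\d+):([^\]]*)\](.*)$", rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    ncomp, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    regexp = None
    if rest.startswith("("):
        regexp, rest = _split_parenthesised(rest)
    subs = []
    while rest.startswith("s"):
        delim = rest[1]
        parts = rest[2:].split(delim, 2)  # pattern, replacement, tail
        if len(parts) < 3:
            raise ValueError(f"bad substitution in rule: {rule!r}")
        pat, repl, rest = parts
        glob = rest.startswith("g")
        if glob:
            rest = rest[1:]
        subs.append((pat, repl, glob))
    if rest:
        raise ValueError(f"trailing text in rule: {rule!r}")
    return ncomp, fmt, regexp, subs


def apply_rule(rule: str, components, realm: str) -> Optional[str]:
    """Apply one RULE: line; None means the rule does not select this principal."""
    ncomp, fmt, regexp, subs = parse_rule(rule)
    if len(components) != ncomp:
        return None
    # Build the selection string: $0 is the realm, $1..$n the components
    # (highest index first so that $1 does not clobber $10).
    selected = fmt.replace("$0", realm)
    for i in range(len(components), 0, -1):
        selected = selected.replace(f"${i}", components[i - 1])
    # The optional (regexp) must match the whole selection string.
    if regexp is not None and re.fullmatch(regexp, selected) is None:
        return None
    for pat, repl, glob in subs:
        selected = re.sub(pat, repl, selected, count=0 if glob else 1)
    return selected


def map_principal(principal: str, rules=RULES, default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Return the local name chosen by the first matching rule, or None if none matches."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        result = apply_rule(rule, components, realm)
        if result is not None:
            return result
    return None


def find_collisions(principals, rules=RULES, default_realm: str = DEFAULT_REALM):
    """Map every principal and report local names claimed by more than one principal."""
    seen = {}
    for principal in principals:
        local = map_principal(principal, rules, default_realm)
        if local is not None:
            seen.setdefault(local, []).append(principal)
    return {name: owners for name, owners in seen.items() if len(owners) > 1}


if __name__ == "__main__":
    for p in SAMPLE_PRINCIPALS:
        print(f"{p:40} -> {map_principal(p)}")
    print("collisions:", find_collisions(SAMPLE_PRINCIPALS))
```

Running it on the constructed sample shows alice@VERBUND.LOCAL and alice@OTHER.REALM both mapping to the local user "alice", which is exactly the cross-realm ambiguity the text warns Apache will not catch; carol@THIRD.REALM and the two-component host principal map to nothing because no rule selects them.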
