> From: Paul Henson
> Sent: Thursday, February 05, 2015 2:59 PM
>
> Both realms will have exactly the same set of users. Are these the only two
> steps needed to allow a principal u...@csupomona.edu to directly access
> services in the CPP.EDU realm transparently? Or is there something else I
> need to do to allow transparency during the migration?

It turns out there is a third step required - mapping the foreign principal to a local name. That wasn't very straightforward; I came across some documentation and examples referencing auth_to_local_realm, which seemed like exactly what I needed. Unfortunately, that is evidently a Solaris-specific extension and doesn't work anywhere else. After some more digging, I found an example showing that adding the following two entries to the realm configuration did what I needed:

    auth_to_local = RULE:[1:$1]
    auth_to_local = DEFAULT

With these entries in place for both realms, any principal from the opposite realm that tries to access a service is mapped to the same local user as a local principal. This is roughly approximate to auth_to_local_realm, other than that it applies to every foreign realm, not just specific ones. But as I only have one trust relationship, that doesn't really matter. There were some additional complications available in terms of regexps for these rules that might have allowed one to restrict it to a specific foreign realm, but I didn't bother to follow up on that as this will do what I need for the transition/migration.

Thanks.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
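
The mapping behaviour described in the message above, as an added example that is not part of the original post and not krb5 source code: a simplified Python model of auth_to_local rule evaluation, comparing the two posted entries with a realm-restricted rule. The restricted rule, the sample principals and the OTHER.EXAMPLE realm are assumptions made for illustration.

```python
import re

# Simplified model of auth_to_local evaluation (added sketch, not krb5 source).
# Handles DEFAULT and RULE:[n:fmt](regexp)s/pat/repl/ ; $0 = realm, $N = component N.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?$")

def map_principal(principal, rules, default_realm):
    """Return the local user name, or None if no rule applies."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the local realm.
            if len(comps) == 1 and realm == default_realm:
                return name
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError(f"unsupported rule: {rule}")
        n, fmt, regexp, pat, repl, g = m.groups()
        if int(n) != len(comps):
            continue  # component count must match exactly
        # Build the selection string from the format.
        sel = re.sub(r"\$(\d)",
                     lambda r: realm if r.group(1) == "0" else comps[int(r.group(1)) - 1],
                     fmt)
        # The regexp, when present, must match the whole selection string.
        if regexp is not None and re.fullmatch(regexp, sel) is None:
            continue
        if pat is not None:
            sel = re.sub(pat, repl, sel, count=0 if g else 1)
        return sel
    return None

# The two entries from the message: no realm check at all.
ANY_REALM = ["RULE:[1:$1]", "DEFAULT"]
# Assumed realm-restricted variant for the CPP.EDU side of the trust.
ONE_REALM = [r"RULE:[1:$1@$0](.*@CSUPOMONA\.EDU)s/@.*//", "DEFAULT"]

if __name__ == "__main__":
    # Constructed sample principals; OTHER.EXAMPLE is a made-up third realm.
    for p in ("alice@CPP.EDU", "alice@CSUPOMONA.EDU", "alice@OTHER.EXAMPLE"):
        print(p, map_principal(p, ANY_REALM, "CPP.EDU"),
              map_principal(p, ONE_REALM, "CPP.EDU"))
```

With the restricted rule, a principal from a realm other than the two named ones gets no local mapping, which matters once a second trust relationship is added.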