Hi Greg, thanks for your quick help!

> auth_to_local is always looked up in the default realm, not in the realm of
> the principal being authorized. This is why the rule has to do the annoying
> dance of explicitly including the realm in the [] part, matching it in the ()
> part, and removing it in the s// part. Fixing this historical botch isn't
> trivial since the obvious fixes would be likely to break existing
> deployments. (The same problem applies to auth_to_local_names, which is even
> worse since there's no workaround aside from not doing any cross-realm.)

Moving the auth_to_local directive into the default realm solved the issue - thank you so much! :-)

Best,
Tobias

--
Kind regards from Dortmund,
Tobias Kritten (EXT), Head of Internal IT
dogado GmbH

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
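The placement discussed in this message, as an added krb5.conf fragment that is not part of the original thread. The realm names EXAMPLE.COM (the host's default realm) and PARTNER.EXAMPLE (the foreign realm) are placeholders, and the rule assumes one-component principals from the foreign realm.

```ini
# Constructed example; realm names are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Consulted for every principal, whatever its realm, because
        # EXAMPLE.COM is the default realm on this host.
        #   [1:$1@$0]  build "name@REALM" from a one-component principal
        #   (...)      apply the rule only when that string matches, so only
        #              PARTNER.EXAMPLE principals are mapped by it
        #   s/@.*//    strip the realm, leaving the local account name
        auth_to_local = RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/@.*//
        auth_to_local = DEFAULT
    }

    PARTNER.EXAMPLE = {
        # Not consulted on this host: PARTNER.EXAMPLE is not the default
        # realm, so a rule placed here has no effect on authorization.
        # auth_to_local = RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/@.*//
    }
```

Keeping the realm in the `()` match limits the mapping to the one trusted foreign realm; a pattern such as `(.*)` would map principals from any realm that can authenticate to the same local account names.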