Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Auth_to_local rule to convert Camel-Case principals to all lower-case...
1,160 views
Skip to first unread message
spikew...@gmail.com
Aug 3, 2013, 4:40:49 PM8/3/13
to
Hello.
I am a Linux admin, attempting to authenticate against several large installed AD forests.
Or rather, we have been doing this for years, I'm just exploring some of the nuances of SSH's GSSAPI-based SSO.
All of our default principal names are in camel-case. For example:
Spike...@AMER.EXAMPLE.COM
Why? I suppose because the Windows admins that originally set up these AD forest liked camel-case and Windows is case-insenstive (for principal name.)
Not so Linux. This breaks SSO, as all Linux logins are lower case.
I can create a .k5login file under my home dir as so:
Spike...@AMER.EXAMPLE.COM
and that allows me to SSO to my 'spike_white' account. But instead of requiring a .k5login for every Linux user on every Linux server, I'd prefer to use /etc/krb5.conf auth_to_local rules to convert from uppercase to lower case.
That is, I'd prefer for krb5_kuserok() to match against spike...@AMER.EXAMPLE.COM, instead of the principal name (found in the client-supplied KRB5 TGT) of Spike...@AMER.EXAMPLE.COM.
The problem is I'm unsure of the auth_to_local rules syntax. To convert from upper case to lower case.
If this were sed-like syntax, I'd do:
[realms]
AMER.EXAMPLE.COM = {
auth_to_local = {
RULE:[1:$1](^.*$)s/\(.*\)/\L\1/
DEFAULT
}
}
If this were tr-like syntax I could do:
[realms]
AMER.EXAMPLE.COM = {
auth_to_local = {
RULE:[1:$1](^.*$)s/[A-Z]/[a-z]/g
DEFAULT
}
}
Yet another possibility would be to write 26 sequentially rules:
[realms]
AMER.EXAMPLE.COM = {
auth_to_local = {
RULE:[1:$1](^.*$)s/A/a/g
RULE:[1:$1](^.*$)s/B/b/g
...
RULE:[1:$1](^.*$)s/Z/z/g
DEFAULT
}
}
Which of these is the proper way to write the rule?
Spike
I am a Linux admin, attempting to authenticate against several large installed AD forests.
Or rather, we have been doing this for years, I'm just exploring some of the nuances of SSH's GSSAPI-based SSO.
All of our default principal names are in camel-case. For example:
Spike...@AMER.EXAMPLE.COM
Why? I suppose because the Windows admins that originally set up these AD forest liked camel-case and Windows is case-insenstive (for principal name.)
Not so Linux. This breaks SSO, as all Linux logins are lower case.
I can create a .k5login file under my home dir as so:
Spike...@AMER.EXAMPLE.COM
and that allows me to SSO to my 'spike_white' account. But instead of requiring a .k5login for every Linux user on every Linux server, I'd prefer to use /etc/krb5.conf auth_to_local rules to convert from uppercase to lower case.
That is, I'd prefer for krb5_kuserok() to match against spike...@AMER.EXAMPLE.COM, instead of the principal name (found in the client-supplied KRB5 TGT) of Spike...@AMER.EXAMPLE.COM.
The problem is I'm unsure of the auth_to_local rules syntax. To convert from upper case to lower case.
If this were sed-like syntax, I'd do:
[realms]
AMER.EXAMPLE.COM = {
auth_to_local = {
RULE:[1:$1](^.*$)s/\(.*\)/\L\1/
DEFAULT
}
}
If this were tr-like syntax I could do:
[realms]
AMER.EXAMPLE.COM = {
auth_to_local = {
RULE:[1:$1](^.*$)s/[A-Z]/[a-z]/g
DEFAULT
}
}
Yet another possibility would be to write 26 sequentially rules:
[realms]
AMER.EXAMPLE.COM = {
auth_to_local = {
RULE:[1:$1](^.*$)s/A/a/g
RULE:[1:$1](^.*$)s/B/b/g
...
RULE:[1:$1](^.*$)s/Z/z/g
DEFAULT
}
}
Which of these is the proper way to write the rule?
Spike
Message has been deleted
dant...@gmail.com
Mar 31, 2015, 11:03:13 AM3/31/15
to
Ever figure this out? I'm trying to do the same thing.
Message has been deleted
ken.s...@omes.ok.gov
Dec 5, 2016, 7:28:28 PM12/5/16
to
Try coding something like the following depending on your domain name:
[libdefaults]
default_realm = AMER.EXAMPLE.COM
[realms]
AMER.EXAMPLE.COM = {
auth_to_local = RULE:[1:$0\$1](AMER.EXAMPLE.COM\\.*)s/A/a/g s/B/b/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/amer.example.com/AMER/
}
auth_to_local = RULE:[1:$0\$1](ASIA.EXAMPLE.COM\\.*)s/A/a/g s/B/b/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/asia.example.com/ASIA/
}
I also am adding code to show how to support multiple domains that have trusts between them. In this example there must be a trust between realm AMER.EXAMPLE.COM and realm ASIA.EXAMPLE.COM (domain ASIA).
If you are not prefixing your userid with a domain name like AMER\userid then you could simply code
[realms]
AMER.EXAMPLE.COM = = {
auth_to_local = RULE:[1:$0\$1](AMER.EXAMPLE.COM\\.*)s/A/a/g s/B/b/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/amer.example.com\\//
}
Ken
[libdefaults]
default_realm = AMER.EXAMPLE.COM
[realms]
AMER.EXAMPLE.COM = {
auth_to_local = RULE:[1:$0\$1](AMER.EXAMPLE.COM\\.*)s/A/a/g s/B/b/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/amer.example.com/AMER/
}
auth_to_local = RULE:[1:$0\$1](ASIA.EXAMPLE.COM\\.*)s/A/a/g s/B/b/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/asia.example.com/ASIA/
}
I also am adding code to show how to support multiple domains that have trusts between them. In this example there must be a trust between realm AMER.EXAMPLE.COM and realm ASIA.EXAMPLE.COM (domain ASIA).
If you are not prefixing your userid with a domain name like AMER\userid then you could simply code
[realms]
AMER.EXAMPLE.COM = = {
auth_to_local = RULE:[1:$0\$1](AMER.EXAMPLE.COM\\.*)s/A/a/g s/B/b/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/amer.example.com\\//
}
Ken
Spike White
Oct 13, 2017, 12:49:03 PM10/13/17
to
Apparently in Cloudera's implementation of Kerberos, you can do an auth_to_local syntax like this:
RULE[2:$1@$0](.*@\QAPAC.DELL.COM\E$)s/@\QAPAC.DELL.COM\E$//L
The magic is the '/L' on the end. Hortonworks has a similar syntax:
https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html
What the above is doing is stripping off any '@APAC.DELL.COM' from the end and converting the resulting local name to lower case.
Similarly, I should be able to do this for simple names:
[realms]
AMER.DELL.COM = {
auth_to_local = RULE:[1:$1]s/(.*)/$1//L
auth_to_local = DEFAULT
}
However, it's unclear to me if /L is std MIT Kerberos, or extensions added by Hadoop.
Spike
RULE[2:$1@$0](.*@\QAPAC.DELL.COM\E$)s/@\QAPAC.DELL.COM\E$//L
The magic is the '/L' on the end. Hortonworks has a similar syntax:
https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html
What the above is doing is stripping off any '@APAC.DELL.COM' from the end and converting the resulting local name to lower case.
Similarly, I should be able to do this for simple names:
[realms]
AMER.DELL.COM = {
auth_to_local = RULE:[1:$1]s/(.*)/$1//L
auth_to_local = DEFAULT
}
However, it's unclear to me if /L is std MIT Kerberos, or extensions added by Hadoop.
Spike
0 new messages