I am attempting to translate "local login names" to a specific Kerberos principal name. On the Kerberos server, principals for the users are stored in the format of: <username>/<group>@<REALM>.
For example, I would like the login name testUser1 to be translated to the principal name: testUser1/Admins@HOME.COM
The reason I would like to use this format is so that I can enforce Kerberos access control for users part of specific groups via the kadm5.acl file. Only users within the Admins group should be authorized to create Kerberos principals.
The system is comprised of 3 separate servers: KRB-Server (krb-server.home.com), SSH-Server (ssh-server.home.com), and LDAP-Server (ldap-server.home.com). All servers are running Ubuntu 16.04. The KRB-Server is running KRB5 1.16-2 from the zodops/ubuntu-backports repository. The SSH-Server is using SSSD to enable authentication/authorization using the Kerberos authentication server and the LDAP identity/authorization server.
I have attempted to perform local user name to Kerberos principal mappings using rules defined in the auth_to_local option.
RULE:[2:$1/$2@$0](.*\/Admins@HOME\.COM)s/\/Admins@HOME\.COM//
From what I understand the first section of the rule:
[2:$1/$2@$0]
will match the Kerberos principals with two components and translate them to the format <first component>/<second component>@<realm>
The next section (.*/Admins@HOME.COM) will match the result of the first section and proceed to the third and final replacement expression section, which will remove the second component and realm from the principal name.
s/\/Admins@HOME\.COM//
This should translate the Kerberos principal name "testUser1/Admins@HOME.COM" to the local login name "testUser1". However, this configuration does not appear to be taking effect.
The configuration files are as follows:
/etc/krb5.conf on krb-server.home.com
[libdefaults]
default_realm = HOME.COM
[realms]
HOME.COM = {
kdc = krb-server.home.com
admin_server = krb-server.home.com
master_kdc = krb-server.home.com
default_domain = home.com
database_module = openldap_ldapconf
auth_to_local = RULE:[2:$1/$2@$0](.*\/Admins@HOME\.COM)s/\/Admins@HOME\.COM//
auth_to_local = DEFAULT
}
[domain_realm]
.home.com = HOME.COM
[dbdefaults]
ldap_kerberos_container_dn = cn=krb5,dc=home,dc=com
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_sasl_mech = EXTERNAL
ldap_kadmind_sasl_mech = EXTERNAL
ldap_servers = ldaps://ldap-server.home.com
ldap_conns_per_server = 5
}
[logging]
admin_server = FILE:/var/log/krb-admin-server.log
kdc = FILE:/var/log/kdc.log
default = FILE:/var/log/default-kdc.log
/etc/krb5.conf on ssh-server.home.com
[libdefaults]
default_realm = HOME.COM
[realms]
HOME.COM = {
kdc = krb-server.home.com
admin_server = krb-server.home.com
master_kdc = krb-server.home.com
default_domain = home.com
auth_to_local = RULE:[2:$1/$2@$0](.*\/Admins@HOME\.COM)s/\/Admins@HOME\.COM//
auth_to_local = DEFAULT
}
[domain_realm]
.home.com = HOME.COM
When attempting to authenticate on the SSH-Server via ssh testUser1@localhost or su -- testUser1, an error is thrown in the Kerberos KDC log file.
CLIENT_NOT_FOUND: testUser1@HOME.COM for krbtgt/HOME.COM@HOME.COM, Client not found in Kerberos database
When I attempt to authenticate to a principal with a single component (testUser1@HOME.COM), the authentication works flawlessly. Unfortunately, I am unable to authenticate to two-component principal names as stated above.
Are my assumptions on the auth_to_local configuration option correct? If so, can anybody shine some light on how to get this configuration to work? If not, what other solutions can I use for this problem?
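An added worked example, not code from the original post and not MIT krb5's own implementation: a small Python model of how an auth_to_local rule list is evaluated, run against the exact rule from the question. It assumes the documented MIT semantics: a RULE:[n:string] only applies to principals with exactly n components, $0 is the realm and $n the nth component, the selection regexp must match the whole formatted string, the s/pattern/replacement/ expressions are applied in order, and the first rule that produces a result wins (DEFAULT maps a single-component principal in the default realm to its first component). The parser is a simplification (the selection regexp may not itself contain a ")" character). What it makes visible is the direction of the mapping: auth_to_local is consulted only when a principal name has to be turned into a local account name, so the rule does map testUser1/Admins@HOME.COM to testUser1, but there is no step in it that turns the login name testUser1 into a two-component principal; the client principal sent to the KDC for that login is still the one the KDC log shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    ncomp: int                      # number of components the principal must have
    fmt: str                        # "$1/$2@$0" style formatting string
    select: Optional[str]           # selection regexp, or None
    subs: List[Tuple[str, str, bool]]  # (pattern, replacement, global?)


def _split_sed(expr: str, i: int) -> Tuple[str, str, bool, int]:
    """Parse one s/pattern/replacement/[g] starting at expr[i]; honour backslash-escaped '/'."""
    if expr[i:i + 2] != "s/":
        raise ValueError("expected s/ at offset %d in %r" % (i, expr))
    parts, cur, j = [], [], i + 2
    while j < len(expr) and len(parts) < 2:
        c = expr[j]
        if c == "\\" and j + 1 < len(expr):
            cur.append(expr[j:j + 2])   # keep the escape for the regexp engine
            j += 2
            continue
        if c == "/":
            parts.append("".join(cur))
            cur = []
            j += 1
            continue
        cur.append(c)
        j += 1
    if len(parts) != 2:
        raise ValueError("malformed substitution in %r" % expr)
    glob = expr[j:j + 1] == "g"
    if glob:
        j += 1
    # the replacement is literal text: drop the escaping backslashes
    return parts[0], re.sub(r"\\(.)", r"\1", parts[1]), glob, j


def parse_rule(text: str):
    """Parse 'DEFAULT' or 'RULE:[n:fmt](regexp)s/pat/repl/...' into a Rule."""
    if text == "DEFAULT":
        return "DEFAULT"
    m = re.match(r"RULE:\[(\d+):([^\]]*)\]", text)
    if not m:
        raise ValueError("unsupported auth_to_local rule: %r" % text)
    ncomp, fmt, i, select = int(m.group(1)), m.group(2), m.end(), None
    if text[i:i + 1] == "(":
        end = text.index(")", i)  # simplification: no ')' inside the selection regexp
        select = text[i + 1:end]
        i = end + 1
    subs = []
    while i < len(text):
        pat, repl, glob, i = _split_sed(text, i)
        subs.append((pat, repl, glob))
    return Rule(ncomp, fmt, select, subs)


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'a/b@REALM' -> (['a', 'b'], 'REALM')."""
    name, at, realm = principal.rpartition("@")
    if not at:
        raise ValueError("principal without realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal: str, default_realm: str) -> Optional[str]:
    """Return the local name this single rule yields for the principal, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    if len(comps) != rule.ncomp:
        return None                      # component count must match exactly
    def expand(m):
        n = int(m.group(1))
        if n > len(comps):
            raise ValueError("$%d refers to a missing component" % n)
        return realm if n == 0 else comps[n - 1]
    s = re.sub(r"\$(\d+)", expand, rule.fmt)
    if rule.select is not None and re.fullmatch(rule.select, s) is None:
        return None                      # selection regexp must match the whole string
    for pat, repl, glob in rule.subs:
        s = re.sub(pat, lambda _m: repl, s, count=0 if glob else 1)
    return s


def map_principal(rules, principal: str, default_realm: str = "HOME.COM") -> Optional[str]:
    """Evaluate the rules in order; the first one that applies decides the local name."""
    for rule in rules:
        out = apply_rule(rule, principal, default_realm)
        if out is not None:
            return out
    return None


# The two auth_to_local lines from the question's krb5.conf, in the order they appear.
RULES = [
    parse_rule(r"RULE:[2:$1/$2@$0](.*\/Admins@HOME\.COM)s/\/Admins@HOME\.COM//"),
    parse_rule("DEFAULT"),
]

if __name__ == "__main__":
    for p in ("testUser1/Admins@HOME.COM", "testUser1@HOME.COM",
              "bob/Users@HOME.COM", "testUser1/Admins@OTHER.COM"):
        print("%-28s -> %r" % (p, map_principal(RULES, p)))
```

Running it shows the two-component Admins principal mapping to testUser1 and the single-component testUser1@HOME.COM mapping via DEFAULT, while a principal in another group or another realm yields no local name at all. Whether a given principal may administer the KDC is decided separately by kadm5.acl's own wildcard matching on the principal name, not by these rules.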