README.winbind
Winbind makes users who are members of a domain appear to be normal users, with the domain name frequently included as a prefix of the user name. Kerberos doesn't handle this perfectly. Specifically, for a user named tester in domain TEST and realm TEST.EXAMPLE.COM, we have two names. Kerberos principal name (userPrincipalName): tester@TEST.EXAMPLE.COM Winbind/POSIX user name: TEST\tester For certain internal functions (such as access control checking using a user's .k5login file), the library will need to convert a principal name to a user name. This is controlled by the 'auth_to_local_names' and 'auth_to_local' configuration settings for the default realm in /krb5.conf. One such mapping would look like: [libdefaults] default_relam = TEST.EXAMPLE.COM [realms] TEST.EXAMPLE.COM = { auth_to_local = RULE:[1:$0\$1](TEST\.EXAMPLE\.COM\\.*)s/TEST\.EXAMPLE\.COM/TEST/g auth_to_local = DEFAULT } The argument to RULE: is the concatentation of: * An optional input formulation "[" number-of-components ":" template "]" Where number-of-components is the number of instance parts + 1, and the template mixes literal text with portions of the principal name ($1 is the root part, $2 is the first instance, $3 the second, etc., $0 the realm in MIT krb5 1.3.4 and later). * An optional regex If specified, the formulated string must match this regexp for this rule to be applied. * An optional sed expression "s/" matchexp "/" output "/" ["g"] The DEFAULT rule more or less equates to RULE:[1:$1] and must be explicitly listed to benefit from its effects if any RULEs are specified. This solves one problem, but pam_krb5 needs some way to convert a user name which is provided by PAM into a principal name, and there is no configurable way to do this using the Kerberos libraries. To support this, pam_krb5 has a "mappings" configuration directive which can be used to map a user name to a principal name. The directive takes pairs of arguments (regexps and output specifiers). A specifier can refer to a substring matched in its regexp by specifying a "$" and the relative location of the substring in the regexp. [appdefaults] pam = { mappings = ^TEST\\(.*)$ $1@TEST.EXAMPLE.COM }