| author | Andreas Schneider <asn@samba.org> | 2018-06-15 14:59:00 +0200 |
|---|---|---|
| committer | Andreas Schneider <asn@cryptomilk.org> | 2018-06-21 15:52:02 +0200 |
| commit | 5e89a23ffaceccdc83d70a4ab2798ae25c10d580 (patch) | |
| tree | 1afcb39c8e48f5c01e79e6f4b953f6a108efc94b /WHATSNEW.txt | |
| parent | 47c315551745d624a8bf2eb77c7c829163ac5e9e (diff) | |
| download | samba-5e89a23ffaceccdc83d70a4ab2798ae25c10d580.tar.gz | |
krb5_plugin: Add winbind localauth plugin for MIT Kerberos
Applications (like OpenSSH) don't know about users and
their relationship to Kerberos principals. This plugin allows
Kerberos principals to be validated against local user accounts.
Administrator@WURST.WORLD -> WURST\Administrator
https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/localauth.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13480
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jun 21 15:52:02 CEST 2018 on sn-devel-144
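The commit message describes two things a localauth module does: map a principal to a local account name (the `Administrator@WURST.WORLD -> WURST\Administrator` example above) and answer whether a given principal and local name belong together. The following is an added illustration of that logic, not Samba's plugin and not MIT's API: it models the two callbacks in plain Python with a constructed realm-to-domain table standing in for what winbind would resolve. The function names `principal_to_local` and `userok`, and the `REALM_TO_DOMAIN` table, are assumptions made for this example.

```python
# Model of a Kerberos localauth check (added example, not Samba or MIT code).
# Two operations are modelled:
#   principal_to_local(): principal -> DOMAIN\user  (an2ln-style mapping)
#   userok():             does local name lname belong to principal? (userok-style)

# Constructed table: Kerberos realm -> short (NetBIOS) domain name.
# In the real plugin winbind resolves this; here it is a stand-in.
REALM_TO_DOMAIN = {
    "WURST.WORLD": "WURST",
    "EXAMPLE.COM": "EXAMPLE",
}


def parse_principal(principal):
    """Split 'name[/instance]@REALM' into (name, realm); None if malformed.

    Realms are compared exactly, since Kerberos realm names are case-sensitive.
    """
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    if not name or not realm:
        return None
    return name, realm


def principal_to_local(principal, realm_map=REALM_TO_DOMAIN):
    """Map a principal to 'DOMAIN\\user', e.g.
    Administrator@WURST.WORLD -> WURST\\Administrator.

    Returns None for malformed principals or realms that are not known,
    so an unknown realm is never silently mapped onto a local account.
    """
    parsed = parse_principal(principal)
    if parsed is None:
        return None
    name, realm = parsed
    domain = realm_map.get(realm)
    if domain is None:
        return None
    return f"{domain}\\{name}"


def userok(principal, lname, realm_map=REALM_TO_DOMAIN):
    """Decide whether local account name lname is allowed for principal.

    The local name may carry a DOMAIN\\ prefix or not. The user part is
    compared case-insensitively, so a login as 'alice' still matches a
    canonicalized samAccountName of 'ALICE'. A mismatching domain prefix
    is rejected even when the user part matches.
    """
    mapped = principal_to_local(principal, realm_map)
    if mapped is None:
        return False
    domain, _, user = mapped.partition("\\")

    if "\\" in lname:
        ldomain, _, luser = lname.partition("\\")
        if ldomain.casefold() != domain.casefold():
            return False
    else:
        luser = lname

    return luser.casefold() == user.casefold()


if __name__ == "__main__":
    # Constructed sample inputs.
    print(principal_to_local("Administrator@WURST.WORLD"))  # WURST\Administrator
    print(userok("ALICE@WURST.WORLD", "alice"))             # True
    print(userok("ALICE@WURST.WORLD", "OTHER\\alice"))      # False
```

The case-insensitive comparison on the user part is the whole point of the plugin as the commit describes it; everything else (realm lookup, domain-prefix handling, refusing unknown realms) is the surrounding plumbing a real module has to get right so that the relaxed comparison cannot be used to match an account in a different domain.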
Diffstat (limited to 'WHATSNEW.txt')
-rw-r--r-- | WHATSNEW.txt | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b9c80cf9d80..2ceacc41995 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -53,6 +53,19 @@ net ads keytab create no longer tries to generate SPN(s) from existing entries in a keytab file. If it is required to add Windows SPN(s) then 'net ads setspn add' should be used instead. +Local authorization plugin for MIT Kerberos +------------------------------------------- + +This plugin controls the relationship between Kerberos principals and AD +accounts through winbind. The module receives the Kerberos principal and the +local account name as inputs and can then check if they match. This can resolve +issues with canonicalized names returned by Kerberos within AD. If the user +tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), +Kerberos would return ALICE as the username. Kerberos would not be able to map +'alice' to 'ALICE' in this case and auth would fail. With this plugin account +names can be correctly mapped. This only applies to GSSAPI authentication, +not for the geting the initial ticket granting ticket. + REMOVED FEATURES ================ |
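Review bot: the last sentence of the added WHATSNEW paragraph has a typo, "not for the geting the initial ticket granting ticket"; it should read "not for getting the initial ticket-granting ticket". While touching that paragraph, it would help administrators to say how the plugin is enabled (the commit message points at the MIT localauth documentation, but the release note itself does not name the module or where it is configured), and "auth would fail" is better spelled out as "authentication would fail" in release notes.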