Linux – REMOTE_USER variable without @DOMAIN suffix

active-directorylinuxsingle-sign-on

I administer an application that enables single sign on with valid AD users and runs on IIS currently.
For performance increase, I have a task to migrate the web layer to Apache/Php on Linux.

I have an AD on Win2012 Server and Apache on CentOS.
I have successfully joined the domain (TEST.COM), and can login to centos with windows user accounts.

I have also configured Kerberos and Samba and the SSO works, with one problem.

The users from AD are imported into the application without the domain name prefix/suffix.
So, if my user is TEST\myUser in the AD, in the application the user is just myUser.

The application reads the username from REMOTE_USER variable, but the username is appended with the @DOMAIN string resulting in full username being myUser@TEST.COM. Naturally the application thinks it is not a valid user, since it expects it to be just myUSer. If I add a new user in the application called myUser@TEST.COM, then SSO works fine.

Is there a way to discard the @DOMAIN attribute in REMOTE_USER variable?
How would you do it and which files need to be configured?

Best Answer

mod_auth_kerb is Kerberos-specific: it implements Kerberos authentication via HTTP Negotiate. In the REMOTE_USER environment variable, it therefore reports the Kerberos identification ("principal name") of the authenticated client. Kerberos principal names are written foo/bar/baz/...@REALM; the leading components are called "instances" (one most often sees only one or two), and the "realm" is a trust domain within the Kerberos system, a built-in federation mechanism. In AD, the Kerberos realm is the same as the AD "domain" name, in upper case.

mod_auth_kerb (a new enough version) has a feature called KrbLocalUserMapping. This calls the Kerberos library function krb5_aname_to_localname() to translate a principal name to a "local name;" that is, something meaningful on the local host. What this function does depends on the Kerberos implementation. In MIT Kerberos, you can customize the mapping with "auth_to_local" rules in krb5.conf. The default rule just translates foo@[default realm] -> foo, which is sufficient in simple situations in which there's a single realm and your usernames are the same as your Kerberos principal names. However, you might want more complex rules. For example, we have a convention whereby Windows administrators have a "user-admin" account with domain administrator rights, in addition to their "user" accounts. When logged into their "admin" accounts, they would get rejected when going to authenticated web services running on Unix, since "user-admin" was not recognized. We just added a mapping so that user-admin@REALM gets mapped to "user" just as user@REALM does, and this was immediately fixed transparently for all web apps. The other nice thing about doing it this way is that it works for any kerberized service which uses krb5_aname_to_localname(), as opposed to doing it with mod_map_user which would only apply to Apache.

Some people suggested just blanket mapping all user@REALM names to "user", regardless of the realm (this is what the suggested mod_map_user solution would do). Note that this is a potential security problem: if you have multiple Kerberos realms connected by cross-realm trust, then the realm portion becomes meaningful; it is part of the user identification. If you just strip it, that means an administrator in another realm can impersonate a local user to Apache just by creating an account with the same name.

Related Topic