Linux SSO for multiple windows domains


I have successfully implemented SSO on Apache for Windows users in the same AD domain that the Apache server is in:
AD domain =
Linux server =

I set the KrbLocalUserMapping to ON in httpd.conf, as the application the users are logging into needs the part of the username to be stripped.

Now I want to enable the users from the branch offices to log in to the application as well, but they come from a different domain = Both domains are in a trusted relationship.

When users from try to log in they get “Internal Server Error” and the Apache error log says “krb5_aname_to_localname() found no mapping for principal”.

My guess is that users coming from the subdomain are not getting the domain part of the username stripped.

What do I need to change and where (probably krb5.conf?). Do I need to generate a separate keytab for the branches subdomain?

Also, since it is a production server which I cannot arbitrarily restart, what services do I need to restart after changing things in the krb5.conf?

I’ve just hit the same issue as you, and thanks to this thread here, I’ve found the answer!

After turning on a second (trusted) realm in my mod_auth_kerb settings, and putting the right stuff in the keytab, if I tried to sign on with a user from the second domain I was getting errors in the httpd log like:

[auth_kerb:notice] [pid 1234] [client X.X.X.X:12345] krb5_aname_to_localname() found no mapping for principal user@BRANCHES.EXAMPLE.COM

The good news is, I’ve solved it! Details below.

Firstly, in your Apache HTTPD config, you want something like:

# Use this one for both Examples and Branches together
KrbAuthRealms EXAMPLE.COM BRANCHES.EXAMPLE.COM

# Strip the realm from the username
KrbLocalUserMapping On

That tells mod_auth_kerb to accept users from either the main domain realm or the branches one, and strip off the realm from the username. That means that goes to admin, while goes to guest.

Next, assuming MIT Kerberos, you need to edit your /etc/krb5.conf file and tell it how to map principals into usernames. For various historic reasons, this isn’t done in a libdefaults section as you might expect. It’s also not done in a per-realm section either, which caught me out. Instead, it’s done with auth_to_local entries in the [realms] section, under the default realm.

By default, the krb5_aname_to_localname() libkrb5 function will remove the realm from the default realm, and leave it there otherwise. So, we have to add an entry to tell it to strip the realm from the branches realm as well. (More complex rules are also possible, see the krb5.conf man page for more)

So, we’d want our config to be something like this:

[libdefaults]
  default_realm = EXAMPLE.COM

[realms]
  EXAMPLE.COM = {
     kdc =
     admin_server =
     auth_to_local = RULE:[1:$1@$0](^.*@BRANCHES.EXAMPLE.COM)s/@.*//
     auth_to_local = DEFAULT
  }
  BRANCHES.EXAMPLE.COM = {
     kdc =
     admin_server =
  }

Note how the BRANCHES.EXAMPLE.COM mapping rule doesn’t live in its realm, but in the main EXAMPLE.COM realm, which is the default realm.

Also, since it is a production server which I cannot arbitrarily restart, what services do i need to restart after changing things in the krb5.conf?

Just the Apache HTTPD service needs restarting after changes.
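To make the auth_to_local behaviour in that answer concrete, here is a small evaluator for the two entry forms the krb5.conf above uses (RULE:[n:string](regexp)s/pattern/replacement/[g] and DEFAULT). It is an added example, not the page's or libkrb5's own code; it assumes Python's re is close enough to the POSIX extended regexps libkrb5 uses for these simple patterns, and it reproduces the "found no mapping" outcome as None.

```python
import re
from typing import List, Optional

# Parses RULE:[n:string](regexp)s/pattern/replacement/[g]; the selector and
# substitution parts are both optional, as in krb5.conf.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?$")


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Local name this entry yields for principal, or None if the entry does not apply."""
    name, realm = principal.rsplit("@", 1)
    if rule == "DEFAULT":
        # libkrb5's built-in behaviour: strip the realm only for a single-component
        # principal in the default realm; anything else stays unmapped.
        return name if realm == default_realm and "/" not in name else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported auth_to_local entry: {rule}")
    ncomp, fmt, selector, pat, repl, flag = m.groups()
    comps = name.split("/")
    if len(comps) != int(ncomp):
        return None  # the rule only applies to principals with exactly n components
    # Build the candidate string: $0 is the realm, $1..$n the principal components.
    candidate = re.sub(r"\$(\d+)",
                       lambda x: realm if x.group(1) == "0" else comps[int(x.group(1)) - 1], fmt)
    # The selector is searched, not anchored, so the page's rule relies on its own ^.
    if selector and not re.search(selector, candidate):
        return None
    if pat is not None:
        candidate = re.sub(pat, repl, candidate, count=0 if flag == "g" else 1)
    return candidate or None


def aname_to_localname(principal: str, rules: List[str], default_realm: str) -> Optional[str]:
    """First applicable entry wins; None is what httpd logs as 'found no mapping for principal'."""
    for rule in rules:
        mapped = apply_rule(rule, principal, default_realm)
        if mapped is not None:
            return mapped
    return None


# The EXAMPLE.COM realm's entries before and after the fix described on this page.
DEFAULT_REALM = "EXAMPLE.COM"
BEFORE = ["DEFAULT"]
AFTER = ["RULE:[1:$1@$0](^.*@BRANCHES.EXAMPLE.COM)s/@.*//", "DEFAULT"]

if __name__ == "__main__":
    # UNTRUSTED.EXAMPLE.COM is a constructed realm that no rule covers.
    for p in ("admin@EXAMPLE.COM", "guest@BRANCHES.EXAMPLE.COM", "someone@UNTRUSTED.EXAMPLE.COM"):
        print(p, "before:", aname_to_localname(p, BEFORE, DEFAULT_REALM),
              "after:", aname_to_localname(p, AFTER, DEFAULT_REALM))
```

Note that the dots in the page's selector are unescaped, so it is a wildcard match on the realm text; a realm from a third trust that the rule does not name still ends up unmapped rather than silently accepted.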

Just to add on to @Gragravarr’s answer (which works very well, thanks a lot!): if you had a KrbServiceName PROTOCOL/domain.of.your.service instruction in your Apache configuration, you will need to replace it with KrbServiceName Any (otherwise you will get an error, because Kerb/Apache will check your ServiceName against each Realm…).
