From fce0a2c4bc75130e58f1ed0fa18db3382a7b79e4 Mon Sep 17 00:00:00 2001 From: Nancy Gilman Date: Tue, 14 Jun 1994 19:56:31 +0000 Subject: [PATCH] Nancy Gilman's changes for beta 4 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3774 dc483132-0cff-0310-8789-dd5450dbe970 --- src/admin/aname/kdb5_anadd.M | 50 ++++++++++++++++++++++++++---------- 1 file changed, 36 insertions(+), 14 deletions(-) diff --git a/src/admin/aname/kdb5_anadd.M b/src/admin/aname/kdb5_anadd.M index dff7a8cff..d28606d4c 100644 --- a/src/admin/aname/kdb5_anadd.M +++ b/src/admin/aname/kdb5_anadd.M 
@@ -30,30 +30,49 @@ kdb5_anadd \- manipulate aname/lname translation database ] [ .B \-n .I dbname -] pname lname +] kerberos_principal local_name .br .B kdb5_anadd \-d [ .B \-n .I dbname -] pname +] kerberos_principal .br .SH DESCRIPTION .I kdb5_anadd -is a primitive tool for manipulating the authentication name (aname) to -local name (lname) translation database. +is a primitive tool for manipulating a database which maps +kerberos principals into user accounts on the local machine. By +default, Kerberos assumes that a kerberos principal +"username@LOCALREALM" maps into the account "username" on the local +machine. However, this assumption is not always true. + .PP -The first use described above is for entering new translations or -changing existing translations from anames to lnames. -After execution, the function -.IR krb5_aname_to_localname (3) -with its first argument passed as a principal with text representation of -.I pname -will fill in -.I lname -as the translation. +In order accomodate systems which have local usernames which are not the +same as Kerberos principals, the system administrator can use +.I krb5_anadd +to set up mappings between a kerberos name and a local account name. (If +this database is established using +.Ikrb5_anadd, +then Kerberos will not do +the default mapping; you will have to specify each mapping between a +Kerberos principal and username manually). + +.PP +For example, the following mapping can be established by +.Ikrb5_anadd: +"joechen@ATHENA.MIT.EDU" maps to "joe" by using the command: + +.PP +krb5_adadd jochen@ATHENA.MIT.EDU joe + +.PP +After this command, if joechen@ATHENA.MIT.EDU tries to do an +authenticated rlogin to the account "joe" on that machine, the Kerberos +access control mechanism will allow the login, since +joechen@ATHENA.MIT.EDU is considered to be the local user "joe". 
+ .PP -The second use described above is for deleting translations from the +The \fB\-d\fP option deletes translations from the database; after execution the principal named by .I pname will not translate to any local name. @@ -65,5 +84,8 @@ option specifies the name of the database which holds the translation; the default database is DEFAULT_LNAME_FILENAME (usually /krb5/aname). .SH SEE ALSO krb5(3) +krb5_aname_to_localname (3) .SH BUGS The mapping is many-to-one, not many-to-many. + + -- 2.26.2
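Review bot: In the first hunk (@@ -30,30 +30,49 @@) the added example command does not match the mapping it illustrates: the prose says "joechen@ATHENA.MIT.EDU" maps to "joe", but the command reads "krb5_adadd jochen@ATHENA.MIT.EDU joe", which misspells both the program name and the principal. This database decides which Kerberos principal is accepted as which local account, so an administrator copying the line would create a mapping for a different principal than the one the text discusses. Please make the command use kdb5_anadd and joechen@ATHENA.MIT.EDU, and check it against the synopsis form for adding a translation. In the same added text, the tool is called krb5_anadd while the page documents kdb5_anadd; the two lines ".Ikrb5_anadd," and ".Ikrb5_anadd:" need a space after ".I", with the trailing punctuation moved off the macro argument, to be read as the italic macro; "In order accomodate" should read "In order to accommodate"; and the \-d paragraph still refers to ".I pname" although the synopsis now names that argument kerberos_principal.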
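Review bot: In the SEE ALSO hunk (@@ -65,5 +84,8 @@) the new entry "krb5_aname_to_localname (3)" is added on its own line after "krb5(3)" with no separator and with a space before the section number, so the two references will run together when filled and the second will not match the "name(section)" form used by the first. Suggest "krb5(3)," followed by "krb5_aname_to_localname(3)". The hunk also appends two blank lines after the BUGS text at the end of the file; those can be dropped.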