+++ This bug was initially created as a clone of Bug #970547 +++
Description of problem:
When you have a web service using normal basic authentication, your logins will look like "alice" and "bob". When you then enable mod_auth_kerb on that httpd server, the logged in user will be "alice@REALM.COM" and "bob@REALM.COM". Which are completely different users in that web application's database so after using SPNEGO, people will not see their data.
It is necessary to use a
directive which is undocumented anywhere in the mod_auth_kerb documentation beyond on line in the Changes file in the mod_auth_kerb-5.4.tar.gz:
*implemented KrbLocalUserMapping i.e. to strip @REALM from username for further use
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Enable mod_auth_kerb and try the user names not to have the @REALM so that it matches the basic authentication.
2. Try to find the documentation.
You will only find KrbLocalUserMapping (which is what you want) on Stack Overflow.
The directive will also be in /usr/share/doc/mod_auth_kerb-5.4/README.
Basically, please amend the README shipped with the module. Of course, getting it to upstream as well (not just Fedora but module's upstream) would be the best.
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release. Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.