REMOTE_USER variable without @DOMAIN suffix


Solution 1

mod_auth_kerb is Kerberos-specific: it implements Kerberos authentication via HTTP Negotiate. In the REMOTE_USER environment variable, it therefore reports the Kerberos identification ("principal name") of the authenticated client. Kerberos principal names are written foo/bar/baz/...@REALM; the leading components are called "instances" (one most often sees only one or two), and the "realm" is a trust domain within the Kerberos system, a built-in federation mechanism. In AD, the Kerberos realm is the same as the AD "domain" name, in upper case.

mod_auth_kerb (a new enough version) has a feature called KrbLocalUserMapping. This calls the Kerberos library function krb5_aname_to_localname() to translate a principal name to a "local name;" that is, something meaningful on the local host. What this function does depends on the Kerberos implementation. In MIT Kerberos, you can customize the mapping with "auth_to_local" rules in krb5.conf. The default rule just translates foo@[default realm] -> foo, which is sufficient in simple situations in which there's a single realm and your usernames are the same as your Kerberos principal names. However, you might want more complex rules. For example, we have a convention whereby Windows administrators have a "user-admin" account with domain administrator rights, in addition to their "user" accounts. When logged into their "admin" accounts, they would get rejected when going to authenticated web services running on Unix, since "user-admin" was not recognized. We just added a mapping so that user-admin@REALM gets mapped to "user" just as user@REALM does, and this was immediately fixed transparently for all web apps. The other nice thing about doing it this way is that it works for any kerberized service which uses krb5_aname_to_localname(), as opposed to doing it with mod_map_user which would only apply to Apache.

Some people suggested just blanket mapping all user@REALM names to "user", regardless of the realm (this is what the suggested mod_map_user solution would do). Note that this is a potential security problem: if you have multiple Kerberos realms connected by cross-realm trust, then the realm portion becomes meaningful; it is part of the user identification. If you just strip it, that means an administrator in another realm can impersonate a local user to Apache just by creating an account with the same name.
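The difference between the realm-aware mapping and the blanket realm stripping described in Solution 1, as an added example that is not part of the original answer and not MIT Kerberos code: a simplified Python model of a subset of the auth_to_local rule syntax (`RULE:[n:fmt](regex)s/pat/repl/` and `DEFAULT`). The realm names EXAMPLE.COM and OTHER.EXAMPLE, the principals and the rule sets are constructed for illustration.

```python
import re

DEFAULT_REALM = "EXAMPLE.COM"  # constructed realm name (assumption)

# Subset of the MIT rule syntax: RULE:[n:fmt](regex)s/pat/repl/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

# Realm-aware: fold user-admin@EXAMPLE.COM into "user", then the default rule.
REALM_AWARE = [
    r"RULE:[1:$1@$0](^[a-z]+-admin@EXAMPLE\.COM$)s/-admin@EXAMPLE\.COM$//",
    "DEFAULT",
]
# Blanket strip: drop the realm from every principal, whatever realm it names.
BLANKET_STRIP = [r"RULE:[1:$1@$0](^.*$)s/@.*$//"]


def aname_to_localname(principal, rules, default_realm=DEFAULT_REALM):
    """Model of principal -> local name mapping; None means 'no mapping'."""
    if "@" not in principal:
        return None
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # Default rule: single component in the default realm only.
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: " + rule)
        n, fmt, regex, pat, repl, gflag = m.groups()
        if len(comps) != int(n):
            continue  # rule only applies to principals with n components
        parts = [realm] + comps  # $0 is the realm, $1..$n the components
        s = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
        if regex is not None and not re.fullmatch(regex, s):
            continue
        if pat is not None:
            s = re.sub(pat, repl, s, count=0 if gflag else 1)
        return s
    return None


if __name__ == "__main__":
    for p in ("alice@EXAMPLE.COM", "alice-admin@EXAMPLE.COM", "alice@OTHER.EXAMPLE"):
        print(p, aname_to_localname(p, REALM_AWARE), aname_to_localname(p, BLANKET_STRIP))
```

With the realm-aware rules, a principal from a trusted foreign realm gets no local name and is therefore not accepted as the local user; with the blanket strip it maps to the same local name as the local account.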

Solution 2

I have recently successfully implemented something similar in a local network environment using https://github.com/Legrandin/PyAuthenNTLM2 and the ntlmv2 headers which are provided by the web browser(s).

It uses mod_python instead of having samba installed as an additional package.

Hope this helps

Author: Hiken No Ace

Updated on September 18, 2022

Comments

  • Hiken No Ace
    Hiken No Ace over 1 year

    I am trying to make a basic hangman game and here is my state :

    static defaultProps = {
        maxTries: 6,// maximum incorrect tries 
        imgs: [jpg0, jpg1, jpg2, jpg3, jpg4, jpg5, jpg6], //images changing through incorrect guesses
        words: [
          "donkey",
          "apple",
          "money",
          "drink",
          "sleep",
          "legend",
          "achievement"
        ]// list of words to be picked randomly
      };
     this.state = {
          guessesNum: 0,//saves number of incorrect guesses
          answer: "",//
          guessed: [],//adds characters user typed if the answer contains
          gameOver: false // checks if game is over 
        };
    

    I have created a method gameSetup which will pick a random word from the array of words and set the answer also guessed in beginning is _ _ _ _ _ _ so when user makes a correct guess it is replaced

     componentDidMount() {
        this.gameSetup();
      }
      gameSetup = () => {
        let word = this.props.words[
          Math.floor(Math.random() * this.props.words.length)
        ];
        console.log(word);
        let guessedArray = [];
        for (let i = 0; i < word.length; i++) {
          guessedArray.push("_");
        }
        this.setState(st => {
          return { answer: word, guessed: guessedArray };
        });
      };
    

    The problem is when user is making guesses, let's say the answer is apple
    and the guessed array becomes ['a','p','p','l','e']; and I am checking if

    guessed.join('')===answer then gameOver:true
    

    but even if they are the same game over is being changed to true only on next try , because it is checking the if condition before actually setState has finished since it is asynchronous

    This is how I am updating the state

    userGuess = char => {
        let indexes = [];
        for (let i = 0; i < this.state.answer.length; i++) {
          if (this.state.answer[i] === char) {
            indexes.push(i);
          }
        }
        if (indexes.length === 0) {
          this.setState(st => {
            return { guessesNum: st.guessesNum + 1 };
          });
        } else {
          indexes.forEach(ind => {
            this.setState(st => {
              return { guessed: this.updateArray(st.guessed, ind, char) };
            });
          });
        }
        if (this.state.guessed.join("") === this.state.answer) {
          this.setState({ gameOver: true });
        }
      };
    

    This is a method to update array

      updateArray = (array, index, value) => {
        array[index] = value;
        return array;
      };
    

    How can I make it ask the condition only after the state is updated ?

    Here is the JSX

    render() {
        return (
          <div>
            <img src={this.props.imgs[this.state.guessesNum]} alt="0" />
            <div
              style={{
                display: "flex",
                width: "10%",
                justifyContent: "space-evenly",
                margin: "0 auto"
              }}
            >
              {this.state.guessed.map((char, index) => {
                return <p key={index}>{char}</p>;
              })}
            </div>
            <div className="letters">
              <Button guess={this.userGuess} />
            </div>
          </div>
        );
      }
    

    And this is the Button component (actually it holds all Buttons)

    import React, { Component } from "react";
    
    export default class Button extends Component {
      handleGuess = e => {
        this.props.guess(e.target.textContent);
      };
      render() {
        return (
          <div>
            <button onClick={this.handleGuess}>a</button>
            <button onClick={this.handleGuess}>b</button>
            <button onClick={this.handleGuess}>c</button>
            <button onClick={this.handleGuess}>d</button>
            <button onClick={this.handleGuess}>e</button>
            <button onClick={this.handleGuess}>f</button>
            <button onClick={this.handleGuess}>g</button>
            <button onClick={this.handleGuess}>h</button>
            <button onClick={this.handleGuess}>i</button>
            <button onClick={this.handleGuess}>j</button>
            <button onClick={this.handleGuess}>k</button>
            <button onClick={this.handleGuess}>l</button>
            <button onClick={this.handleGuess}>m</button>
            <button onClick={this.handleGuess}>n</button>
            <button onClick={this.handleGuess}>o</button>
            <button onClick={this.handleGuess}>p</button>
            <button onClick={this.handleGuess}>q</button>
            <button onClick={this.handleGuess}>r</button>
            <button onClick={this.handleGuess}>s</button>
            <button onClick={this.handleGuess}>t</button>
            <button onClick={this.handleGuess}>u</button>
            <button onClick={this.handleGuess}>v</button>
            <button onClick={this.handleGuess}>w</button>
            <button onClick={this.handleGuess}>x</button>
            <button onClick={this.handleGuess}>y</button>
            <button onClick={this.handleGuess}>z</button>
          </div>
        );
      }
    }
    
    • Michael Hampton
      Michael Hampton about 10 years
      Exactly what appended the domain to the username?
    • Nebojsa Zivkovic
      Nebojsa Zivkovic about 10 years
      That is what I am also trying to find out :-)
    • Nebojsa Zivkovic
      Nebojsa Zivkovic about 10 years
      The application vendor provides a file called test_sso.php that displays the user with which the browser is trying to login into the app. It displays [email protected].
    • Nebojsa Zivkovic
      Nebojsa Zivkovic about 10 years
      I think it is the web browser that sets this variable but I am not sure. I have been searching the httpd.conf and php.ini for REMOTE_USER directives but can't find any that are active...
    • Eugen Timm
      Eugen Timm over 4 years
      Probably because your array ref doesn't change. In your updateArray method try returning [...array] instead.
    • Hiken No Ace
      Hiken No Ace over 4 years
      @EugenTimm no the array is updating fine , I tried your suggestion but still not working guessed array is ['w','o','r','d'] and answer is word but I have to make another random guess to make the gameOver:true
    • Hiken No Ace
      Hiken No Ace over 4 years
      @EugenTimm actually no , if I make a correct guess it is updating only in next guess
    • Hiken No Ace
      Hiken No Ace over 4 years
      @EugenTimm I found the reason why but I don't know how to fix it. It has to do with setState being asynchronous and it checks the if condition before updating the state, that's the problem. Do you know how I can fix it?
    • goto
      goto over 4 years
      @HikenNoAce What do you mean by "updating only in next guess"? You mean when you select/pick another guess, that's when state is being updated? Also, can you show your JSX as well and what triggers the userGuess action. Ideally, if you could show the entire component with all the relevant code.
    • Hiken No Ace
      Hiken No Ace over 4 years
      @goto1 I posted the JSX. userGuess is passed down as a prop to the Button component, which returns all the buttons with letters, and those buttons trigger userGuess. Saying that it updates on the next guess was wrong because I was console logging and the console log was being executed before setState, so my bad
    • goto
      goto over 4 years
      So what is your issue now?
    • Hiken No Ace
      Hiken No Ace over 4 years
      @goto1 when I check the condition if(guessed.join('')===answer) because setState is async it checks the condition before setState is executed and condition isn't fulfilled
  • Richard E. Silverman
    Richard E. Silverman about 10 years
    It is important to note that these are not the same thing (although they have a similar effect in simple situations), and there is a security problem with the mod_map_user suggestion. See the answer I posted.