PHP Kerberos Authentication

mod_auth_kerb will handle the actual authentication. After that, it will set the REMOTE_USER and KRB5CCNAME environment variables. Note that there are a few caveats:

• mod_auth_kerb can translate between the primary Kerberos server and the local username if the Krb5AuthToLocal option is enabled.
• If the Krb5AuthToLocal feature is enabled when authentication succeeds, mod_auth_kerb will call the Kerberos library to perform the translation from the authenticated name to the local name, since the core Kerberos principle does not always match the actual user on the operating system (you can map principals to usernames).
• When using MIT Kerberos, this mapping is done using the auth_to_local rules in the / etc / krb 5.conf file, see the krb5.conf man page for more information.
• mod_auth_kerb has a bug where the local name should not have more name than the master itself. This usually applies to principals from the default realm because they are presented without a body, that is, "user" instead of "user @REALM". However, if you have multiple trusted realms, users from non-standard realms will show up as " user@ANOTHER.REALM " and then mod_auth_kerb will worry. This bug should be fixed in Fedora 18+ and RHEL6.5, not sure about Debian as mod_auth_kerb upstream is a bit dead.
• Therefore, your REMOTE_USER variable will contain the name of the main or local Kerberos user, depending on how mod_auth_kerb was configured. If your application relies on the REMOTE_USER value to be a real existing system user, you need to ensure that the Krb5AuthToLocal option is enabled and such users are visible on the system (via winbind or sssd).

In your case, I would recommend doing a great study by Tom McLaughlin: http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/