I'm not sure if this will help, but it looks like Apache will send PHP the username information with the modauthkerbpackage if you use the KrbSaveCredentialsparameter. You should get two global variables in php:

我不确定这是否会有所帮助，但如果您使用该参数，Apache 似乎会使用modauthkerb包向 PHP 发送用户名信息KrbSaveCredentials。你应该在 php 中得到两个全局变量：

 $_SERVER['REMOTE_USER']
 $_SERVER['KRB5CCNAME']

http://archives.postgresql.org/pgsql-admin/2004-08/msg00144.phplooks like they have got this working.

http://archives.postgresql.org/pgsql-admin/2004-08/msg00144.php看起来他们已经开始工作了。

That way if you can see what the user is, it really isn't a requirement that php actually does the authentication.

这样，如果您可以看到用户是什么，那么实际上不需要 php 进行身份验证。

mod_auth_kerb will handle for you actual authentication. After that, it will set REMOTE_USER and KRB5CCNAME environmental variables. Note that there are few caveats:

mod_auth_kerb 将为您处理实际的身份验证。之后，它将设置 REMOTE_USER 和 KRB5CCNAME 环境变量。请注意，有几个警告：

• mod_auth_kerb can do translation between Kerberos principal and local user name if Krb5AuthToLocal option is enabled.
• If Krb5AuthToLocal is enabled, when authentication succeeds, mod_auth_kerb will call Kerberos library to perform translation from an authenticated name to a local name as Kerberos principal is not always the same as actual user in the operating system (you can map principals to usernames).
• When MIT Kerberos is in use, this mapping is performed with the help of auth_to_local rules in /etc/krb5.conf, see krb5.conf manual page for details.
• mod_auth_kerb has a bug that resulting local name should not have longer name than the principal itself. This is usually true for principals from a default realm since they presented without realm part, i.e. 'user' instead of 'user@REALM'. However, if you have several trusted realms, users from non-default realms will be shown as '[email protected]' and then mod_auth_kerb will freak out. This bug should be fixed in Fedora 18+ and RHEL6.5, not sure about Debian since mod_auth_kerb upstream is a bit dead.
• Therefore, your REMOTE_USER variable will contain either Kerberos principal or local user name, depending on how mod_auth_kerb was configured. If your application relies on the fact that REMOTE_USER value must be a real existing system user, you would need to make sure Krb5AuthToLocal option is enabled and such users are visible in the system (through winbind or sssd).

• 如果启用了 Krb5AuthToLocal 选项，mod_auth_kerb 可以在 Kerberos 主体和本地用户名之间进行转换。
• 如果启用了 Krb5AuthToLocal，当身份验证成功时，mod_auth_kerb 将调用 Kerberos 库来执行从经过身份验证的名称到本地名称的转换，因为 Kerberos 主体并不总是与操作系统中的实际用户相同（您可以将主体映射到用户名）。
• 当使用 MIT Kerberos 时，此映射是在 /etc/krb5.conf 中的 auth_to_local 规则的帮助下执行的，有关详细信息，请参阅 krb5.conf 手册页。
• mod_auth_kerb 有一个错误，即生成的本地名称不应具有比主体本身更长的名称。对于来自默认领域的主体，这通常是正确的，因为它们没有领域部分，即“用户”而不是“用户@REALM”。但是，如果您有多个受信任的领域，则来自非默认领域的用户将显示为“[email protected]”，然后 mod_auth_kerb 会吓坏了。这个错误应该在 Fedora 18+ 和 RHEL6.5 中修复，不确定 Debian 因为 mod_auth_kerb 上游有点死。
• 因此，您的 REMOTE_USER 变量将包含 Kerberos 主体或本地用户名，具体取决于 mod_auth_kerb 的配置方式。如果您的应用程序依赖于 REMOTE_USER 值必须是真实存在的系统用户这一事实，则您需要确保启用 Krb5AuthToLocal 选项并且此类用户在系统中可见（通过 winbind 或 sssd）。

For your case I'd recommend to look at excellent how to by Tom McLaughlin: http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/

对于您的情况，我建议您查看 Tom McLaughlin 的优秀方法：http: //blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/