On Sat, Nov 14, 2009 at 02:38:49PM +0000, Markus Moeller wrote:
> What is Sun's take on using a pam_krb5 option to allow login from
> multiple domains like Russ's pam_krb5 module with the realm option?

My take is this:

 - PAM deals with _usernames_, i.e., PAM_USER must be a username, not a
   principal name
 - Solaris does support usernames of the form name@domain, via nss_ad(5)
   and ID mapping
    - however, currently this is limited to AD users
    - cross-Unix domain ID mapping is theoretically feasible (I've
      blogged about this)
    - (support is limited in nss_ad(5), and this is, for now, fatal --
      nss_ad(5) would need enhancements)
 - PAM modules need to learn about name@domain and do the Right Thing
    - for pam_krb5 this means finding the realm name corresponding to the
      given domain name, building a user principal as name@REALM, doing
      authentication as usual, and... some module should probably exist
      to apply additional authorization checks (e.g., "no users from
      domain A allowed here")
    - for pam_ldap that may mean finding the DN of the user and the
      location of the posixAccount object with that DN and proceeding as
      usual (see above)
    - for pam_unix that may mean "sorry, no @domain supported,
      PAM_IGNORE (or some PAM error?)"
 - there's a variety of places where we need to be careful to either
   enable the use of ephemeral IDs or ensure that ephemeral IDs don't
   break things:
    - e.g., /var/lastlog

> I have a setup where we have a Windows forest with two domains which
> trust each other. We can configure Kerberos-enabled applications to
> accept (e.g. ssh) users from either domain (using auth_to_local). But
> we also have applications which just use PAM, and I would like users
> from either domain to be able to log in. With Russ's module I can stack
> two pam_krb5 lines with two different realms.

You're using AD, so you're part of the way there.

> Are there other ways to achieve this? Does Sun support user@domain as
> userid, which would be possible if the general username length weren't
> limited to 12 (I think)?

For ID mapping purposes we support them.

We use sAMAccountName for the canonical AD username, so you're limited
to 20 characters (bytes) for the name part (for the domain part DNS
limits apply). In other places the username length limits vary, and
they ought to all be fixed, really.

Nico
--
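The pam_krb5 step Nico sketches (split PAM_USER at '@', find the realm for the domain, build name@REALM, then apply a separate per-domain authorization check) is shown below as an added example. It is not Solaris, nss_ad(5) or Russ's pam_krb5 code; the domain-to-realm table, the DEFAULT_REALM value, the allow/deny policy and the function names are assumptions constructed for illustration. The 20-character limit on the name part comes from the sAMAccountName remark above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed domain -> realm table (an assumption for this example,
 * not Solaris or pam_krb5 configuration). */
struct domain_realm {
    const char *domain;  /* DNS domain the user typed after '@' */
    const char *realm;   /* Kerberos realm for that domain */
    int allowed;         /* local policy: may users from this domain log in here? */
};

static const struct domain_realm DOMAIN_MAP[] = {
    { "corp.example.com", "CORP.EXAMPLE.COM", 1 },
    { "lab.example.com",  "LAB.EXAMPLE.COM",  0 }, /* "no users from domain A allowed here" */
};

#define DEFAULT_REALM "CORP.EXAMPLE.COM" /* assumed realm for bare usernames */
#define MAX_NAME_LEN  20                 /* sAMAccountName limit mentioned in the thread */

enum map_result {
    MAP_OK = 0,         /* principal built and user permitted */
    MAP_BAD_USERNAME,   /* malformed PAM_USER: empty part, second '@', too long */
    MAP_UNKNOWN_DOMAIN, /* no realm known for the domain part */
    MAP_DOMAIN_DENIED   /* realm known, but local policy refuses this domain */
};

/* DNS names are case-insensitive, so compare the domain part that way. */
static int dns_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Map a PAM_USER of the form "name" or "name@domain" to "name@REALM".
 * On MAP_OK, out holds the principal; on any other result out is unspecified. */
enum map_result map_user_to_principal(const char *user, char *out, size_t outlen)
{
    const char *at = strchr(user, '@');
    size_t namelen = at ? (size_t)(at - user) : strlen(user);
    const char *realm = DEFAULT_REALM;
    int allowed = 1;
    size_t i;

    if (namelen == 0 || namelen > MAX_NAME_LEN)
        return MAP_BAD_USERNAME;

    if (at) {
        const char *domain = at + 1;
        if (*domain == '\0' || strchr(domain, '@') != NULL)
            return MAP_BAD_USERNAME;
        realm = NULL;
        for (i = 0; i < sizeof DOMAIN_MAP / sizeof DOMAIN_MAP[0]; i++) {
            if (dns_equal(domain, DOMAIN_MAP[i].domain)) {
                realm = DOMAIN_MAP[i].realm;
                allowed = DOMAIN_MAP[i].allowed;
                break;
            }
        }
        if (realm == NULL)
            return MAP_UNKNOWN_DOMAIN;
    }

    /* Authorization is a policy decision kept apart from the name mapping. */
    if (!allowed)
        return MAP_DOMAIN_DENIED;

    if (snprintf(out, outlen, "%.*s@%s", (int)namelen, user, realm) >= (int)outlen)
        return MAP_BAD_USERNAME;
    return MAP_OK;
}

int main(void)
{
    /* Constructed sample PAM_USER values covering each result. */
    const char *samples[] = { "alice", "bob@Corp.Example.COM", "carol@lab.example.com",
                              "dave@other.example.net", "@corp.example.com" };
    char buf[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum map_result r = map_user_to_principal(samples[i], buf, sizeof buf);
        printf("%-24s -> %s (result %d)\n", samples[i], r == MAP_OK ? buf : "-", (int)r);
    }
    return 0;
}
```

Keeping the deny decision in a result code of its own matters for the pam_unix case Nico raises: a stacked configuration can treat MAP_UNKNOWN_DOMAIN as "not mine, let the next module try" while MAP_DOMAIN_DENIED is a hard refusal that should not fall through.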