Douglas E. Engert wrote:



Priit Randla wrote:

Douglas E. Engert wrote:

do you have a .k5login file in the home directory on srv1.bbb
which has
[EMAIL PROTECTED]


Well, of course I didn't. When I created it, I could log in using both telnet and openssh. Thank you,
I haven't used .rlogin-alikes for a long time now...
But certainly there is another way to do that; I mean, as I have lots of workstations and
servers (~1000) to log on to, there should be another way to maintain cross-realm trust, shouldn't there?


Yes and no. The .k5login is really authorization; it is the ACL for
access to the user account on the host. By default it is assumed that
users in the same realm as the server have matching local account names
and principal names, and thus no .k5login is needed.

If you want some default other than this, you have to consider
the policies used with the two realms, i.e. a user in one is equivalent
to a user in the other, etc.


To create .k5login files for every account on every host doesn't seem like an elegant solution?
Hopefully I'm overlooking something trivial; could you please enlighten me? I really don't know...


With MIT see the auth_to_local rule in the krb5.conf:

http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4/doc/krb5-admin.html#krb5.conf


It's something like this; better test it:

[realms]
ONE.EYP.EE = {
...
# The archived post shows [EMAIL PROTECTED] where the MIT RULE tokens
# "$1@$0" and "(.*@TWO.EYP.EE)" stood; they are restored here.
auth_to_local = RULE:[1:$1@$0](.*@TWO.EYP.EE)s/@TWO.EYP.EE//
auth_to_local = DEFAULT
}
TWO.EYP.EE = {
...
}


This would say that the host in realm ONE.EYP.EE would accept a
principal from realm TWO.EYP.EE as long as the user part of the principal
matched the local account.

Not sure if Heimdal has anything similar.


Thank you very much, auth_to_local really got me going.
Heimdal doesn't seem to have auth_to_local; I had to use 'default_realm = BBB AAA' there
for openssh to let users with [EMAIL PROTECTED] in.
Currently 'almost' all seems to work as expected - I'm so far unable to get openssh with pam on Heimdal
to save the obtained TGT with flags intact - the TGT gets written but without any flags. I think it's got something
to do with SuSE, as doing openssh the other way (from SuSE (Heimdal) to RedHat (MIT)) the TGT gets saved with
all required flags intact.


Regards,
Priit
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

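To see what the auth_to_local rule in Douglas's reply actually authorizes, here is an added example (not from the thread or from MIT krb5) that models the RULE:[n:string](regexp)s/pat/rep/ and DEFAULT semantics in Python and runs the rule over a few constructed principals. The rule text assumes the archive's [EMAIL PROTECTED] tokens stood for $1@$0 and (.*@TWO.EYP.EE); the realm names and user names are constructed.

```python
import re

# Constructed sample (not from the list post): Douglas's rule, with the tokens
# the archive replaced by [EMAIL PROTECTED] assumed to be "$1@$0" and "(.*@TWO.EYP.EE)".
CROSS_REALM_RULE = "RULE:[1:$1@$0](.*@TWO.EYP.EE)s/@TWO.EYP.EE//"
_RULE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(s/.*)?$")
_SUBST = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")

def split_principal(principal):
    """Return ([components], realm) for a principal like 'a/b@REALM'."""
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal!r}")
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rule(rule, principal):
    """Apply one RULE entry (modelled on MIT's syntax); None means 'no match'."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    ncomp, fmt, selector, subs = m.groups()
    comps, realm = split_principal(principal)
    if len(comps) != int(ncomp):      # n must equal the number of components
        return None
    parts = [realm] + comps           # $0 is the realm, $1.. the components
    text = re.sub(r"\$(\d+)", lambda g: parts[int(g.group(1))], fmt)
    if selector is not None and re.fullmatch(selector, text) is None:
        return None                   # selector regexp must match the whole string
    for pat, rep, glob in _SUBST.findall(subs or ""):
        text = re.sub(pat, rep, text, count=0 if glob else 1)
    return text

def map_principal(rules, principal, local_realm):
    """Walk auth_to_local entries in order; None means no local name (access denied)."""
    for rule in rules:
        if rule == "DEFAULT":         # one-component principal in our own realm only
            comps, realm = split_principal(principal)
            if realm == local_realm and len(comps) == 1:
                return comps[0]
            continue
        mapped = apply_rule(rule, principal)
        if mapped is not None:
            return mapped
    return None

if __name__ == "__main__":
    for p in ("priit@TWO.EYP.EE", "priit@ONE.EYP.EE", "priit/admin@TWO.EYP.EE", "priit@THREE.EYP.EE"):
        print(f"{p:26} -> {map_principal([CROSS_REALM_RULE, 'DEFAULT'], p, 'ONE.EYP.EE')}")
```

The output makes Douglas's caveat concrete: every single-component principal in TWO.EYP.EE, root included, is mapped onto the same-named local account, so the rule only makes sense if the two realms share a naming policy.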