JK (Jesper Agerbo Krogh) wrote:

> Hi All.
>
> We have a setup with several Active Directory domains that individually
> trust each other. Each domain translates into its own Kerberos REALM as far
> as I'm understanding the systems.

Yes.

> But principals are unique across the realms. Thus if [EMAIL PROTECTED]
> exists, then it doesn't exist in the other realms.

By convention, realm names are unique as they are derived from DNS names, so that principal names are also unique. But if you mean the CN or samAccountName in AD in a forest, then these are unique in the forest. Note that the UPN of an AD account does not have to match the CN.

> I'd like to use kerberos for the password lookup in the Linux system
> using pam. This works fine with one "realm" but since the system only
> looks up users in the "default realm" I cannot validate users from the
> other realms.
>
> (This is pam for login on Linux Server/Workstations)

The problem is that PAM is underspecified, expecting the user to give the local user account name and some password. When used with Kerberos, you need the principal, [EMAIL PROTECTED], where user may not match the local user account name.

You could change PAM to prompt for the principal, in addition to the user and password, which is the most general case.

You could also change PAM to accept [EMAIL PROTECTED], then strip off the @realm and reset the pam_user before returning. But some applications that call PAM don't like to accept the fact that PAM has changed the user name.

> Is it possible to get a "multi"-realm setup like this to work? Any
> pointers?

Yes.

> It would be nice to be able to specify a map to the kerberos client:
>
> Jk = [EMAIL PROTECTED]
> Test = [EMAIL PROTECTED]

Again a change to pam_krb5 to do the mapping.

> Or something like that.
>
> Jesper
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
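The two approaches Douglas describes (a static login-to-principal map, and accepting user@REALM at the prompt and resetting pam_user) come down to one name-resolution step before the Kerberos password check. The following is an added illustration of that step in Python, not code from the thread or from pam_krb5; the realm names, the USER_MAP entries and the local user set are constructed placeholders.

```python
import re

# Constructed example data (not from the thread): local login -> principal,
# mirroring the "Jk = jk@REALM" map Jesper asked for. Realm names are placeholders.
USER_MAP = {
    "jk": "jk@AD-A.EXAMPLE",
    "test": "test@AD-B.EXAMPLE",
}
DEFAULT_REALM = "AD-A.EXAMPLE"
# Realms this host is willing to authenticate against (the mutually trusting AD domains).
TRUSTED_REALMS = {"AD-A.EXAMPLE", "AD-B.EXAMPLE"}

# Accept plain "user@REALM"; reject service principals ("host/x@R") and blanks.
PRINCIPAL_RE = re.compile(r"^([^@/\s]+)@([A-Za-z0-9.-]+)$")


def resolve_login(login, local_users):
    """Return (principal, pam_user) for a login string, or None to reject it.

    Covers the cases from the thread:
      1. a bare local name listed in USER_MAP  -> the mapped principal
      2. a bare local name not in the map      -> name@DEFAULT_REALM
      3. "user@REALM" typed at the prompt      -> realm checked, pam_user reset to "user"
    """
    login = login.strip()
    if "@" in login:
        m = PRINCIPAL_RE.match(login)
        if not m:
            return None
        # AD realm names are uppercase by convention; adjust if yours differ.
        user, realm = m.group(1).lower(), m.group(2).upper()
        if realm not in TRUSTED_REALMS:
            return None  # never authenticate against a realm not on the allow list
        principal, pam_user = f"{user}@{realm}", user
        # If the map already pins this local name to a principal, a same-named
        # principal from another trusted realm must not be treated as the same user.
        if pam_user in USER_MAP and USER_MAP[pam_user] != principal:
            return None
    else:
        pam_user = login.lower()
        principal = USER_MAP.get(pam_user, f"{pam_user}@{DEFAULT_REALM}")
    # Only hand back a pam_user that exists locally, so a valid Kerberos principal
    # is never silently attached to an unrelated or nonexistent local account.
    if pam_user not in local_users:
        return None
    return principal, pam_user
```

The returned principal is what pam_krb5 would then obtain a TGT for with the supplied password, and the returned pam_user is the value to set back into PAM_USER for the calling application.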
