Markus Moeller wrote:
> Russ,
>
> I have a setup where I have two domains with trust and would like to have
> users from either domain to login to my Unix machine to applications which
> can't use GSSAPI, so I need to use pam_krb5 to have some form of SSO. My Unix
> system is in DOMAIN1.COM, which is configured to be the default domain in
> krb5.conf. I configured pam (on Solaris 2.8) as follows:
>
> #authentication
> other auth sufficient pam_krb5-2.6.so.1 minimum_uid=100 debug
> other auth sufficient pam_krb5-2.6.so.1 minimum_uid=100 realm=DOMAIN2.COM use_first_pass debug

Can you actually call this twice? Some version of pam_krb5 would call
pam_set_data(...."ctx"...) and overlay (or use) the pam_krb5 context set by
the first one. (Don't know about 2.6.)

You could add a ctx_name option, so multiple invocations would use
different ctx's.

> other auth required pam_unix.so.1 try_first_pass debug
> # account
> other account sufficient pam_krb5-2.6.so.1 minimum_uid=100 debug
> other account sufficient pam_krb5-2.6.so.1 minimum_uid=100 realm=DOMAIN2.COM debug
> other account required pam_unix.so.1 debug
> # session
> other session required pam_default.so.1 debug
>
> The problem I have is that despite setting the realm to DOMAIN2.COM, the
> system always tries to connect to KDCs of DOMAIN1.COM, never DOMAIN2.COM,
> despite getting an unknown user from DOMAIN1 for users of DOMAIN2, as it
> should. It seems that the Kerberos context of the first
> pam_sm_authenticate call is still used for the second despite changing the
> realm.
>
> Thanks
> Markus
>
> BTW, is it the intention to use different defines for the below?
>
> # grep KRB5_GET_INIT *.[ch]
> config.h:/* #undef HAVE_KRB5_GET_INIT_OPT_SET_DEFAULT_FLAGS */
> support.c:#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS
> #
>
> "Russ Allbery" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>
>> I'm pleased to announce release 2.6 of my Kerberos v5 PAM module. This is
>> a bug-fix release; the feature improvements that were intended to be in
>> this release have been deferred to the next release.
>>
>> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
>> It supports ticket refreshing by screen savers, configurable authorization
>> handling, authentication of non-local accounts for network services,
>> password changing, and password expiration, as well as all the standard
>> expected PAM features. It works correctly with OpenSSH, even with
>> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
>> supports configuration either by PAM options or in krb5.conf or both.
>>
>> Changes from previous release:
>>
>>   Don't assume the pointer set by pam_get_user is usable over the life
>>   of the PAM module; instead, save a local copy.
>>
>>   Avoid a use of already freed memory when debugging is enabled.
>>
>>   Use __func__ instead of __FUNCTION__ and provide a fallback for older
>>   versions of gcc and for systems that support neither. Should fix
>>   compilation issues with Sun's C compiler.
>>
>>   On platforms where we know the appropriate compiler flags, try to
>>   build the module so that symbols are resolved within the module in
>>   preference to any externally available symbols. Also add the
>>   hopefully correct compiler flags for Sun's C compiler.
>>
>> You can download it from:
>>
>>   <http://www.eyrie.org/~eagle/software/pam-krb5/>
>>
>> Debian packages will be uploaded to Debian unstable once I have approval
>> from the release managers.
>>
>> Please let me know of any problems or feature requests not already listed
>> in the TODO file.
>>
>> --
>> Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
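An added check, not code from the thread or from pam-krb5: a small sh/awk lint over a Solaris pam.conf stack like the one Markus quotes, flagging any service/type stack in which pam_krb5 is listed twice with different realm= settings while both entries would share one module context (the "ctx" overlay Doug describes). The ctx_name= option it honours is the hypothetical per-invocation option Doug suggests, not a real pam-krb5 option, and the sample configuration is constructed from the one quoted above.

```shell
#!/bin/sh
# Constructed sample: the Solaris pam.conf stack quoted in the thread, with
# pam_krb5 listed twice per stack (default realm, then realm=DOMAIN2.COM).
PAMCONF_SAMPLE='other auth sufficient pam_krb5-2.6.so.1 minimum_uid=100 debug
other auth sufficient pam_krb5-2.6.so.1 minimum_uid=100 realm=DOMAIN2.COM use_first_pass debug
other auth required pam_unix.so.1 try_first_pass debug
other account sufficient pam_krb5-2.6.so.1 minimum_uid=100 debug
other account sufficient pam_krb5-2.6.so.1 minimum_uid=100 realm=DOMAIN2.COM debug
other account required pam_unix.so.1 debug
other session required pam_default.so.1 debug'

# Read pam.conf lines on stdin; print one line for every service/type stack
# that loads the same pam_krb5 module more than once with different realm=
# values while sharing one module context. ctx_name= is the hypothetical
# per-invocation option suggested in the thread, not a real pam-krb5 option;
# entries carrying distinct ctx_name= values are treated as independent.
find_stacked_realm_conflicts() {
    awk '
    # Solaris pam.conf fields: service type control module [option ...]
    $1 ~ /^#/ || NF < 4 { next }
    $4 ~ /pam_krb5/ {
        realm = "(default)"; ctx = "(shared)"
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^realm=/)    realm = substr($i, 7)
            if ($i ~ /^ctx_name=/) ctx   = substr($i, 10)
        }
        # One context per service/type/module/ctx_name; a second entry with
        # another realm under the same key is the overlay problem.
        key = $1 SUBSEP $2 SUBSEP $4 SUBSEP ctx
        if ((key in seen) && seen[key] != realm)
            print $1, $2, $4 ": realm " seen[key] " and realm " realm " would share module context " ctx
        else
            seen[key] = realm
    }'
}

# Number of conflicting stacks in the configuration text passed as $1.
count_conflicts() {
    printf '%s\n' "$1" | find_stacked_realm_conflicts | awk 'END { print NR }'
}

printf '%s\n' "$PAMCONF_SAMPLE" | find_stacked_realm_conflicts
```

On the quoted stack this reports both the auth and the account stacks; adding a distinct ctx_name= to the DOMAIN2.COM entries silences it.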
