Chris Penney wrote:
> On 5/17/07, Douglas E. Engert <[EMAIL PROTECTED]> wrote:
>> Whose pam_krb5? Russ Allbery's has some extra options that might
>> try both realms.
>
> On 5/17/07, Markus Moeller <[EMAIL PROTECTED]> wrote:
>> You need entries like (assuming that users are unique over both domains
>> and you have more users in LOC1.DOM.COM)
>>
>>   other auth sufficient pam_krb5 REALM=LOC1.DOM.COM
>>   other auth sufficient pam_krb5 REALM=LOC2.DOM.COM

Note that the LOC1.DOM.COM AD logs may show a lot of failures for missing
users or bad passwords, and may lock a user account.

> Ah! I see. I used the pam_krb5 that Douglas noted and the pam config
> lines you noted and it works basically as intended.
>
> Do you still have to do this even if you add the system to AD via a
> "User" account?

Microsoft used a misleading term when they said to add the machine as a
"user". You are adding a service principal for the machine into a realm.
With AD that also means it needs an account, which looks like a "user"
account, but in Kerberos terms has nothing to do with the user.

So each user must be registered with a principal (and AD account), and
each service must be registered with a principal (and its own AD account).

If you have cross realm set up, then each user only needs to be in one
realm, and each service only needs to be in one realm.

You did not indicate that you have cross realm set up, i.e. the ADs have
some cross domain trust. But if it works as intended, then it must.
A klist would show an extra TGT like krbtgt/[EMAIL PROTECTED]

> Thanks!
>
> Chris
> ________________________________________________
> Kerberos mailing list  [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
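Douglas's closing check (a klist showing an extra TGT proves a cross-realm trust is actually in play) can be automated. The script below is an added example and not code from the thread or from any pam_krb5 implementation; it assumes the MIT `klist` output layout (a "Default principal:" line, then one ticket per line ending in the service principal) and runs on a constructed sample credential cache listing, so it works offline. The rule it applies is the standard Kerberos naming convention: a ticket for `krbtgt/REALM@REALM` is the local TGT, while `krbtgt/OTHER@REALM` is a cross-realm TGT issued by REALM for OTHER.

```python
import re
from dataclasses import dataclass

# Constructed sample of MIT `klist` output (not taken from the original thread).
# Models a LOC1.DOM.COM user who has been referred to LOC2.DOM.COM via a trust.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@LOC1.DOM.COM

Valid starting       Expires              Service principal
05/17/2007 10:00:00  05/17/2007 20:00:00  krbtgt/LOC1.DOM.COM@LOC1.DOM.COM
05/17/2007 10:00:05  05/17/2007 20:00:00  krbtgt/LOC2.DOM.COM@LOC1.DOM.COM
05/17/2007 10:00:05  05/17/2007 20:00:00  host/fileserver.loc2.dom.com@LOC2.DOM.COM
"""

# name[/instance]@REALM ; instance is optional (e.g. plain user principals)
PRINCIPAL_RE = re.compile(r"^(?P<name>[^/@\s]+)(?:/(?P<instance>[^@\s]+))?@(?P<realm>\S+)$")


@dataclass
class Ticket:
    service: str        # full service principal as printed by klist
    kind: str           # "local-tgt", "cross-realm-tgt" or "service"
    issuing_realm: str  # realm after the '@' (the KDC that issued the ticket)
    target_realm: str   # for TGTs: the realm the TGT is good for; else issuing_realm


def parse_klist(text):
    """Return (default_principal, [Ticket, ...]) from klist output."""
    default_principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default_principal = line.split(":", 1)[1].strip()
            continue
        fields = line.split()
        # Ticket lines are "<date> <time> <date> <time> <principal>"; header,
        # blank and "renew until" lines have fewer fields and are skipped.
        if len(fields) < 5:
            continue
        m = PRINCIPAL_RE.match(fields[-1])
        if not m:
            continue
        name, instance, realm = m.group("name"), m.group("instance"), m.group("realm")
        if name == "krbtgt" and instance:
            # krbtgt/REALM@REALM is the user's own TGT; krbtgt/OTHER@REALM is a
            # cross-realm TGT that REALM issued so the client can talk to OTHER.
            kind = "local-tgt" if instance == realm else "cross-realm-tgt"
            tickets.append(Ticket(fields[-1], kind, realm, instance))
        else:
            tickets.append(Ticket(fields[-1], "service", realm, realm))
    return default_principal, tickets


def cross_realm_tgts(text):
    """List (issuing_realm, target_realm) pairs proving a trust was exercised."""
    _, tickets = parse_klist(text)
    return [(t.issuing_realm, t.target_realm)
            for t in tickets if t.kind == "cross-realm-tgt"]


def realms_in_cache(text):
    """Sorted set of every realm the cache holds tickets for or from."""
    _, tickets = parse_klist(text)
    return sorted({r for t in tickets for r in (t.issuing_realm, t.target_realm)})


if __name__ == "__main__":
    who, tix = parse_klist(SAMPLE_KLIST)
    print("principal:", who)
    for t in tix:
        print(f"  {t.kind:16} {t.service}")
    print("cross-realm TGTs:", cross_realm_tgts(SAMPLE_KLIST))
```

On a real host, pipe `klist` into `parse_klist`; an empty result from `cross_realm_tgts` after a successful login into the other realm means the success came from a second direct authentication (the two-line PAM stack), not from a trust, which is exactly the case where the first realm's AD logs accumulate failed logons.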
