Hi All, I'm trying to configure Kerberos clients on CentOS 5.2 to authenticate against two AD forests. Here's what I'm hoping to accomplish:
- Default Realm = REALM1.COM
- Second Realm = REALM2.COM
- [email protected] can authenticate as User1 or [email protected]
- [email protected] can authenticate as [email protected]
- REALM1.COM and REALM2.COM are stripped during auth so that [email protected] or [email protected] are resolved to local UIDs User1 and User2

I can run kinit to get a ticket for either realm. I see the valid ticket with klist. I can authenticate as User1 or User2 against either realm when it's set to the default realm. I cannot log in when the user string is [email protected] or [email protected]. I get an error from PAM saying "Invalid user [email protected]..." I think because PAM expects [email protected] to be a local UID.

I've looked through the man pages and some other info online. I think the auth_to_local, auth_to_local_names, or auth_to_local_realm directives and/or .k5login might be part of the solution, but the various configurations I've tried have all failed with the PAM Invalid User error for fully qualified user names. Any suggestions and help would be greatly appreciated.

Here is my current simple krb5.conf:

[libdefaults]
    clockskew = 300
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = REALM1.COM

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
    }

Thanks,
Jim Sifferle
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
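The realm-stripping part of the setup above, written out as an added krb5.conf example (not the poster's configuration): MIT krb5 reads auth_to_local rules from the default realm's [realms] entry, and the RULE syntax assumed here is the standard `RULE:[n:string](regexp)s/pattern/replacement/` form, with REALM2.COM principals assumed to be single-component (user@REALM2.COM). These rules map a ticket's principal to a local account name once a service has accepted a Kerberos principal (for example GSSAPI logins); they do not change how the typed login name itself is looked up.

```ini
[libdefaults]
    default_realm = REALM1.COM
    dns_lookup_kdc = true

[realms]
    ; Mapping rules live under the local (default) realm's entry.
    REALM1.COM = {
        ; Build "user@REALM" from the one-component principal ($1 = user, $0 = realm);
        ; if the realm is REALM2.COM, strip everything from "@" onward: user@REALM2.COM -> user
        auth_to_local = RULE:[1:$1@$0](.*@REALM2\.COM)s/@.*//
        ; Principals in the default realm keep the default behaviour: user@REALM1.COM -> user
        auth_to_local = DEFAULT
        ; Explicit per-principal overrides win over the rules; example entry, constructed
        auth_to_local_names = {
            svc-backup@REALM2.COM = backup
        }
    }
```

Because both realms collapse onto one local namespace, the same account name in both forests resolves to the same UID; an auth_to_local_names override or a prefixing rule (for example `s/@REALM2\.COM$/` replaced with a fixed prefix) keeps the two populations distinct if that is not intended.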
