[email protected] wrote:
> Hi All,
>
> I'm trying to configure Kerberos clients on CentOS 5.2 to authenticate
> against two AD forests. Here's what I'm hoping to accomplish:
>
>
> - Default Realm = REALM1.COM
>
> - Second Realm = REALM2.COM
>
> - [email protected] can authenticate as User1 or [email protected]
>
> - [email protected] can authenticate as [email protected]
>
> - REALM1.COM and REALM2.COM are stripped during auth so that
> [email protected] or [email protected] are resolved to local UIDs User1 and
> User2
>
> I can run kinit to get a ticket for either realm. I see the valid ticket
> with klist. I can authenticate as User1 or User2 against either realm when
> it's set to the default realm. I cannot login when the user string is
> [email protected] or [email protected]. I get an error from PAM saying
> "Invalid user [email protected]..." I think because PAM expects
> [email protected] to be a local UID.
>
> I've looked through the man pages and some other info online. I think the
> auth_to_local, auth_to_local_names, or auth_to_local_realm directives and/or
> .k5login might be part of the solution, but the various configurations I've
> tried have all failed with the PAM Invalid User error for fully qualified
> user names. Any suggestions and help would be greatly appreciated.
>
What version of pam_krb5 are you using?
It may or may not accept a principal in place of a name. Some
versions of pam_krb5 can add an additional prompt to
prompt for the principal, so that the local user name does not
have to match the principal, and can be from a different realm.
Russ's version has the above feature and is in Debian:
<http://www.eyrie.org/~eagle/software/pam-krb5/>
You also did not say if you created a host keytab and registered
the host in AD. pam_krb5 will try and get a service ticket
for the local host.
will normally try and get a
> Here is my current simple krb5.conf:
>
> [libdefaults]
>     clockskew = 300
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     default_realm = REALM1.COM
>
> [appdefaults]
>     pam = {
>         ticket_lifetime = 1d
>         renew_lifetime = 1d
>         forwardable = true
>         proxiable = false
>         retain_after_close = false
>         minimum_uid = 0
>     }
>
> Thanks,
>
> Jim Sifferle
>
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
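The auth_to_local directive that the original question names is the MIT Kerberos mechanism for turning an authenticated principal such as User2@REALM2.COM into the local account name User2, which is the step that is failing with the "Invalid user" error. The following is an added example, not code from either mail: a small Python dry-run of MIT's auth_to_local rule syntax (RULE:[n:fmt](regexp)s/pat/rep/[g] and DEFAULT), so a rule set can be checked against sample principals before it is placed in krb5.conf and tested through PAM. The realm names and the rule set are constructed for this example; the krb5.conf fragment shown in the comments is where such rules would go, and to my knowledge MIT reads them from the stanza of the default realm (Heimdal consults the principal's own realm instead, so the placement is an assumption to verify against your libkrb5). Mapping is not authorization: a rule that maps a foreign principal onto a local account lets that principal log in as it, so the selector regexp should be as narrow as possible, and a ~/.k5login can further restrict which principals a local account accepts.

```python
import re

# Constructed sample configuration, not from the original thread.
# In krb5.conf these rules would appear as (MIT syntax):
#   [realms]
#     REALM1.COM = {
#       auth_to_local = RULE:[1:$1@$0](^[^/]+@REALM2\.COM$)s/@REALM2\.COM$//
#       auth_to_local = DEFAULT
#     }
DEFAULT_REALM = "REALM1.COM"
SAMPLE_RULES = [
    # Map single-component principals from REALM2.COM to their first component.
    "RULE:[1:$1@$0](^[^/]+@REALM2\\.COM$)s/@REALM2\\.COM$//",
    # DEFAULT: single-component principals in the default realm map to that component.
    "DEFAULT",
]

# RULE:[<ncomp>:<fmt>](<selector regexp>)<sed-style substitutions>
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(.*)$")
# s/<pattern>/<replacement>/[g]  (backslash escapes allowed inside)
_SED_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (list of components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def format_selector(fmt, comps, realm):
    """Expand $0 (realm) and $1..$n (components) in the rule's format string."""
    def expand(m):
        idx = int(m.group(1))
        if idx == 0:
            return realm
        return comps[idx - 1] if idx <= len(comps) else ""
    return re.sub(r"\$(\d+)", expand, fmt)


def apply_rule(rule, principal, default_realm):
    """Return the local name produced by one rule, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        if realm == default_realm and len(comps) == 1:
            return comps[0]
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unparsable auth_to_local rule: %r" % rule)
    ncomp, fmt, selector, sed_part = m.groups()
    # The [n:...] selector only applies to principals with exactly n components.
    if len(comps) != int(ncomp):
        return None
    candidate = format_selector(fmt, comps, realm)
    # The selector regexp must match the whole formatted string.
    if selector and re.fullmatch(selector, candidate) is None:
        return None
    # Apply the s/pat/rep/[g] substitutions in order to derive the local name.
    for pat, rep, gflag in _SED_RE.findall(sed_part):
        candidate = re.sub(pat, rep, candidate, count=0 if gflag else 1)
    return candidate or None


def map_principal(principal, rules=SAMPLE_RULES, default_realm=DEFAULT_REALM):
    """First matching rule wins; None means no local mapping (login should fail)."""
    for rule in rules:
        name = apply_rule(rule, principal, default_realm)
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    for p in ("User1@REALM1.COM", "User2@REALM2.COM",
              "host/box.realm1.com@REALM1.COM", "User2@REALM3.COM"):
        print("%-34s -> %s" % (p, map_principal(p)))
```

Running the script prints the local name each sample principal maps to; a None for the host principal and for the untrusted REALM3.COM principal is the desired outcome, since neither should resolve to a login account.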