On 08/11/2015 09:39 AM, Daniel Fussell wrote:
> On 08/10/2015 09:47 PM, Michael Torrie wrote:
>> [1] In case anyone is curious, an easy way to do this is by making the
>> kerberos principals be something like "username/admin@DOMAIN", and
>> then telling the local admin account to allow logins from
>> */admin@DOMAIN. That way the local account needn't be modified when
>> other principals are created or deleted.
>
> I tried using */admin@DOMAIN with .k5login to map admin users to a local
> admin account, but it turns out wildcards aren't supported in .k5login.
> How did you set it up with pam and nss to do the mapping?

I don't have access to any machines that I set up anymore, but I recall using wildcards in .k5login and it worked just fine. This was on RHEL6 machines. Except for enabling Kerberos through the RH authconfig utility (which sets up pam_krb5), I didn't make any changes to pam or nss.
