> -----Original Message-----
>
> I've tried to use the pam_krb5 module, but as pam modules
> validate the user as given, pam_krb5 is trying to match the
> password to [EMAIL PROTECTED] so it fails.
>
Pam_krb5 can be configured to convert winbind usernames back into
principal names, by means of some regexp matching and template filling
magic. It is 'underdocumented' - perhaps you even need to grab the
source RPM and look there? I can't remember where I found out about it.
I have pam_krb5 2.1.8-1 working very nicely. Here's the excerpt from my
/etc/krb5.conf:

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        mappings = RILINUX-(.*) [EMAIL PROTECTED] RILINUXEU-(.*) [EMAIL PROTECTED]
    }

The 'mappings' is a set of regexp-template pairs. In my example,
usernames that start with RILINUX- are mapped into principals in
RILINUX.COM, usernames in RILINUXEU- are mapped into the
EU.RILINUX.COM realm.

If you have lots of domains you can do things like (untested):

    mappings = RILINUX([^-]+)-(.*) [EMAIL PROTECTED]

So RILINUXEU-foo -> [EMAIL PROTECTED]
RILINUXANYOLDJUNK-nobody -> [EMAIL PROTECTED]

Bob G
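
The regexp-template mapping described in the message above, as an added Python model for checking a mapping table offline before it goes into krb5.conf; it is not pam_krb5's code and not part of the original message. Assumptions: the templates, which appear on the page only as [EMAIL PROTECTED], are taken to be $1@RILINUX.COM, $1@EU.RILINUX.COM and $2@$1.RILINUX.COM; patterns are matched against the whole username and the first match wins; the realm allowlist and the user-part check are hypothetical additions.

```python
import re

# Constructed tables modelled on the krb5.conf excerpt in the message.
# Assumed template syntax: $1, $2 refer to the pattern's capture groups.
MAPPINGS = [
    (r"RILINUX-(.*)", "$1@RILINUX.COM"),
    (r"RILINUXEU-(.*)", "$1@EU.RILINUX.COM"),
]
# The "(untested)" catch-all form: the realm prefix comes from the username.
WILDCARD = [(r"RILINUX([^-]+)-(.*)", "$2@$1.RILINUX.COM")]

# Hypothetical policy: realms we actually operate, and a conservative user part.
ALLOWED_REALMS = {"RILINUX.COM", "EU.RILINUX.COM"}
USER_OK = re.compile(r"[A-Za-z0-9._-]+")


def map_user(username, mappings):
    """Return the principal built from the first matching pair, or None."""
    for pattern, template in mappings:
        m = re.fullmatch(pattern, username)
        if m:
            # Fill each $N in the template with capture group N.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return None


def check(username, mappings, allowed=ALLOWED_REALMS):
    """Map a username; return (principal, ok) where ok means the result
    has a sane user part and lands in a realm on the allowlist."""
    principal = map_user(username, mappings)
    if principal is None:
        return (None, False)
    user, _, realm = principal.rpartition("@")
    ok = USER_OK.fullmatch(user) is not None and realm in allowed
    return (principal, ok)


if __name__ == "__main__":
    # Constructed sample usernames, including the two from the message.
    for table, name in [
        (MAPPINGS, "RILINUX-bob"),
        (MAPPINGS, "RILINUX-"),               # (.*) also matches nothing
        (WILDCARD, "RILINUXEU-foo"),
        (WILDCARD, "RILINUXANYOLDJUNK-nobody"),
    ]:
        print(name, "->", check(name, table))
```

With the catch-all table, RILINUXANYOLDJUNK-nobody still produces a principal, but in a realm the allowlist does not contain, which is the case to look for when reviewing a wildcard mapping.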