Solaris pam_krb5 uses root/<instance>@<REALM>

Wyllys Ingersoll wyllys.ingersoll at sun.com
Thu Oct 17 14:19:04 EDT 2002


It's hardcoded into our PAM module that if the user is "root", then it
looks for root/<host>@REALM. I don't think there is a workaround
for it unless you switch to a different pam_krb5 module.

This is a security "feature"; we prefer that the root principal be unique to
each host rather than global to the realm. Thus the root principal for
one host is not automatically associated with the root user on the other
hosts on the network.  Also this allows for each host to have a different
password associated with its root principal.

-Wyllys

Frederico S. Munoz wrote:
> Hello all,
> 
> I'm deploying a Kerberos V Realm in a mixed Unix environment (HP-UX,
> Solaris, GNU/Linux and AIX). By now I have most things sorted out and
> both Kerberos and LDAP are functioning quite well.
> 
> I have this small problem though: all machines, when using pam_krb5, try
> to authenticate a "root" user using root@<REALM>, except Solaris.
> Solaris, only with the root login, tries to auth root/<host>@<REALM>.
> 
> In the end I will probably not even use a generic root principal, so
> it's not that big a problem. I would however like to know if someone
> else had this behaviour and was able to change it.
> 
> Best Regards,
> 
> 
> fsmunoz




