authenticating to AD from linux login

Douglas E. Engert deengert at anl.gov
Wed May 5 10:45:08 EDT 2004


Check out this PowerPoint presentation from 1996 on cross-realm
authentication. It's referring to interoperating with DCE, which we don't
have any more, but the Kerberos concepts are still there.

ftp://achilles.ctd.anl.gov/pub/DEE/dcesig4.ppt

melissa_benkyo wrote:
> 
> I think I might have it figured out. It might not really be an LDAP
> issue but a Kerberos setup issue. Here is the scenario, guys. I'm quite
> confused about domains/realms. I have 2 AD (let's say AD1 and AD2). I
> have a Linux machine belonging to AD1, so it means I have linux.AD1.
> But I want to authenticate from Linux using a user in AD2. So I
> created a keytab for the Linux machine on AD2, and I set up the
> [domain_realm] on the Linux machine as so: .AD1 = AD1, AD1 = AD1,
> .linux.AD1 = AD1, linux.AD1 = AD1. I tried different combinations. I'm
> not sure what is the right approach. Do you think that I couldn't
> log in any local user and AD2 users because it couldn't access the
> Linux keytab? Logs aren't showing anything useful.

Sounds like you are trying to put the host in two realms, whereas you
don't need to do this if you use cross realm correctly.

Especially note slides 5, 6, 7 and 23. 

> 
> any help is much appreciated. thanks!
> 
> wyl_lyf at yahoo.com (melissa_benkyo) wrote in message news:<304f3217.0405040738.523190a5 at posting.google.com>...
> > hello all,
> >
> > I have a weird problem with authentication to Active Directory from my
> > Linux box using Kerberos. I'm using pam_krb5 to do the authentication
> > and looking up the uid/gid through LDAP, meaning I do not have an entry
> > in the /etc/passwd file. I am able to see the entry from Active
> > Directory when I do a getent passwd, but when I try to log in, I
> > couldn't log in, and even the local users couldn't log in. Yikes! That
> > would be a problem. hehehe :D
> >
> > So any ideas? What could be the problem? I'm thinking in these
> > directions:
> > 1) PAM side: I think these are okay since if I add an entry in the
> > /etc/password to indicate to use Kerberos then it will authenticate.
> > 2) LDAP side: more so this problem I would think. But I'm not sure
> > what exactly. Is there any additional setup for LDAP in pam.conf?
> > Should I add pam_ldap? I modified the nsswitch.conf. What else does it
> > want from meeee? hehehe :D
> >
> > well, any insight is much appreciated. thanks!
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
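The point of the reply above is that the Linux host lives in exactly one realm (AD1) and users from AD2 reach it through a cross-realm trust, not through a second keytab and a second set of [domain_realm] entries. The following is an added example, not code from the thread or from MIT Kerberos: it embeds a constructed krb5.conf for that layout (realm names AD1.EXAMPLE and AD2.EXAMPLE with DNS domains ad1.example and ad2.example, plus the KDC host names, are all placeholders) and re-implements the [domain_realm] host-to-realm lookup and the explicit [capaths] check in a simplified form, so you can see which realm a given hostname maps to and whether a client realm has a direct path to it. The lookup order (exact hostname, then parent domains with a leading dot, then the upper-cased parent domain as a fallback) follows MIT krb5's documented behaviour but is a simplification; hierarchical capaths fallback and DNS realm lookup are not modelled.

```python
"""Simplified krb5.conf [domain_realm] and [capaths] resolution (added example)."""

# Constructed krb5.conf for one host in AD1.EXAMPLE trusting users from AD2.EXAMPLE.
# Every realm, domain and KDC name here is a placeholder, not a real site.
KRB5_CONF = """\
[libdefaults]
    default_realm = AD1.EXAMPLE

[realms]
    AD1.EXAMPLE = {
        kdc = dc1.ad1.example
        admin_server = dc1.ad1.example
    }
    AD2.EXAMPLE = {
        kdc = dc1.ad2.example
        admin_server = dc1.ad2.example
    }

[domain_realm]
    .ad1.example = AD1.EXAMPLE
    ad1.example = AD1.EXAMPLE
    .ad2.example = AD2.EXAMPLE
    ad2.example = AD2.EXAMPLE

[capaths]
    AD2.EXAMPLE = {
        AD1.EXAMPLE = .
    }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf-style text into {section: {key: value-or-nested-dict}}.

    Handles the subset used above: [sections], key = value lines, and
    key = { ... } blocks. Comments starting with '#' are ignored.
    """
    conf = {}
    stack = []  # dicts currently being filled; stack[-1] receives new keys
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            key = line[:-1].split("=", 1)[0].strip()
            stack.append(stack[-1].setdefault(key, {}))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    return conf


def host_realm(domain_realm, hostname):
    """Map a hostname to a realm the way [domain_realm] is consulted.

    1. exact hostname; 2. each parent domain with a leading dot, longest
    first; 3. fallback: the parent domain upper-cased (assumption: this
    mirrors the library default when no mapping exists and DNS lookup is off).
    """
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return ".".join(labels[1:]).upper() if len(labels) > 1 else host.upper()


def cross_realm_path(capaths, client_realm, server_realm):
    """Return intermediate realms for client_realm -> server_realm from [capaths].

    Returns [] for the same realm or an explicit direct trust ('.'), a list of
    intermediate realm names otherwise, or None if no explicit path is
    configured (hierarchical fallback is deliberately not modelled).
    """
    if client_realm == server_realm:
        return []
    hop = capaths.get(client_realm, {}).get(server_realm)
    if hop is None:
        return None
    return [] if hop == "." else [hop]


def describe_login(conf, client_principal, service_host):
    """Work out which service principal and trust path an SSH/PAM login needs."""
    client_realm = client_principal.split("@", 1)[1]
    service_realm = host_realm(conf["domain_realm"], service_host)
    return {
        "client_realm": client_realm,
        "service_realm": service_realm,
        # Only one host principal is needed; it lives in the host's own realm.
        "service_principal": f"host/{service_host}@{service_realm}",
        "hops": cross_realm_path(conf.get("capaths", {}), client_realm, service_realm),
    }


CONF = parse_krb5_conf(KRB5_CONF)

if __name__ == "__main__":
    print(describe_login(CONF, "alice@AD2.EXAMPLE", "linux.ad1.example"))
```

Running the script shows that linux.ad1.example resolves to AD1.EXAMPLE, that the only keytab entry the host needs is host/linux.ad1.example@AD1.EXAMPLE, and that a client in AD2.EXAMPLE reaches it with zero intermediate hops because of the direct trust in [capaths]. Adding ".linux.ad1.example" or a second keytab from AD2 changes nothing about that path, which is the practical content of the reply.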
