AD, pam and Kerberos?

JK (Jesper Agerbo Krogh) JK at novozymes.com
Mon Aug 14 09:47:42 EDT 2006


Hi All. 

We have a setup with several Active Directory domains that individually
trust each other. Each domain translates into its own Kerberos REALM, as
far as I understand the systems.

But principals are unique across the realms. Thus if jk at realm1 exists,
then it doesn't exist in the other realms.

I'd like to use Kerberos for the password lookup in the Linux system
using pam. This works fine with one "realm", but since the system only
looks up users in the "default realm" I cannot validate users from the
other realms.

(This is pam for login on Linux Server/Workstations)

Is it possible to get a "multi"-realm setup like this to work? Any pointers?

It would be nice to be able to specify a map to the kerberos client:

Jk = jk at realm1
Test = test at realm2 

Or something like that. 

Jesper



