AD, pam and Kerberos?

Douglas E. Engert deengert at anl.gov
Mon Aug 14 10:49:22 EDT 2006



JK (Jesper Agerbo Krogh) wrote:

> Hi All. 
> 
> We have a setup with several Active Directory domains that individually
> trusts 
> each other. Each domain translates into each own Kerberos REALM as far
> as I'm understanding the systems. 

Yes.

> 
> But principals are unique across the realms. Thus if jk@realm1 exists,
> then it doesn't exist in the other realms.

By convention, realm names are unique, as they are derived from DNS
names, so principal names are also unique. But if you mean the
CN or samAccountName in AD in a forest, then these are unique in
the forest. Note that the UPN of an AD account does not have to match
the CN.

> 
> I'd like to use kerberos for the password lookup in the Linux system
> using pam. This
> Works fine with one "realm" but since the system only looks up users in
> the "default realm" I cannot validate users from the other realms. 
> 
> (This is pam for login on Linux Server/Workstations)

The problem is that PAM is underspecified, expecting the user to give
the local user account name and some password. When used with
Kerberos, you need the principal, user@realm, where user may not match
the local user account name.

You could change PAM to prompt for the principal, in addition to the
user and password, which is the most general case.

You could also change PAM to accept user@realm, then strip off the
@realm and reset the pam_user before returning. But some applications
that call PAM don't like to accept the fact that PAM has changed the
user name.

> 
> Is it possible to get a "multi"-realm setup like this to work? Any
> pointers? 

Yes.

> 
> It would be nice to be able to specify a map to the kerberos client:
> 
> jk = jk@realm1
> test = test@realm2

Again a change to pam_krb5 to do the mapping.

> 
> Or something like that. 
> 
> Jesper
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
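The user@realm stripping and the local-name map Jesper asks for, as an added example in C that is not part of this thread or of pam_krb5: it resolves a login name to the principal to authenticate and the local account name PAM_USER would be reset to. The realms, the map entries and the trusted-realm list are constructed, and the pam_set_item(PAM_USER, ...) call itself is left out.

```c
/* Added example: map a PAM login name to a Kerberos principal.
 * Three cases from the thread: "user@REALM" given explicitly, a local
 * account listed in a static map (jk = jk@realm1), or a bare name that
 * falls back to the default realm. All names and realms are constructed. */
#include <stdio.h>
#include <string.h>

#define DEFAULT_REALM "REALM1.EXAMPLE.COM"   /* constructed */

/* Constructed map: local account -> principal (the map Jesper describes). */
static const struct { const char *local; const char *princ; } map_tbl[] = {
    { "jk",   "jk@REALM1.EXAMPLE.COM" },
    { "test", "test@REALM2.EXAMPLE.COM" },
};

/* Constructed allow-list: only realms this host trusts may log in,
 * so a caller cannot point PAM at an arbitrary realm by typing "@X". */
static const char *trusted_realms[] = {
    "REALM1.EXAMPLE.COM", "REALM2.EXAMPLE.COM", NULL
};

static int realm_trusted(const char *realm) {
    for (int i = 0; trusted_realms[i]; i++)
        if (strcmp(realm, trusted_realms[i]) == 0) return 1;
    return 0;
}

/* Resolve login -> (local user, principal). Returns 0 on success, -1 if
 * the name is malformed, too long, or names an untrusted realm.
 * local_out is the part before '@': what PAM_USER would be reset to. */
int map_login(const char *login, char *local_out, size_t llen,
              char *princ_out, size_t plen) {
    const char *at = strchr(login, '@');
    if (at) {                                  /* explicit user@REALM */
        size_t ulen = (size_t)(at - login);
        const char *realm = at + 1;
        if (ulen == 0 || *realm == '\0' || strchr(realm, '@') ||
            ulen >= llen || !realm_trusted(realm))
            return -1;
        memcpy(local_out, login, ulen); local_out[ulen] = '\0';
        return snprintf(princ_out, plen, "%s", login) < (int)plen ? 0 : -1;
    }
    if (*login == '\0' || strlen(login) >= llen) return -1;
    strcpy(local_out, login);                  /* local name unchanged */
    for (size_t i = 0; i < sizeof map_tbl / sizeof map_tbl[0]; i++)
        if (strcmp(login, map_tbl[i].local) == 0)   /* mapped account */
            return snprintf(princ_out, plen, "%s", map_tbl[i].princ)
                   < (int)plen ? 0 : -1;
    return snprintf(princ_out, plen, "%s@%s", login, DEFAULT_REALM)
           < (int)plen ? 0 : -1;               /* default realm */
}
```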