AD, pam and Kerberos?
Douglas E. Engert
deengert at anl.gov
Mon Aug 14 10:49:22 EDT 2006
JK (Jesper Agerbo Krogh) wrote:
> Hi All.
> We have a setup with several Active Directory domains that individually
> each other. Each domain translates into its own Kerberos REALM as far
> as I'm understanding the systems.
> But principals are unique across the realms. Thus if jk@realm1 exists,
> it doesn't exist in the other realms.
By convention, realm names are unique, as they are derived from DNS
names, so that principal names are also unique. But if you mean the
CN or sAMAccountName in AD in a forest, then these are unique in
the forest. Note that the UPN of an AD account does not have to match
> I'd like to use Kerberos for the password lookup in the Linux system
> using PAM. This works fine with one "realm", but since the system only
> looks up users in the "default realm" I cannot validate users from the
> other realms.
> (This is PAM for login on Linux servers/workstations.)
The problem is that PAM is underspecified: it expects the user to give
the local user account name and some password. When used with
Kerberos, you need the principal, user@realm, where user may not match
the local user account name.
You could change PAM to prompt for the principal, in addition to the
user and password, which is the most general case.
You could also change PAM to accept user@realm, then strip off the
@realm and reset the pam_user before returning. But some applications
that call PAM don't like to accept the fact that PAM has changed the
> Is it possible to get a "multi"-realm setup like this to work? Any
> It would be nice to be able to specify a map to the Kerberos client:
> Jk = jk@realm1
> Test = test@realm2
Again, a change to pam_krb5 to do the mapping.
> Or something like that.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
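The mapping step the reply above describes (map what was typed at the login prompt to a principal, verify the password against the KDC, then strip the realm and reset PAM_USER to the local account), written out as an added example. This is not code from the original post, from pam_krb5 or from any PAM module; the realm names, the mapping table, the "known realms" set and the stand-in password check are constructed for illustration. The point it adds is the check the poster's "jk = jk@realm1" map implies: the table, not the user, decides which realm may log in as which local account, so that stripping "@realm" does not let a same-named principal from another realm take over a local account.

```python
import re

# Assumed default realm (what krb5.conf's default_realm would be on this host).
DEFAULT_REALM = "REALM1"

# Constructed mapping table, in the spirit of the poster's
#   jk = jk@realm1
#   test = test@realm2
# local account name -> the one principal allowed to log in as it.
USER_MAP = {
    "jk": "jk@REALM1",
    "test": "test@REALM2",
}

# Realms this host is willing to authenticate against at all (assumed).
KNOWN_REALMS = {"REALM1", "REALM2"}

# Conservative shape for a local account name; rejects '@', '/', whitespace, etc.
LOCAL_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def resolve_principal(login, user_map=USER_MAP, default_realm=DEFAULT_REALM,
                      known_realms=KNOWN_REALMS):
    """Map the typed login name to (local_user, principal), or raise ValueError.

    Accepts either a bare local name ("jk") or a full principal ("jk@REALM1").
    An explicit realm is only honoured if it matches what the table (or the
    default realm, for unmapped users) already permits for that local account.
    """
    if "@" in login:
        user, realm = login.split("@", 1)   # split on the first '@' only
    else:
        user, realm = login, None

    if not LOCAL_USER_RE.match(user):
        raise ValueError("bad local user name: %r" % user)

    # The principal this local account is allowed to authenticate as.
    allowed = user_map.get(user, "%s@%s" % (user, default_realm))

    if realm is None:
        return user, allowed            # bare name: use the mapped/default realm

    if realm not in known_realms:
        raise ValueError("unknown realm: %r" % realm)
    principal = "%s@%s" % (user, realm) # realm names are case-sensitive; no folding
    if principal != allowed:
        raise ValueError("%s may not log in as local user %s" % (principal, user))
    return user, principal


def authenticate(login, password, verify_password):
    """PAM-style flow: resolve, check the password, return the local user.

    verify_password(principal, password) stands in for obtaining initial
    credentials for the principal (what a real module does with the KDC);
    a real module must also validate the obtained TGT against the host's
    keytab so that a spoofed KDC cannot answer "yes" to any password.
    The returned local user is what the module would set back as PAM_USER;
    None means authentication failed.
    """
    try:
        local_user, principal = resolve_principal(login)
    except ValueError:
        return None
    if not verify_password(principal, password):
        return None
    return local_user


# Constructed stand-in for the two realms' password checks (example data only).
FAKE_KDC = {"jk@REALM1": "pw-one", "test@REALM2": "pw-two", "jk@REALM2": "pw-imp"}


def fake_verify(principal, password):
    return FAKE_KDC.get(principal) == password


if __name__ == "__main__":
    for login, pw in [("jk", "pw-one"), ("test", "pw-two"),
                      ("test@REALM2", "pw-two"), ("jk@REALM2", "pw-imp")]:
        print("%-12s -> %r" % (login, authenticate(login, pw, fake_verify)))
```

Note the last case: jk@REALM2 supplies the password its own KDC would accept, and is still refused, because the local account "jk" is mapped to REALM1. Without that check, the "strip off the @realm" approach quietly grants any same-named principal in any trusted realm the local account.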