AD, pam and Kerberos?

Konstantin Kunshchikov kvk at
Fri Aug 18 08:37:21 EDT 2006

For the multi-realm setup with the Active Directory only you can look at 
the samba winbindd.
It does the same thing as nss_ldap/pam_krb5 and also can be easily 
configured on "DOMAIN+Username" user names.


JK (Jesper Agerbo Krogh) wrote:
> Hi All. 
> We have a setup with several Active Directory domains that individually
> trust each other. Each domain translates into its own Kerberos REALM as far
> as I'm understanding the systems.
> But principals are unique across the realms. Thus if jk at realm1 exists,
> then it doesn't exist in the other realms.
> I'd like to use kerberos for the password lookup in the Linux system
> using pam. This works fine with one "realm" but since the system only
> looks up users in the "default realm" I cannot validate users from the
> other realms.
> (This is pam for login on Linux Server/Workstations)
> Is it possible to get a "multi"-realm setup like this to work? Any
> pointers?
> It would be nice to be able to specify a map to the kerberos client:
> Jk = jk at realm1
> Test = test at realm2 
> Or something like that. 
> Jesper
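A sketch of the winbindd setup suggested in the reply, added here as an example and not taken from either poster. The names REALM1 and REALM1.EXAMPLE.COM are constructed placeholders, the host is assumed to be already joined to that domain, and the idmap lines use the Samba 3.0-era option names.

```ini
# /etc/samba/smb.conf on the Linux host (placeholder names throughout)
[global]
    # Act as an Active Directory member; authentication uses Kerberos
    security = ads
    workgroup = REALM1
    realm = REALM1.EXAMPLE.COM

    # Present accounts as DOMAIN+Username, e.g. REALM1+jk or REALM2+test
    winbind separator = +

    # Also resolve users from domains the joined domain trusts
    allow trusted domains = yes

    # Keep the domain prefix on every name so the domain of an account
    # is always explicit at login and in file ownership
    winbind use default domain = no

    # Local uid/gid ranges winbindd may allocate for domain accounts
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    # Values returned for fields AD does not supply
    template shell = /bin/bash
    template homedir = /home/%D/%U

    # Avoid enumerating every account of every trusted domain
    winbind enum users = no
    winbind enum groups = no

# The name service and PAM then point at winbind:
#
# /etc/nsswitch.conf
#   passwd: files winbind
#   group:  files winbind
#
# /etc/pam.d/<service>
#   auth     sufficient  pam_winbind.so
#   account  sufficient  pam_winbind.so
```

Leaving `winbind use default domain` off means every login names its domain explicitly, so an account is never matched against the wrong realm by short name alone.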