Linux : krb5 and pam

Quinten quinten at
Wed Mar 29 18:21:04 EST 2006


  Our environment is currently using 2 AD/realms. I am trying to set up 
a RHEL3 host to authenticate users from both realms. If the 
default_realm in /etc/krb5.conf is set to one realm, the users in the 
other realm cannot authenticate and vice versa. So there is no issue on 
any settings, they just seem unable to coexist.

  The module in /etc/pam.d/system-auth is set to 
"sufficient". I have tried to add another entry:

account   sufficient   /lib/security/$ISA/
account   sufficient   /lib/security/$ISA/\

But when I try to authenticate as a user from the non-default domain I 
get an error that the user cannot be found in the Kerberos database. 
Users from the default_realm are able to authenticate. It seems the 
stack stops at the first entry and returns a status OK to PAM when it is 
executed. The pam_krb5 module itself however does not attempt to try the 
other realm as defined in /etc/krb5.conf. There is a similar setup we 
have on Solaris hosts that does actually work.

I am not quite sure whether this is a PAM or a pam_krb5 issue. Does 
anyone have any suggestions or ideas how to solve this?

Thanks so far,


More information about the Kerberos mailing list