Linux : krb5 and pam
Quinten
quinten at xs4all.nl
Wed Mar 29 18:21:04 EST 2006
Hello,

Our environment is currently using 2 AD/realms. I am trying to set up
a RHEL3 host to authenticate users from both realms. If the
default_realm in /etc/krb5.conf is set to one realm, the users in the
other realm cannot authenticate and vice versa. So there is no issue on
any settings, they just seem unable to coexist.

The pam_krb5.so module in /etc/pam.d/system-auth is set to
"sufficient". I have tried to add another entry:

    account sufficient /lib/security/$ISA/pam_krb5.so.0
    account sufficient /lib/security/$ISA/pam_krb5.so.0\
        realm=not.my.default

But when I try to authenticate as a user from the non-default domain I
get an error that the user cannot be found in the Kerberos database.
Users from the default_realm are able to authenticate. It seems the
stack stops at the first entry and returns a status OK to PAM when it is
executed. The pam_krb5 module itself however does not attempt to try the
other realm as defined in /etc/krb5.conf. There is a similar setup we
have on Solaris hosts that does actually work.

I am not quite sure whether this is a PAM or a pam_krb5 issue. Does
anyone have any suggestions or ideas how to solve this?

Thanks so far,
Quinten