Cross Realm Auth problems

jim.sifferle@tektronix.com
Thu Feb 19 12:58:06 EST 2009


Hi All,

I'm trying to configure Kerberos clients on CentOS 5.2 to authenticate against two AD forests.  Here's what I'm hoping to accomplish:


- Default Realm = REALM1.COM
- Second Realm = REALM2.COM
- User1@REALM1.COM can authenticate as User1 or User1@REALM1.COM
- User2@REALM2.COM can authenticate as User2@REALM2.COM
- REALM1.COM and REALM2.COM are stripped during auth so that User1@REALM1.COM or User2@REALM2.COM are resolved to local UIDs User1 and User2

I can run kinit to get a ticket for either realm.  I see the valid ticket with klist.  I can authenticate as User1 or User2 against either realm when it's set to the default realm.  I cannot log in when the user string is User1@REALM1.COM or User2@REALM2.COM.  I get an error from PAM saying "Invalid user User1@REALM1.COM..." I think because PAM expects User1@REALM1.COM to be a local UID.

I've looked through the man pages and some other info online.  I think the auth_to_local, auth_to_local_names, or auth_to_local_realm directives and/or .k5login might be part of the solution, but the various configurations I've tried have all failed with the PAM Invalid User error for fully qualified user names.  Any suggestions and help would be greatly appreciated.

Here is my current simple krb5.conf:

[libdefaults]
 clockskew     = 300
 dns_lookup_realm = false
 dns_lookup_kdc = true
 default_realm = REALM1.COM

[appdefaults]
 pam = {
  ticket_lifetime    = 1d
  renew_lifetime     = 1d
  forwardable        = true
  proxiable          = false
  retain_after_close = false
  minimum_uid        = 0
 }

Thanks,

Jim Sifferle
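An added example, not part of the original post, showing the realm-stripping mapping described above as MIT Kerberos auth_to_local rules. It assumes the MIT library's RULE syntax (looked up under the default realm's [realms] entry) and that the PAM module in use resolves principals through the library's principal-to-local-name mapping; the realm names are the ones from the post.

```ini
[libdefaults]
 default_realm = REALM1.COM

[realms]
 REALM1.COM = {
  # Rule 1: for single-component principals ([1:...]), build the string
  # "$1@$0" (name@realm), match only REALM2.COM principals with an
  # anchored regexp, then strip the realm suffix with a sed-style
  # substitution: User2@REALM2.COM -> User2.
  auth_to_local = RULE:[1:$1@$0](^[^/@]+@REALM2\.COM$)s/@REALM2\.COM$//
  # Rule 2: DEFAULT strips the realm only for single-component principals
  # in the default realm (User1@REALM1.COM -> User1) and rejects everything
  # else, so a principal from an unlisted realm never maps to a local account.
  auth_to_local = DEFAULT
 }
```

Because both realms are collapsed into one local name space, a principal named User1 in REALM2.COM would also map to the local account User1; either guarantee the two forests' user names cannot collide, or give REALM2.COM principals a distinct prefix in the replacement (for example s/^(.*)@REALM2\.COM$/realm2_\1/) and create the local accounts under that name.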
