Cross Realm Auth problems
Douglas E. Engert
deengert at anl.gov
Thu Feb 19 14:14:54 EST 2009
jim.sifferle at tektronix.com wrote:
> Hi All,
>
> I'm trying to configure Kerberos clients on CentOS 5.2 to authenticate against two AD forests. Here's what I'm hoping to accomplish:
>
>
> - Default Realm = REALM1.COM
>
> - Second Realm = REALM2.COM
>
> - User1 at REALM1.COM can authenticate as User1 or User1 at REALM1.COM
>
> - User2 at REALM2.COM can authenticate as User2 at REALM2.COM
>
> - REALM1.COM and REALM2.COM are stripped during auth so that User1 at REALM1.COM or User2 at REALM2.COM are resolved to local UIDs User1 and User2
>
> I can run kinit to get a ticket for either realm. I see the valid ticket with klist. I can authenticate as User1 or User2 against either realm when it's set to the default realm. I cannot login when the user string is User1 at REALM1.COM or User2 at REALM2.COM. I get an error from PAM saying "Invalid user User1 at REALM1.COM..." I think because PAM expects User1 at REALM1.COM to be a local UID.
>
> I've looked through the man pages and some other info online. I think the auth_to_local, auth_to_local_names, or auth_to_local_realm directives and/or .k5login might be part of the solution, but the various configurations I've tried have all failed with the PAM Invalid User error for fully qualified user names. Any suggestions and help would be greatly appreciated.
>
What version of pam_krb5 are you using?
It may or may not accept a principal in place of a name. Some
versions of pam_krb5 can add an additional prompt to
prompt for the principal, so that the local user name does not
have to match the principal, and can be from a different realm.
Russ's version has the above feature and is in Debian:
<http://www.eyrie.org/~eagle/software/pam-krb5/>
You also did not say if you created a host keytab and registered
the host in AD. pam_krb5 will try and get a service ticket
for the local host.
wil normally try and get a
> Here is my current simple krb5.conf:
>
> [libdefaults]
> clockskew = 300
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_realm = REALM1.COM
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> }
>
> Thanks,
>
> Jim Sifferle
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
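Added example, not part of this thread or of any pam_krb5 release: the mapping Jim is after (strip REALM1.COM and REALM2.COM, leave other realms unmapped) expressed as MIT krb5 auth_to_local rules, plus a small evaluator for the RULE:[n:string](regexp)s/pattern/replacement/ and DEFAULT forms so the rules can be checked offline before they go into krb5.conf. The rule set, the realm names and the principals are constructed; the evaluator assumes, as MIT krb5 does, that the selector regexp has to match the whole formatted string, and it uses Python regex syntax for the substitution.

```python
"""Simplified evaluator for MIT krb5 auth_to_local rules (added example).

Assumptions, not taken from the original thread:
  * only the RULE:[n:string](regexp)s/pattern/replacement/[g] and DEFAULT forms
  * the selector regexp must match the whole formatted string (MIT behaviour)
  * the s/// substitution is applied with Python's re module
"""
import re

DEFAULT_REALM = "REALM1.COM"

# Constructed rules. In krb5.conf they belong under the *default* realm's
# stanza in [realms], e.g.
#   [realms]
#     REALM1.COM = {
#       auth_to_local = RULE:[1:$1@$0](^.*@REALM2\.COM$)s/@REALM2\.COM$//
#       auth_to_local = DEFAULT
#     }
# because the library looks rules up in the local realm, not the user's.
AUTH_TO_LOCAL_RULES = [
    # user2@REALM2.COM -> user2 : strip the second realm, and only that realm
    r"RULE:[1:$1@$0](^.*@REALM2\.COM$)s/@REALM2\.COM$//",
    # user1@REALM1.COM -> user1 : single-component principal in default realm
    "DEFAULT",
]

RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def split_principal(principal):
    """Return (components, realm); a principal without @ is in DEFAULT_REALM."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, DEFAULT_REALM
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the local name produced by one rule, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps one-component principals of the default realm
        if realm == DEFAULT_REALM and len(comps) == 1:
            return comps[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomp, fmt, regexp, pat, rep, flag = m.groups()
    if int(ncomp) != len(comps):
        return None          # rule is for principals with a different shape
    # $0 is the realm, $1..$n are the principal components
    s = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, 1):
        s = s.replace("$%d" % i, comp)
    if re.fullmatch(regexp, s) is None:
        return None          # selector did not match this principal
    return re.sub(pat, rep, s, count=0 if flag == "g" else 1)


def map_principal(principal, rules=AUTH_TO_LOCAL_RULES):
    """First matching rule wins; None means 'no local user', which is what
    a PAM module should treat as a failed login rather than a fallback."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("user1", "user1@REALM1.COM", "user2@REALM2.COM",
              "host/box@REALM2.COM", "user3@REALM3.COM"):
        print("%-22s -> %s" % (p, map_principal(p)))
```

The selector pins the realm explicitly (`@REALM2\.COM$`) instead of matching `@.*`; a rule that strips any realm would let a principal from an untrusted realm that happens to share a name with a local account log in as that account, which is the mapping the cross-realm trust is supposed to prevent.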