Cross Realm Auth problems
jim.sifferle@tektronix.com
Thu Feb 19 15:16:54 EST 2009
deengert at anl.gov wrote:
> What version of pam_krb5 are you using?
> It may or may not accept a principal in place of a name. Some
> versions of pam_krb5 can add an additional prompt to
> prompt for the principal, so that the local user name does not
> have to match the principal, and can be from a different realm.
> Russ's version has the above feature and is in Debian:
> <http://www.eyrie.org/~eagle/software/pam-krb5/>
I'm using the default pam_krb5 that comes with CentOS 5.2... 2.2.14. I take it that I will need to update to 3.13 to get this added feature to prompt for principal? I'll have to hunt for a RHEL/CentOS compatible RPM or build one myself.
> You also did not say if you created a host keytab and registered
> the host in AD. pam_krb5 will try and get a service ticket
> for the local host.
I did not create a keytab, nor have I registered the host in AD. I was under the impression that I didn't need to unless I wanted to use other features such as password changes. The use case I'm dealing with doesn't require this feature. Am I incorrect in saying I don't need a keytab or to add the client host to AD in this case?
Thanks for your help,
Jim