pam_krb5 question on multiple user realms

Nalin Dahyabhai nalin at redhat.com
Tue Aug 24 17:16:35 EDT 2010


On Tue, Aug 24, 2010 at 07:56:32PM +0200, SANDERS Miguel wrote:
> I'm currently experimenting with pam_krb5 (2.3.1-47.10.15).
> My setup consists of three realms, of which 1 contains service
> principals (A.COM) and the other two (B.COM and C.COM) are AD domains
> providing user principals. The default realm for our Linux box is A.COM
> but we would like to allow users from B.COM and C.COM to access our
> machine (the users are mapped properly using auth_to_local in
> krb5.conf).
> However there's one thing that I can't find out: is it possible to
> provide multiple user realms in the PAM configuration file, f.e.
>  
> auth     sufficient     pam_krb5.so realm=B.COM -> works ok for users in
> B.COM accessing our domains
> ---
> auth     sufficient     pam_krb5.so realm=C.COM -> works ok for users in
> C.COM accessing our domains
> ---
> auth     sufficient     pam_krb5.so realm=B.COM realm=C.COM -> doesn't
> work...
>  
> Any ideas on how this can be achieved.

If the user names match a regular expression (which is common if you're
using winbind), then they can be mapped to principal names using the
'mappings' option.

Otherwise, you can invoke the module twice, once for each realm, with
each invocation marked "sufficient":
  auth sufficient pam_krb5.so realm=B.COM
  auth sufficient pam_krb5.so realm=C.COM

HTH,

Nalin
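For reference, here is what the two-invocation approach from the reply looks like in a complete auth stack. This is an added illustration, not configuration from the original thread or from the pam_krb5 project; the realm names B.COM and C.COM are the poster's, while the surrounding RHEL-style system-auth layout (pam_env, pam_unix fallback, pam_deny) is an assumption about the box.

```text
# /etc/pam.d/system-auth, auth section only (added example; assumed RHEL-style layout)
auth        required      pam_env.so
# First try the login name as a principal in B.COM. "sufficient" means a
# success here ends the auth stack immediately; a failure just moves on.
auth        sufficient    pam_krb5.so realm=B.COM
# Then try C.COM. Each realm needs its own pam_krb5 line; a single line
# carrying "realm=B.COM realm=C.COM" does not work, as the thread notes.
auth        sufficient    pam_krb5.so realm=C.COM use_first_pass
# Fall back to local accounts without prompting for the password again.
auth        sufficient    pam_unix.so try_first_pass
# Nothing above succeeded: deny explicitly so the stack cannot end on a
# chain of "sufficient" failures and be treated as success by a lenient caller.
auth        required      pam_deny.so
```

Two things worth checking on a setup like this: the trailing `required pam_deny.so` line is what makes the stack fail closed when every `sufficient` module fails, so keep it even though the realm lines look self-contained; and because the realms are tried in order, a C.COM user's login is first attempted against B.COM, so that KDC will see an attempt for the name on every such login, which matters if the same short name exists as a principal in both realms and B.COM enforces a lockout policy.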