Initial Auth Realm Fall-back
Shawn M Emery
shawn.emery at oracle.com
Mon Aug 19 02:39:47 EDT 2013
Wanting to get feedback on a proposal for initial authentication
through multiple realms when the user may not know in which realm or
domain they reside. This is key, given that client referrals do not work
unless a UPN suffix is provided. Currently this configuration is
augmented with the use of the realm option for pam_krb5, which is not
optimal given that pam_krb5 should not entail Kerberos configuration and
this solution does not support kinit/gic applications.
The proposed solution would be a white-list set of the possible realms
used on the authenticating system. For example:
$ cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = DEV.EXAMPLE.COM
fallback_realms = CORP.EXAMPLE.COM ACCT.EXAMPLE.COM
where user foo resides in the ACCT realm and the system has service keys
in the DEV realm. With this configuration, when user foo authenticates
to the system, the default realm DEV is tried. When DEV returns
KDC_ERR_C_PRINCIPAL_UNKNOWN, the new algorithm tries and fails with the
CORP realm request, and succeeds on the third request to the ACCT realm.
Shawn.
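As an added illustration (not code from the post or from MIT Kerberos), the following Python simulates the lookup the proposal describes: it reads default_realm and fallback_realms from a constructed krb5.conf fragment and walks the realms in order, moving to the next one only on KDC_ERR_C_PRINCIPAL_UNKNOWN. The KDC responses are a constructed stub, the error-code values are the RFC 4120 numbers, and treating any other KDC error as terminal (so a bad password in the right realm is reported rather than masked by a later realm) is an assumption added here.

```python
"""Simulation of the proposed fallback_realms lookup (added example)."""
import re

# Constructed krb5.conf fragment mirroring the post's example.
KRB5_CONF = """\
[libdefaults]
    default_realm = DEV.EXAMPLE.COM
    fallback_realms = CORP.EXAMPLE.COM ACCT.EXAMPLE.COM
"""

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # RFC 4120: client principal not found
KDC_ERR_PREAUTH_FAILED = 24       # RFC 4120: e.g. wrong password

def realm_candidates(conf_text):
    """Return [default_realm] + fallback_realms from [libdefaults]."""
    section, default_realm, fallbacks = None, None, []
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section != 'libdefaults' or '=' not in line:
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if key == 'default_realm':
            default_realm = value
        elif key == 'fallback_realms':
            fallbacks = value.split()
    if default_realm is None:
        raise ValueError('no default_realm in [libdefaults]')
    return [default_realm] + fallbacks

def authenticate(user, conf_text, kdc_response):
    """Try user@<realm> for each candidate realm in order.
    kdc_response(principal) returns 0 on success or a KDC error code.
    Only KDC_ERR_C_PRINCIPAL_UNKNOWN advances to the next realm (assumption:
    any other error aborts). Returns (realm, [(realm, code), ...])."""
    attempts = []
    for realm in realm_candidates(conf_text):
        code = kdc_response(f'{user}@{realm}')
        attempts.append((realm, code))
        if code == 0:
            return realm, attempts
        if code != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            raise PermissionError(f'{user}@{realm}: KDC error {code}')
    raise LookupError(f'{user}: principal unknown in all realms')

def fake_kdc(principal):
    """Constructed stub: only foo exists, and only in the ACCT realm."""
    return 0 if principal == 'foo@ACCT.EXAMPLE.COM' else KDC_ERR_C_PRINCIPAL_UNKNOWN
```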