[30741] in Kerberos
Cross Realm Auth problems
daemon@ATHENA.MIT.EDU (jim.sifferle@tektronix.com)
Thu Feb 19 12:59:07 2009
From: <jim.sifferle@tektronix.com>
To: <kerberos@mit.edu>
Date: Thu, 19 Feb 2009 09:58:06 -0800
Message-ID: <95948F47ECC185449EE89E2CC4F7C6EC2286023B6A@us-bv-m10.global.tektronix.net>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi All,
I'm trying to configure Kerberos clients on CentOS 5.2 to authenticate against two AD forests. Here's what I'm hoping to accomplish:
- Default Realm = REALM1.COM
- Second Realm = REALM2.COM
- User1@REALM1.COM can authenticate as User1 or User1@REALM1.COM
- User2@REALM2.COM can authenticate as User2@REALM2.COM
- REALM1.COM and REALM2.COM are stripped during auth so that User1@REALM1.COM or User2@REALM2.COM are resolved to local UIDs User1 and User2
I can run kinit to get a ticket for either realm. I see the valid ticket with klist. I can authenticate as User1 or User2 against either realm when it's set to the default realm. I cannot login when the user string is User1@REALM1.COM or User2@REALM2.COM. I get an error from PAM saying "Invalid user User1@REALM1.COM..." I think because PAM expects User1@REALM1.COM to be a local UID.
I've looked through the man pages and some other info online. I think the auth_to_local, auth_to_local_names, or auth_to_local_realm directives and/or .k5login might be part of the solution, but the various configurations I've tried have all failed with the PAM Invalid User error for fully qualified user names. Any suggestions and help would be greatly appreciated.
Here is my current simple krb5.conf:
[libdefaults]
    clockskew = 300
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = REALM1.COM

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
    }
Thanks,
Jim Sifferle
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
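The auth_to_local mechanism the post mentions can be checked offline before touching PAM. The following is an added example, not code from the post or from MIT Kerberos: a small evaluator for the MIT auth_to_local RULE/DEFAULT syntax, run over a constructed rule list that strips REALM2.COM from foreign principals and falls back to DEFAULT for the local realm (such rules go in the default realm's [realms] stanza). It assumes the selector regexp must match the whole formed string, as MIT does.

```python
import re

# Constructed rule list modelling the mapping the post asks for: strip
# REALM2.COM from that realm's principals, then DEFAULT handles REALM1.COM.
DEFAULT_REALM = "REALM1.COM"
RULES = [
    r"RULE:[1:$1@$0](.*@REALM2\.COM)s/@REALM2\.COM//",
    "DEFAULT",
]

# RULE:[n:template](selector)s/pattern/replacement/[g]
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")

def _apply_rule(rule, components, realm):
    """Return the local name produced by one rule, or None if it does not apply."""
    if rule == "DEFAULT":
        # A single-component principal in the default realm maps to itself;
        # anything else makes DEFAULT inapplicable (and foreign realms fail).
        if len(components) == 1 and realm == DEFAULT_REALM:
            return components[0]
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    ncomp, template, selector, pattern, repl, flag = m.groups()
    if len(components) != int(ncomp):
        return None
    # $0 is the realm, $1..$n are the principal's components.
    s = template.replace("$0", realm)
    for i, c in enumerate(components, 1):
        s = s.replace(f"${i}", c)
    # Assumption: the selector has to match the entire formed string.
    if not re.fullmatch(selector, s):
        return None
    # Trailing 'g' makes the substitution global, otherwise first match only.
    return re.sub(pattern, repl, s, count=0 if flag else 1)

def auth_to_local(principal, rules=RULES):
    """Map 'name[/inst]@REALM' to a local user name; None means no rule matched."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal must carry a realm")
    components = name.split("/")
    for rule in rules:
        local = _apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None
```

These rules only govern how the library maps an authenticated principal to a local name; the resulting account (User1, User2) still has to exist locally for PAM's account lookup to succeed.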