[30743] in Kerberos


Re: Cross Realm Auth problems

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Feb 19 14:15:48 2009

Message-ID: <499DAFAE.6020609@anl.gov>
Date: Thu, 19 Feb 2009 13:14:54 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: jim.sifferle@tektronix.com
In-Reply-To: <95948F47ECC185449EE89E2CC4F7C6EC2286023B6A@us-bv-m10.global.tektronix.net>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



jim.sifferle@tektronix.com wrote:
> Hi All,
> 
> I'm trying to configure Kerberos clients on CentOS 5.2 to authenticate against two AD forests.  Here's what I'm hoping to accomplish:
> 
> 
> -          Default Realm = REALM1.COM
> 
> -          Second Realm = REALM2.COM
> 
> -          User1@REALM1.COM can authenticate as User1 or User1@REALM1.COM
> 
> -          User2@REALM2.COM can authenticate as User2@REALM2.COM
> 
> -          REALM1.COM and REALM2.COM are stripped during auth so that User1@REALM1.COM or User2@REALM2.COM are resolved to local UIDs User1 and User2
> 
> I can run kinit to get a ticket for either realm.  I see the valid ticket with klist.  I can authenticate as User1 or User2 against either realm when it's set to the default realm.  I cannot login when the user string is User1@REALM1.COM or User2@REALM2.COM.  I get an error from PAM saying "Invalid user User1@REALM1.COM..." I think because PAM expects User1@REALM1.COM to be a local UID.
> 
> I've looked through the man pages and some other info online.  I think the auth_to_local, auth_to_local_names, or auth_to_local_realm directives and/or .k5login might be part of the solution, but the various configurations I've tried have all failed with the PAM Invalid User error for fully qualified user names.  Any suggestions and help would be greatly appreciated.
> 

What version of pam_krb5 are you using?
It may or may not accept a principal in place of a name. Some
versions of pam_krb5 can add an additional prompt to
prompt for the principal, so that the local user name does not
have to match the principal, and can be from a different realm.


Russ's version has the above feature and is in Debian:
     <http://www.eyrie.org/~eagle/software/pam-krb5/>

You also did not say if you created a host keytab and registered
the host in AD. pam_krb5 will try and get a service ticket
for the local host.

> Here is my current simple krb5.conf:
> 
> [libdefaults]
>  clockskew     = 300
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  default_realm = REALM1.COM
> 
> [appdefaults]
>  pam = {
>   ticket_lifetime    = 1d
>   renew_lifetime     = 1d
>   forwardable        = true
>   proxiable          = false
>   retain_after_close = false
>   minimum_uid        = 0
>  }
> 
> Thanks,
> 
> Jim Sifferle
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
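
Editor's note, added to this archive page and not part of the thread: the auth_to_local
directive the poster mentions is the piece that turns User2@REALM2.COM into the local
name User2, and its rules are worth seeing evaluated against concrete principals. The
script below is a small, simplified reimplementation of MIT krb5's RULE/DEFAULT matching
(it is not libkrb5's code): $0 expands to the realm and $1..$n to the components, the
optional selection regexp has to match the whole formatted string, then the sed-style
substitutions run, and the first rule that yields a name wins. The two rule sets,
DEFAULT_REALM, the r2- prefix and the sample principals are constructed for the example;
MIT krb5 reads these rules from the default realm's stanza in [realms], which is where
the REALM2 rule has to go even though it concerns REALM2 principals. The run shows the
caveat a realm-stripping rule carries: User1@REALM2.COM lands in the same local account as
User1@REALM1.COM, and a principal no rule maps must be refused rather than used as a
login name.

```python
import re
from typing import List, Optional, Tuple

# Constructed to match the poster's krb5.conf: the host's default realm.
DEFAULT_REALM = "REALM1.COM"

# Constructed rule set. In krb5.conf it would sit under the default realm:
#   [realms]
#    REALM1.COM = {
#     auth_to_local = RULE:[1:$1@$0](^[^@]+@REALM2\.COM$)s/@REALM2\.COM$//
#     auth_to_local = DEFAULT
#    }
# Rules are tried in order; the first one that produces a name wins.
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](^[^@]+@REALM2\.COM$)s/@REALM2\.COM$//",
    "DEFAULT",
]

# Constructed variant that keeps REALM2 users in their own local namespace
# (r2-<name>) so they cannot land in an account a REALM1 user also maps to.
AUTH_TO_LOCAL_PREFIXED = [
    r"RULE:[1:r2-$1@$0](^r2-[^@]+@REALM2\.COM$)s/@REALM2\.COM$//",
    "DEFAULT",
]


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm). No escape handling."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def _parse_rule(rule: str):
    """Split 'RULE:[n:fmt](select)s/pat/repl/[g]...' into its parts."""
    head = re.match(r"RULE:\[(\d+):([^\]]*)\]", rule)
    if not head:
        raise ValueError(f"malformed rule: {rule!r}")
    ncomp, fmt = int(head.group(1)), head.group(2)
    rest = rule[head.end():]
    select = None
    if rest.startswith("("):
        depth = 0
        for i, ch in enumerate(rest):
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    select, rest = rest[1:i], rest[i + 1:]
                    break
        else:
            raise ValueError(f"unterminated selection regexp: {rule!r}")
    subs = []
    while rest.startswith("s/"):
        # Simplification: '/' may not appear inside pattern or replacement.
        parts = rest[2:].split("/", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed substitution: {rule!r}")
        pattern, repl, rest = parts
        glob = rest.startswith("g")
        if glob:
            rest = rest[1:]
        subs.append((pattern, repl, glob))
    if rest:
        raise ValueError(f"trailing text in rule: {rule!r}")
    return ncomp, fmt, select, subs


def apply_rule(rule: str, components: List[str], realm: str) -> Optional[str]:
    """Return the local name this rule yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm.
        if realm == DEFAULT_REALM and len(components) == 1:
            return components[0]
        return None
    ncomp, fmt, select, subs = _parse_rule(rule)
    if len(components) != ncomp:
        return None

    def expand(m):
        idx = int(m.group(1))          # $0 = realm, $1..$n = components
        if idx > ncomp:
            raise ValueError(f"${idx} out of range in rule {rule!r}")
        return realm if idx == 0 else components[idx - 1]

    text = re.sub(r"\$(\d+)", expand, fmt)
    # The selection regexp has to match the whole formatted string.
    if select is not None and re.fullmatch(select, text) is None:
        return None
    for pattern, repl, glob in subs:
        text = re.sub(pattern, repl, text, count=0 if glob else 1)
    return text


def aname_to_localname(principal: str, rules: List[str] = AUTH_TO_LOCAL) -> Optional[str]:
    """Map a principal to a local user name; None means 'refuse the login'."""
    components, realm = parse_principal(principal)
    for rule in rules:
        name = apply_rule(rule, components, realm)
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    for p in ("User1@REALM1.COM", "User2@REALM2.COM", "User1@REALM2.COM",
              "User3@OTHER.COM", "host/box.example.com@REALM1.COM"):
        print(f"{p:34} -> {aname_to_localname(p)}  /  prefixed: "
              f"{aname_to_localname(p, AUTH_TO_LOCAL_PREFIXED)}")
```

With the first rule set, User1@REALM2.COM maps to local User1 exactly like User1@REALM1.COM
does, so a name collision between the two forests becomes a shared local account; the
prefixed rule set keeps the two apart at the cost of the "stripped" names the poster asked
for. A principal that matches no rule (another realm, or a two-component service principal)
gets no local name, which is the outcome to want for a login path.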
