[30744] in Kerberos


RE: Cross Realm Auth problems

daemon@ATHENA.MIT.EDU (jim.sifferle@tektronix.com)
Thu Feb 19 15:17:57 2009

From: <jim.sifferle@tektronix.com>
To: <deengert@anl.gov>
Date: Thu, 19 Feb 2009 12:16:54 -0800
Message-ID: <95948F47ECC185449EE89E2CC4F7C6EC22860568DF@us-bv-m10.global.tektronix.net>
In-Reply-To: <499DAFAE.6020609@anl.gov>
Cc: kerberos@mit.edu


deengert@anl.gov wrote: 

> What version of pam_krb5 are you using?
> It may or may not accept a principal in place of a name. Some
> versions of pam_krb5 can add an additional prompt to
> prompt for the principal, so that the local user name does not
> have to match the principal, and can be from a different realm.

> Russ's version has the above feature and is in Debian:
>      <http://www.eyrie.org/~eagle/software/pam-krb5/>

I'm using the default pam_krb5 that comes with CentOS 5.2... 2.2.14.  I take it that I will need to update to 3.13 to get this added feature to prompt for principal?  I'll have to hunt for a RHEL/CentOS compatible RPM or build one myself.

> You also did not say if you created a host keytab and registered
> the host in AD. pam_krb5 will try and get a service ticket
> for the local host.

I did not create a keytab, nor have I registered the host in AD.  I was under the impression that I didn't need to unless I wanted to use other features such as password changes.  The use case I'm dealing with doesn't require this feature.  Am I incorrect in saying I don't need a keytab or to add the client host to AD in this case?

Thanks for your help,

Jim

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
