
Re: Multi REALM krb config file.

daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Mar 29 15:51:15 2010

From: Russ Allbery <rra@stanford.edu>
To: Techie <techchavez@gmail.com>
In-Reply-To: <dc3ecf561003291120o1acc9219r2b356077337b7a39@mail.gmail.com>
	(Techie's message of "Mon, 29 Mar 2010 11:20:49 -0700")
Date: Mon, 29 Mar 2010 12:51:10 -0700
Message-ID: <878w9agb4h.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Techie <techchavez@gmail.com> writes:

> Good point.. By it I mean this..
> I have an LDAP setup with all users contained within the tree.
> However these users are broken into 4 KRB REALMS.
> I use pam_krb5 for authentication and it works for the default realm.
> Do you have any links describing how to setup pam_krb5 for multi
> realm? This is basically what I am chasing.

There are two ways to do it.  One is to stack multiple invocations of
pam_krb5 with multiple realms:

    auth sufficient pam_krb5.so realm=FOO.EXAMPLE.COM
    auth sufficient pam_krb5.so realm=BAR.EXAMPLE.COM use_first_pass
    auth sufficient pam_krb5.so realm=BAZ.EXAMPLE.COM use_first_pass
    auth required   pam_unix.so try_first_pass

You will need to either have an appropriate aname_to_localname mapping in
your krb5.conf or you'll need to add .k5login files to user home
directories listing the valid principals allowed to authorize to that
account (or, if you're using Heimdal, list all of the realms as default
realms so that they're all local -- I don't think MIT supports this).

Alternately, if you have the .k5login files anyway, you can just do one
invocation of pam_krb5:

    auth sufficient pam_krb5.so search_k5login
    auth required   pam_unix.so try_first_pass

and it will attempt authentication to each principal listed in .k5login.

Note that in both cases you'll need to be using my pam-krb5 module, not
(for instance) the one from Red Hat.  (Well, the first may work with that;
I've never tried it.)

> Can you please elaborate on what you mean by server referral? Do you
> mean server referral as in LDAP server referrals or as in a referral to
> another KDC for authentication? Maybe a dumb question. I know LDAP
> server referrals are possible but don't know if KRB allows it.

It's something akin to that, yes, although over the Kerberos protocol
instead of the LDAP protocol.  I've never configured this for anything
other than domain_realm mappings for host-based principals, so I can't
tell you how to do it for AS-REQs for users or even if it's currently
possible in that case.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
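As an added example (not part of Russ's message or of pam-krb5 itself), a small checker for the stacked multi-realm pattern he shows: it parses an `auth` stack and flags the mistakes that make that pattern misbehave, such as a later pam_krb5 line without `use_first_pass` (the user is prompted again for that realm) or a realm listed twice. Module and option names are the ones in the snippet; the sample stack is constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed sample: the stacked multi-realm pattern from the post, with two
# deliberate mistakes (BAZ line lacks use_first_pass, BAR realm is duplicated).
SAMPLE_STACK = """\
auth sufficient pam_krb5.so realm=FOO.EXAMPLE.COM
auth sufficient pam_krb5.so realm=BAR.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so realm=BAZ.EXAMPLE.COM
auth sufficient pam_krb5.so realm=BAR.EXAMPLE.COM use_first_pass
auth required   pam_unix.so try_first_pass
"""


@dataclass
class PamLine:
    control: str
    module: str
    options: dict = field(default_factory=dict)  # bare flags map to True


def parse_auth_stack(text):
    """Parse the 'auth' lines of a PAM stack into PamLine records (comments skipped)."""
    lines = []
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].strip()
        fields = raw.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        opts = {}
        for opt in fields[3:]:
            key, _, value = opt.partition("=")
            opts[key] = value if value else True
        lines.append(PamLine(fields[1], fields[2], opts))
    return lines


def check_multi_realm_stack(text):
    """Return findings for the stacked pam_krb5 multi-realm pattern (empty list = OK)."""
    findings = []
    stack = parse_auth_stack(text)
    krb = [ln for ln in stack if ln.module == "pam_krb5.so"]
    seen = set()
    for i, line in enumerate(krb):
        realm = line.options.get("realm")
        if realm in seen:
            findings.append(f"realm {realm} listed twice")
        seen.add(realm)
        # Every pam_krb5 line after the first must reuse the already-entered password.
        if i > 0 and "use_first_pass" not in line.options:
            findings.append(f"{realm}: missing use_first_pass, user will be reprompted")
    # The sufficient lines need a required fallback after them, as in the post.
    if not stack or stack[-1].control not in ("required", "requisite"):
        findings.append("stack does not end in a required fallback module")
    return findings
```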