[32509] in Kerberos


pam_krb5 questions

daemon@ATHENA.MIT.EDU (Techie)
Thu Jul 15 15:15:15 2010

Date: Thu, 15 Jul 2010 12:15:05 -0700
Message-ID: <AANLkTikWNaywCBbPMQEOzzukXPscff0EkHSVmCL6Yu1k@mail.gmail.com>
From: Techie <techchavez@gmail.com>
To: kerberos@mit.edu

Hi,

This question is actually regarding both the RHEL pam_krb5 and the
Debian or Russ's pam_krb5. What I am trying to do is to have krb5
principals log in via ssh and authenticate to a local account,
so principal joejohnson@EXAMPLE.COM should be authenticated as local
account joe on the local box. I should mention that the host does not
have a keytab but I am simply trying to authenticate via ssh. I can
authenticate perfectly if the principal matches the local account.

Now I see that the krb5.conf allows for something like this, but it
does not work. Auth fails and I get an error that joe@EXAMPLE.COM is
not found in the database. It is not mapping joejohnson@EXAMPLE.COM to
joe; it's trying joe@EXAMPLE.COM, which won't work. This is true on
RHEL and Debian.

[REALMS]
        EXAMPLE.COM = {
                auth_to_local_names = {
                        joejohnson = joe
                }
        }

However, if I put this in appdefaults and add a .k5login with
joejohnson@EXAMPLE.COM in /home/joe, I can log in via ssh fine. This
is only with Debian!! RHEL still fails.

[appdefaults]
        forwardable = true
        pam = {
                minimum_uid = 100
                EXAMPLE.COM = {
                        search_k5login = true
                }
        }

But I'd rather use auth_to_local_names or auth_to_local with a
regex. A .k5login for every user may get tedious, but I can deal if I
have to.
Now the Red Hat krb5.conf man page states that I can use these
auth_to_local parameters, but as I said it still looks for the
joe@EXAMPLE.COM entry and not the joejohnson@EXAMPLE.COM entry. What
am I doing wrong? Also it seems that the RHEL pam_krb5 does not
support "search_k5login"; is that accurate?

What is the suggested method here for mapping principals with unlike
local account names using both RHEL and Debian pam_krb5? I must be
doing something incorrectly, so any help is appreciated.


Thanks
TC
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
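The following is an added example, not part of the post above and not code from MIT krb5 or either pam_krb5. It models, in Python, the direction in which the krb5.conf settings discussed in the post operate: auth_to_local_names and auth_to_local RULEs are consulted by krb5_aname_to_localname(), which turns an already-authenticated principal into a local user name. A password-checking PAM module starts from the login name instead, and the only principal it can form from "joe" is joe@EXAMPLE.COM, which is exactly the "not found in the database" result the post reports; a .k5login read via search_k5login is what adds joejohnson@EXAMPLE.COM as a further candidate. REALM_CONFIG, the second "user/ops" rule and the JOE_K5LOGIN contents are constructed for the demonstration; the kuserok() model follows MIT's historical default of treating an existing .k5login as authoritative. Note that the krb5.conf documentation spells the section [realms] in lower case, and as far as I recall the profile library's section lookup is case-sensitive, so the upper-case [REALMS] in the post is worth checking as well.

```python
import re

# Constructed configuration (not from the post): the per-realm settings that
# MIT krb5's krb5_aname_to_localname() consults, as a [realms] section carries them.
DEFAULT_REALM = "EXAMPLE.COM"
REALM_CONFIG = {
    "EXAMPLE.COM": {
        # auth_to_local_names: exact principal name (realm stripped) -> local account
        "auth_to_local_names": {"joejohnson": "joe"},
        # auth_to_local: RULE:[n:fmt](regex)s/pat/repl/[g]... or DEFAULT, tried in order
        "auth_to_local": [
            # strip the realm from any one-component principal of this realm
            "RULE:[1:$1@$0](^.*@EXAMPLE\\.COM$)s/@EXAMPLE\\.COM$//",
            # hypothetical: user/ops@EXAMPLE.COM -> local account ops-user
            "RULE:[2:$2-$1](^ops-.*)",
            "DEFAULT",
        ],
    },
}

SUB_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")


def parse_rule(rule):
    """Split 'RULE:[n:fmt](regex)s/a/b/g...' into (n, fmt, regex, [(a, b, global)])."""
    if not rule.startswith("RULE:["):
        raise ValueError(f"not a RULE: {rule}")
    n_str, _, rest = rule[len("RULE:["):].partition(":")
    fmt, _, rest = rest.partition("]")
    if not rest.startswith("("):
        raise ValueError(f"missing (regex): {rule}")
    depth, i = 0, 0  # find the ')' closing the regex, honouring escapes and nesting
    while i < len(rest):
        if rest[i] == "\\":
            i += 2
            continue
        if rest[i] == "(":
            depth += 1
        elif rest[i] == ")":
            depth -= 1
            if depth == 0:
                break
        i += 1
    else:
        raise ValueError(f"unterminated (regex): {rule}")
    regex, subs_str = rest[1:i], rest[i + 1:]
    subs = [(m.group(1), m.group(2), m.group(3) == "g") for m in SUB_RE.finditer(subs_str)]
    return int(n_str), fmt, regex, subs


def apply_rule(rule, components, realm):
    """Local name produced by one RULE, or None when the rule does not apply."""
    n, fmt, regex, subs = parse_rule(rule)
    if len(components) != n:
        return None
    text = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the components (<10 assumed)
    for idx, comp in enumerate(components, start=1):
        text = text.replace(f"${idx}", comp)
    if re.fullmatch(regex, text) is None:  # MIT requires the whole string to match
        return None
    for pattern, repl, is_global in subs:
        # repl uses Python's \1 backreference syntax; sed's & is not modelled
        text = re.sub(pattern, repl, text, count=0 if is_global else 1)
    return text


def aname_to_localname(principal):
    """Model of krb5_aname_to_localname(): principal -> local user name, or None."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    realm_cfg = REALM_CONFIG.get(realm, {})
    explicit = realm_cfg.get("auth_to_local_names", {})
    if name in explicit:  # explicit entries are tried before the rules
        return explicit[name]
    for rule in realm_cfg.get("auth_to_local", ["DEFAULT"]):
        if rule == "DEFAULT":  # only one-component principals of the default realm
            if len(components) == 1 and realm == DEFAULT_REALM:
                return components[0]
            continue
        result = apply_rule(rule, components, realm)
        if result is not None:
            return result
    return None


def kuserok(principal, login_name, k5login_lines=None):
    """Model of krb5_kuserok() after a keytab/GSSAPI login: an existing ~/.k5login
    is authoritative; otherwise the principal must map to login_name."""
    if k5login_lines is not None:
        entries = {l.strip() for l in k5login_lines if l.strip() and not l.startswith("#")}
        return principal in entries
    return aname_to_localname(principal) == login_name


def principals_to_try(login_name, k5login_lines=None, search_k5login=False):
    """Principals a password-checking PAM module can attempt for a login name: the
    mapping above never runs user -> principal, so only user@DEFAULT_REALM is
    available, plus ~/.k5login entries when search_k5login is enabled."""
    candidates = [f"{login_name}@{DEFAULT_REALM}"]
    if search_k5login and k5login_lines:
        for line in k5login_lines:
            line = line.strip()
            if line and not line.startswith("#") and line not in candidates:
                candidates.append(line)
    return candidates


# Constructed /home/joe/.k5login contents for the demonstration
JOE_K5LOGIN = ["# principals allowed to log in as joe", "joejohnson@EXAMPLE.COM", ""]

if __name__ == "__main__":
    for p in ("joejohnson@EXAMPLE.COM", "alice@EXAMPLE.COM", "dave/ops@EXAMPLE.COM",
              "bob/admin@EXAMPLE.COM", "carol@OTHER.ORG"):
        print(f"{p:26} -> {aname_to_localname(p)}")
    print("login joe, no .k5login    ->", principals_to_try("joe"))
    print("login joe, search_k5login ->", principals_to_try("joe", JOE_K5LOGIN, True))
    print("joejohnson may be joe?    ->", kuserok("joejohnson@EXAMPLE.COM", "joe"))
```

Running it shows joejohnson@EXAMPLE.COM mapping to joe and bob/admin@EXAMPLE.COM mapping to nothing (no rule covers a two-component principal that is not an ops instance), while principals_to_try("joe") yields only joe@EXAMPLE.COM until a .k5login is searched. In other words, the auth_to_local machinery only helps once the host can accept an already-authenticated principal, for example GSSAPI with a host keytab, and a keytab-less password login has to be told which principals to try some other way.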
