[32598] in Kerberos


Re: pam_krb5 question on multiple user realms

daemon@ATHENA.MIT.EDU (Nalin Dahyabhai)
Tue Aug 24 17:16:48 2010

Date: Tue, 24 Aug 2010 17:16:35 -0400
From: Nalin Dahyabhai <nalin@redhat.com>
To: SANDERS Miguel <miguel.sanders@arcelormittal.com>
Message-ID: <20100824211635.GC4183@redhat.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206015EE1E9@GEN-MXB-V04.msad.arcelor.net>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, Aug 24, 2010 at 07:56:32PM +0200, SANDERS Miguel wrote:
> I'm currently experimenting with pam_krb5 (2.3.1-47.10.15).
> My setup consists of three realms, of which 1 contains service
> principals (A.COM) and the other two (B.COM and C.COM) are AD domains
> providing user principals. The default realm for our Linux box is A.COM
> but we would like to allow users from B.COM and C.COM to access our
> machine (the users are mapped properly using auth_to_local in
> krb5.conf).
> However there's one thing that I can't find out: is it possible to
> provide multiple user realms in the PAM configuration file, f.e.
>  
> auth     sufficient     pam_krb5.so realm=B.COM -> works ok for users in
> B.COM accessing our domains
> ---
> auth     sufficient     pam_krb5.so realm=C.COM -> works ok for users in
> C.COM accessing our domains
> ---
> auth     sufficient     pam_krb5.so realm=B.COM realm=C.COM -> doesn't
> work...
>  
> Any ideas on how this can be achieved?

If the user names match a regular expression (which is common if you're
using winbind), then they can be mapped to principal names using the
'mappings' option.

Otherwise, you can invoke the module twice, once for each realm, with
each invocation marked "sufficient":
  auth sufficient pam_krb5.so realm=B.COM
  auth sufficient pam_krb5.so realm=C.COM

HTH,

Nalin
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
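Added example, not code from the thread and not pam_krb5 or MIT krb5 code: a small Python model of the two things the exchange above relies on, the PAM auth stack with one 'sufficient' pam_krb5 line per user realm (B.COM and C.COM, as in the reply) and the krb5.conf auth_to_local RULE lines that map the authenticated principal to a local account. The KDC is replaced by a constructed principal-to-password table; the passwords, the closing pam_deny line and the exact RULE text are assumptions made for the example.

```python
import re

# Constructed stand-in for the B.COM and C.COM KDCs (principal -> password).
FAKE_KDC = {"alice@B.COM": "alice-pw", "bob@C.COM": "bob-pw"}

# The stack from the reply, one 'sufficient' pam_krb5 line per user realm,
# plus an explicit pam_deny so the stack fails closed (added here, not in the reply).
PAM_AUTH = """\
auth sufficient pam_krb5.so realm=B.COM
auth sufficient pam_krb5.so realm=C.COM
auth required   pam_deny.so
"""

# auth_to_local entries as they would sit under [realms] A.COM = { ... }.
# Assumed rule text: '1:' restricts each rule to one-component principals,
# and the anchored, dot-escaped realm keeps look-alike realms from mapping.
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](^.*@B\.COM$)s/@B\.COM$//",
    r"RULE:[1:$1@$0](^.*@C\.COM$)s/@C\.COM$//",
    "DEFAULT",
]
DEFAULT_REALM = "A.COM"
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)")


def pam_krb5(user, password, realm):
    """Model of pam_krb5 auth: form user@realm and get a TGT with password."""
    return FAKE_KDC.get(f"{user}@{realm}") == password


def parse_stack(text):
    """'type control module [opt=val ...]' lines -> (control, module, opts)."""
    stack = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            _type, control, module, *args = line.split()
            stack.append((control, module, dict(a.split("=", 1) for a in args)))
    return stack


def run_auth_stack(stack_text, user, password):
    """Walk the stack with 'required'/'sufficient' semantics; return the realm
    whose pam_krb5 line authenticated the user, or None on failure."""
    impression, auth_realm = None, None   # None = nothing decided yet
    for control, module, opts in parse_stack(stack_text):
        realm = opts.get("realm")
        # only pam_krb5 is modelled; any other module (pam_deny here) fails
        ok = pam_krb5(user, password, realm) if module == "pam_krb5.so" else False
        if control == "sufficient":
            # success ends the stack unless an earlier 'required' line failed;
            # a failure is ignored and the next line is tried
            if ok and impression is not False:
                return realm
        elif control == "required":
            if not ok:
                impression = False
            elif impression is None:
                impression, auth_realm = True, realm
    return auth_realm if impression else None


def auth_to_local(principal, rules=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """Model of krb5.conf auth_to_local: the first RULE/DEFAULT entry that
    yields a name wins; no match means the principal has no local account."""
    name, realm = principal.rsplit("@", 1)
    parts = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and len(parts) == 1:
                return parts[0]
            continue
        n, fmt, regexp, pat, rep, g = RULE_RE.fullmatch(rule).groups()
        if len(parts) != int(n):
            continue
        # selection string: $0 is the realm, $i the i-th principal component
        formed = re.sub(r"\$(\d+)", lambda v: realm if v.group(1) == "0"
                        else parts[int(v.group(1)) - 1], fmt)
        # assumption: the regexp must cover the whole formed string (as MIT
        # krb5 requires); anchor your rules explicitly anyway
        if re.fullmatch(regexp, formed):
            return re.sub(pat, rep, formed, count=0 if g else 1)
    return None


def login(user, password):
    """PAM picks the realm, then the principal is mapped to a local account."""
    realm = run_auth_stack(PAM_AUTH, user, password)
    return None if realm is None else auth_to_local(f"{user}@{realm}")


if __name__ == "__main__":
    for u, p in [("alice", "alice-pw"), ("bob", "bob-pw"), ("bob", "nope")]:
        print(u, "->", login(u, p))
```

The two checks worth carrying over to a real setup: a wrong password for the first realm is simply ignored by 'sufficient' and the next line is tried, so a bad password costs one failed pre-authentication per realm, and a principal that no RULE matches (a two-component name, or a realm whose dot is not escaped in the rule, so that B.COM also matches BXCOM) must map to nothing rather than to an existing account.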
