Bill Shaver <[EMAIL PROTECTED]> wrote:
> I need to add at least one more Kerberos realm (read MS Windows forest/AD)
> back-end authentication store. (These MS Windows forests do not trust
> each other.) On the radius server (computer), I can manually perform kinit
> requests against each krb5 realm just fine. My problem is how do I get
> freeradius (or PAM) to take the authentication request and direct it to
> the correct Kerberos server/realm. It seems this should not be that hard,
> I am probably missing something very basic.

That would depend on pam_krb5. If it doesn't describe how to do this, it probably can't.

> -- I have looked into the rlm_krb, but have gotten nowhere (I can't
> find it in the RPMs, and I can't get it to compile).

If it's not in the RPM's, it's probably because the Kerberos on RH is different than the one in the module. You might try the latest CVS snapshot. The kerberos module may have been updated.

> -- I have looked at (although not experimented with) LDAP authentication,
> but it looks like I would have the same problem.

I'm not sure why. You can have multiple instances of the LDAP module, each pointing to a different back-end.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
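
The multiple-instance LDAP setup mentioned in the reply, sketched as an added example that is not part of the original message. It assumes FreeRADIUS 3.0.x configuration syntax and realms declared in proxy.conf; every hostname, DN, password, realm and instance name is a placeholder.

```conf
# Added example (FreeRADIUS 3.0.x syntax assumed); all names and values are placeholders.
ldap ldap_forest_a {
    server   = 'ldaps://dc1.forest-a.example'
    identity = 'CN=radius-svc,CN=Users,DC=forest-a,DC=example'
    password = 'CHANGE_ME_A'
    base_dn  = 'DC=forest-a,DC=example'
    user {
        base_dn = "${..base_dn}"
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}
ldap ldap_forest_b {
    server   = 'ldaps://dc1.forest-b.example'
    identity = 'CN=radius-svc,CN=Users,DC=forest-b,DC=example'
    password = 'CHANGE_ME_B'
    base_dn  = 'DC=forest-b,DC=example'
    user {
        base_dn = "${..base_dn}"
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}
# Virtual server: choose the instance from the realm part of user@realm.
authorize {
    suffix    # sets Realm for realms that are defined in proxy.conf
    if (&Realm == 'forest-a.example') {
        ldap_forest_a
        if (ok || updated) {
            update control {
                &Auth-Type := ldap_forest_a
            }
        }
    }
    elsif (&Realm == 'forest-b.example') {
        ldap_forest_b
        if (ok || updated) {
            update control {
                &Auth-Type := ldap_forest_b
            }
        }
    }
}
authenticate {
    Auth-Type ldap_forest_a {
        ldap_forest_a
    }
    Auth-Type ldap_forest_b {
        ldap_forest_b
    }
}
```

LDAP bind authentication needs the user's cleartext password, so this layout only serves PAP-style requests. Each instance should also carry its own TLS settings so the directory server's certificate is validated before the service credentials are sent.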