From the manual page: http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html

realm=<realm>
"If the obtained credentials are supposed to allow access to a shell account, the user will need an appropriate .k5login file entry or the system will have to have a custom aname_to_localname mapping."

Do you have the appropriate entries in .k5login? Or a custom aname_to_localname mapping (presumably in krb5.conf)?

<<CDC

Markus Moeller <[EMAIL PROTECTED]> wrote:
> Russ,
>
> I have a setup where I have two domains with trust and would like to
> have users from either domain to login to my Unix machine to
> applications which can't use GSSAPI so I need to use pam_krb5 to have
> some form of SSO. My Unix system is in DOMAIN1.COM which is
> configured to be the default domain in krb5.conf. I configured pam
> (on Solaris 2.8) as follows:
>
> #authentication
> other auth sufficient pam_krb5-2.6.so.1 minimum_uid=100 debug
> other auth sufficient pam_krb5-2.6.so.1 minimum_uid=100 realm=DOMAIN2.COM use_first_pass debug
> other auth required pam_unix.so.1 try_first_pass debug
> # account
> other account sufficient pam_krb5-2.6.so.1 minimum_uid=100 debug
> other account sufficient pam_krb5-2.6.so.1 minimum_uid=100 realm=DOMAIN2.COM debug
> other account required pam_unix.so.1 debug
> # session
> other session required pam_default.so.1 debug
>
> The problem I have is that despite setting the realm to DOMAIN2.COM
> the system always tries to connect to kdcs of DOMAIN1.COM never
> DOMAIN2.COM despite getting an unknown user from DOMAIN1 for users of
> DOMAIN2 as it should be. It seems that the kerberos context of the
> first pam_sm_authenticate call is still used for the second despite
> changing the realm.
>
> Thanks
> Markus
>
> BTW Is it the intention to use different defines for the below?
>
> # grep KRB5_GET_INIT *.[ch]
> config.h:/* #undef HAVE_KRB5_GET_INIT_OPT_SET_DEFAULT_FLAGS */
> support.c:#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS
> #
>
> "Russ Allbery" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>> I'm pleased to announce release 2.6 of my Kerberos v5 PAM module.
>> This is a bug-fix release; the feature improvements that were
>> intended to be in this release have been deferred to the next
>> release.
>>
>> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or
>> Heimdal. It supports ticket refreshing by screen savers,
>> configurable authorization handling, authentication of non-local
>> accounts for network services, password changing, and password
>> expiration, as well as all the standard expected PAM features. It
>> works correctly with OpenSSH, even with
>> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
>> supports configuration either by PAM options or in krb5.conf or
>> both.
>>
>> Changes from previous release:
>>
>> Don't assume the pointer set by pam_get_user is usable over the
>> life of the PAM module; instead, save a local copy.
>>
>> Avoid a use of already freed memory when debugging is enabled.
>>
>> Use __func__ instead of __FUNCTION__ and provide a fallback for
>> older versions of gcc and for systems that support neither.
>> Should fix compilation issues with Sun's C compiler.
>>
>> On platforms where we know the appropriate compiler flags, try to
>> build the module so that symbols are resolved within the module in
>> preference to any externally available symbols. Also add the
>> hopefully correct compiler flags for Sun's C compiler.
>>
>> You can download it from:
>>
>> <http://www.eyrie.org/~eagle/software/pam-krb5/>
>>
>> Debian packages will be uploaded to Debian unstable once I have
>> approval from the release managers.
>>
>> Please let me know of any problems or feature requests not already
>> listed in the TODO file.
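To make the manual-page point above concrete, here is a small model (added example, not pam-krb5's or MIT Kerberos' own code) of the account decision it describes: a DOMAIN2.COM principal is refused by the default aname_to_localname rule on a DOMAIN1.COM box unless the account's .k5login lists it or a custom mapping is configured. The `strip_realm_map` helper is an assumed stand-in for such a custom mapping; real deployments configure it in krb5.conf.

```python
# Simplified model of the shell-account authorization a Kerberos PAM module
# performs after authentication. Example code added here; it is not the
# module's own implementation.
import re
from typing import Callable, Optional


def default_localname(principal: str, default_realm: str) -> Optional[str]:
    """Default aname_to_localname rule: only single-component principals in
    the default realm map to a local name (their first component)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or realm != default_realm or "/" in name:
        return None
    return name


def strip_realm_map(realm: str) -> Callable[[str], Optional[str]]:
    """Assumed custom mapping for illustration: accept single-component
    principals from `realm` and use the first component as local name."""
    pattern = re.compile(r"^([^/@]+)@" + re.escape(realm) + r"$")

    def mapper(principal: str) -> Optional[str]:
        m = pattern.match(principal)
        return m.group(1) if m else None

    return mapper


def k5login_allows(k5login: str, principal: str) -> bool:
    """.k5login grants access only on an exact principal-name match."""
    entries = {line.strip() for line in k5login.splitlines() if line.strip()}
    return principal in entries


def account_allowed(principal: str, local_user: str, default_realm: str,
                    k5login: Optional[str] = None,
                    custom_map: Optional[Callable[[str], Optional[str]]] = None) -> bool:
    """A present .k5login is authoritative; otherwise the principal must map
    (custom mapping first, then the default rule) to the requested account."""
    if k5login is not None:
        return k5login_allows(k5login, principal)
    mapped = custom_map(principal) if custom_map else None
    if mapped is None:
        mapped = default_localname(principal, default_realm)
    return mapped == local_user


# Constructed sample .k5login for the local account "markus" (not from the thread).
K5LOGIN = "markus@DOMAIN1.COM\nmarkus@DOMAIN2.COM\n"
```

With DOMAIN1.COM as the default realm, `markus@DOMAIN2.COM` is refused without the .k5login entry or the custom mapping, which is the symptom the manual page warns about.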
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos