"Christopher D. Clausen" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > >From the manual page: > http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html > > realm=<realm> > "If the obtained credentials are supposed to allow access to a shell > account, the user will need an appropriate .k5login file entry or the > system will have to have a custom aname_to_localname mapping. " > > Do you have the appropriate entries in .k5login? Or a custom > aname_to_localname mapping (presumably in krb5.conf) ? > > <<CDC
That would be the second step after auth which I didn't pass as pam_krb5 never send an AS-REQ to DOMAIN2.COM's kdc Markus > > Markus Moeller <[EMAIL PROTECTED]> wrote: >> Russ, >> >> I have a setup where I have two domains with trust and would like to >> have users from either domain to login to my Unix machine to >> applications which can't use GSSAPI so I need to use pam_krb5 to have >> some form of SSO. My Unix system is in DOMAIN1.COM which is >> configured to be the default domain in krb5.conf . I configured pam >> (on Solaris 2.8) as follows: >> >> #authentication >> other auth sufficient pam_krb5-2.6.so.1 minimum_uid=100 debug >> other auth sufficient pam_krb5-2.6.so.1 minimum_uid=100 >> realm=DOMAIN2.COM use_first_pass debug >> other auth required pam_unix.so.1 try_first_pass debug >> # account >> other account sufficient pam_krb5-2.6.so.1 minimum_uid=100 debug >> other account sufficient pam_krb5-2.6.so.1 minimum_uid=100 >> realm=DOMAIN2.COM debug >> other account required pam_unix.so.1 debug >> # session >> other session required pam_default.so.1 debug >> >> The problem I have is that despite setting the realm to DOMAIN2.COM >> the system always tries to connect to kdcs of DOMAIN1.COM never >> DOMAIN2.COM despite getting an unknown user from DOMAIN1 for users of >> DOMAIN2 as it should be. It seems that the kerberos context of the >> first pam_sm_authenticate call is still used for the second despite >> changing the realm. >> >> Thanks >> Markus >> >> BTW Is it intention to use different defines for the below ? >> >> # grep KRB5_GET_INIT *.[ch] >> config.h:/* #undef HAVE_KRB5_GET_INIT_OPT_SET_DEFAULT_FLAGS */ >> support.c:#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS >> # >> >> >> "Russ Allbery" <[EMAIL PROTECTED]> wrote in message >> news:[EMAIL PROTECTED] >>> I'm pleased to announce release 2.6 of my Kerberos v5 PAM module. >>> This is a bug-fix release; the feature improvements that were >>> intended to be in this release have been deferred to the next >>> release. >>> >>> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or >>> Heimdal. It supports ticket refreshing by screen savers, >>> configurable authorization handling, authentication of non-local >>> accounts for network services, password changing, and password >>> expiration, as well as all the standard expected PAM features. It >>> works correctly with OpenSSH, even with >>> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and >>> supports configuration either by PAM options or in krb5.conf or >>> both. >>> >>> Changes from previous release: >>> >>> Don't assume the pointer set by pam_get_user is usable over the >>> life of the PAM module; instead, save a local copy. >>> >>> Avoid a use of already freed memory when debugging is enabled. >>> >>> Use __func__ instead of __FUNCTION__ and provide a fallback for >>> older versions of gcc and for systems that support neither. >>> Should fix compilation issues with Sun's C compiler. >>> >>> On platforms where we know the appropriate compiler flags, try to >>> build the module so that symbols are resolved within the module in >>> preference to any externally available symbols. Also add the >>> hopefully correct compiler flags for Sun's C compiler. >>> >>> You can download it from: >>> >>> <http://www.eyrie.org/~eagle/software/pam-krb5/> >>> >>> Debian packages will be uploaded to Debian unstable once I have >>> approval from the release managers. >>> >>> Please let me know of any problems or feature requests not already >>> listed in the TODO file. > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
