Hi,

This question is actually regarding both the RHEL pam_krb5 and the
Debian or Russ's pam_krb5. What I am trying to do is to have krb5
principals log in via ssh and authenticate to a local account.
So principal joejohn...@example.com should be authenticated as local
account joe on the local box. I should mention that the host does not
have a keytab but I am simply trying to authenticate via ssh. I can
authenticate perfectly if the principal matches the local account.

Now I see that krb5.conf allows for something like this, but it
does not work. Auth fails and I get an error that j...@example.com is
not found in the database. It is not mapping joejohn...@example.com to
joe. It's trying j...@example.com, which won't work. This is true on
RHEL and Debian.

[REALMS]
    EXAMPLE.COM = {
        auth_to_local_names = {
            joejohnson = joe
        }
    }

However, if I put this in appdefaults and add a .k5login with
joejohn...@example.com in /home/joe, I can log in via ssh fine. This
is only with Debian!! RHEL still fails.

[appdefaults]
    forwardable = true
    pam = {
        minimum_uid = 100
        EXAMPLE.COM = {
            search_k5login = true
        }
    }

But I'd rather use auth_to_local_names or auth_to_local with a
regex. A .k5login for every user may get tedious but I can deal if I
have to.
Now the RedHat krb5.conf man page states that I can use these
auth_to_local parameters, but as I said it still looks for the
j...@example.com entry and not the joejohn...@example.com entry. What
am I doing wrong? Also it seems that the RHEL pam_krb5 does not
support "search_k5login", is that accurate?

What is the suggested method here for mapping principals with unlike
local account names using both RHEL and Debian pam_krb? I must be
doing something incorrectly so any help is appreciated.


Thanks
TC
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
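
The two krb5.conf settings mentioned above, auth_to_local_names and auth_to_local, translate a principal name into a local account name, with explicit names consulted before the rules. The following is an added example, not part of the original post and not code from MIT Kerberos or either pam_krb5: a simplified Python model of that lookup. The realm, name table and RULE are constructed, only the `RULE:[n:string](regexp)s/pattern/replacement/g` form and `DEFAULT` are handled, and Python's `re` stands in for POSIX regular expressions.

```python
import re

# Constructed sample configuration; not taken from the original post.
DEFAULT_REALM = "EXAMPLE.COM"
NAMES = {"joejohnson": "joe"}  # auth_to_local_names: principal name -> local user
RULES = [r"RULE:[1:$1@$0](.*-admin@EXAMPLE\.COM)s/-admin@.*//", "DEFAULT"]

# RULE:[n:string](regexp)s/pattern/replacement/g  (regexp and s/// are optional)
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")


def split_principal(principal):
    """Return (components, realm); a name without '@' gets the default realm."""
    name, _, realm = principal.rpartition("@")
    if not name:
        name, realm = realm, DEFAULT_REALM
    return name.split("/"), realm


def apply_rule(rule, comps, realm):
    """Apply one auth_to_local value; None means 'rule not applicable'."""
    if rule == "DEFAULT":
        # Only single-component principals in the default realm qualify.
        return comps[0] if len(comps) == 1 and realm == DEFAULT_REALM else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    n, fmt, regexp, pat, repl, g = m.groups()
    if len(comps) != int(n):
        return None
    # $0 is the realm, $k the k-th component of the principal.
    s = re.sub(r"\$(\d)", lambda k: ([realm] + comps)[int(k.group(1))], fmt)
    if regexp is not None and not re.fullmatch(regexp, s):
        return None  # the regexp has to match the whole selection string
    if pat is not None:
        s = re.sub(pat, repl, s, count=0 if g else 1)
    return s


def aname_to_localname(principal, names=NAMES, rules=RULES):
    """Explicit auth_to_local_names entry first, then auth_to_local in order."""
    comps, realm = split_principal(principal)
    if "/".join(comps) in names:
        return names["/".join(comps)]
    for rule in rules:
        local = apply_rule(rule, comps, realm)
        if local is not None:
            return local
    return None  # no mapping: the principal has no local account name
```

The input to the lookup is always a principal and the output a local user name; nothing in these tables turns the local name joe back into a principal.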
