Hi,

This question is actually regarding both the RHEL pam_krb5 and the Debian or Russ's pam_krb5. What I am trying to do is to have krb5 principals log in via ssh and authenticate to a local account, so principal joejohn...@example.com should be authenticated as local account joe on the local box. I should mention that the host does not have a keytab, but I am simply trying to authenticate via ssh. I can authenticate perfectly if the principal matches the local account.

Now I see that the krb5.conf allows for something like this, but it does not work. Auth fails and I get an error that j...@example.com is not found in the database. It is not mapping joejohn...@example.com to joe. It's trying j...@example.com, which won't work. This is true on RHEL and Debian.

    [REALMS]
        EXAMPLE.COM = {
            auth_to_local_names = {
                joejohnson = joe
            }
        }

However, if I put this in appdefaults and add a .k5login with joejohn...@example.com in /home/joe, I can log in via ssh fine. This is only with Debian!! RHEL still fails.

    [appdefaults]
        forwardable = true
        pam = {
            minimum_uid = 100
            EXAMPLE.COM = {
                search_k5login = true
            }
        }

But I'd rather use auth_to_local_names or auth_to_local with a regex. A .k5login for every user may get tedious, but I can deal if I have to.

Now the RedHat krb5.conf man page states that I can use these auth_to_local parameters, but as I said it still looks for the j...@example.com entry and not the joejohn...@example.com entry. What am I doing wrong?

Also, it seems that the RHEL pam_krb5 does not support "search_k5login"; is that accurate?

What is the suggested method here for mapping principals with unlike local account names using both RHEL and Debian pam_krb? I must be doing something incorrectly, so any help is appreciated.

Thanks
TC
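
The two mechanisms named in the message above (auth_to_local_names and ~/.k5login), modeled in simplified form to show which direction each lookup runs. This is an added example, not part of the original post and not code from MIT krb5 or either pam_krb5; the function names, the default realm and the sample principals are assumptions constructed for illustration.

```python
# Simplified model (an assumption, not MIT krb5 source) of how krb5.conf
# name mapping and ~/.k5login decide "may principal P act as local user U".

DEFAULT_REALM = "EXAMPLE.COM"
# Constructed sample equivalent to the auth_to_local_names stanza in the post.
AUTH_TO_LOCAL_NAMES = {"joejohnson": "joe"}


def aname_to_localname(principal, names=AUTH_TO_LOCAL_NAMES, realm=DEFAULT_REALM):
    """Map a principal to a local account name, or None if no rule applies."""
    name, _, prealm = principal.partition("@")
    if prealm != realm:
        return None          # this model covers the default realm only
    if name in names:
        return names[name]   # explicit auth_to_local_names entry wins
    if "/" in name:
        return None          # DEFAULT rule rejects multi-component names
    return name              # DEFAULT rule: principal name is the local name


def may_login_as(principal, local_user, k5login=None):
    """Authorization decision for an already-known principal.

    k5login is the list of principals in ~local_user/.k5login, or None when
    the file does not exist.
    """
    if k5login is not None:
        return principal in k5login      # file present: it alone decides
    return aname_to_localname(principal) == local_user


def principals_for(local_user, names=AUTH_TO_LOCAL_NAMES, realm=DEFAULT_REALM):
    """Reverse lookup (local user -> principals): the table is keyed by
    principal, so this direction needs a scan and may return several names."""
    return [f"{p}@{realm}" for p, u in names.items() if u == local_user]
```

Both checks start from a principal and end at a local account; going from the account name typed at the ssh prompt to a principal is the reverse direction, which is what a .k5login in the user's home directory supplies.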