On 08/12/2015 11:05 PM, Michael Torrie wrote:
> On 08/11/2015 09:39 AM, Daniel Fussell wrote:
>> On 08/10/2015 09:47 PM, Michael Torrie wrote:
>>> [1] In case anyone is curious, an easy way to do this is by making the
>>> kerberos principals be something like "username/admin@DOMAIN", and
>>> then telling the local admin account to allow logins from
>>> */admin@DOMAIN. That way the local account needn't be modified when
>>> other principals are created or deleted.
>>
>> I tried using */admin@DOMAIN with .k5login to map admin users to a local
>> admin account, but it turns out wildcards aren't supported in .k5login. 
>> How did you set it up with pam and nss to do the mapping?
> 
> I don't have access to any machines that I set up anymore, but I recall
> using wildcards in .k5login and it worked just fine. This was on RHEL6
> machines.
> 
> Except for enabling Kerberos through the RH authconfig utility (which
> sets up pam_krb5), I didn't make any changes to pam or nss.

I could be misremembering.  It's bugging me. Might have to contact my
old office and have them check, though maybe none of the servers I
worked on are still there.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
