Hello,

Has anyone used pass through authentication to Kerberos with the principal
coming from an attribute like krbPrincipalName?

I have pass through auth working where the list of users (nsswitch) comes
from the LDAP server and the authentication is using pam such as:
/etc/pam.d/ldapserver:
auth        required      pam_env.so
auth        sufficient    pam_krb5.so
auth        required      pam_deny.so
account     required      pam_krb5.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     required      pam_krb5.so

The pass through plugin is configured to use the RDN where everyone's RDN
is like "uid=xxx".
This works fine, but that's because the uid is the same as the part before
the realm in the principal.

For example:
My login is "gary".
My Kerberos principal is "g...@example.com".
EXAMPLE.COM is configured as the default realm on the system.

However, I have people whose login does not match their principal:
User Bob Smith has a login "bsmith".
His Kerberos principal is "robert.sm...@example.com".
I want to use "bsmith" for all the Unix/Linux name lookups, but use
"robert.sm...@example.com" for the authentication.  The latter information
is stored in the krbPrincipal attribute.

I also want to be able to use a non-default realm:
User: "betty"
Principal: "betty.jo...@otherrealm.com"

I can configure the krb5.conf file to know about these other realms and I
can use kinit to test them so I know the Kerberos works.

I tried to change the plugin to pass the principal, but a name like
"g...@example.com" fails when in the user lookup.

I need one name for the user and another for the authentication.

Another option would be if the user did not need to be found in the passwd
data.  I don't really need it for pass through auth anyway.  Unfortunately,
pam fails if the user can't be found.

Any ideas?


-- 
Gary Algier
--
389-users mailing list
389-users@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
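The following is an added example, not code from the post or from 389 Directory Server. It models the two-name problem the post describes: the name the pass-through plugin hands to PAM is derived from the entry (RDN, whole DN, or a chosen attribute, named here after the plugin's pamIDMapMethod and pamIDAttr settings; what the real plugin does when that attribute is missing is not modelled, the simulation simply yields no identity), while the passwd map served through nsswitch only knows the uid. The entries, names and realms are constructed placeholders, and the default realm is an assumed krb5.conf setting.

```python
import re

# Assumed default_realm from krb5.conf (hypothetical value).
DEFAULT_REALM = "EXAMPLE.COM"

# Constructed sample entries; names and realms are placeholders,
# not the users in the post.
ENTRIES = {
    "uid=carol,ou=people,dc=example,dc=com": {
        "uid": ["carol"],  # no krbPrincipalName: principal is carol@DEFAULT_REALM
    },
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "uid": ["jdoe"],
        "krbPrincipalName": ["john.doe@EXAMPLE.COM"],
    },
    "uid=asmith,ou=people,dc=example,dc=com": {
        "uid": ["asmith"],
        "krbPrincipalName": ["alice.smith@OTHERREALM.COM"],
    },
}

# The passwd map nsswitch would serve from these entries: keyed by uid only.
PASSWD = {e["uid"][0] for e in ENTRIES.values()}


def rdn_value(dn):
    """Value of the first RDN of a DN ("uid=jdoe,ou=..." -> "jdoe")."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    _attr, _, value = first.partition("=")
    return value.strip()


def pam_login_name(dn, entry, method, id_attr=None):
    """Login name handed to PAM under the modelled map methods.

    RDN -> RDN value, DN -> whole DN, ENTRY -> first value of id_attr.
    An entry lacking id_attr yields None here (simulation's own choice).
    """
    if method == "RDN":
        return rdn_value(dn)
    if method == "DN":
        return dn
    if method == "ENTRY":
        values = entry.get(id_attr or "", [])
        return values[0] if values else None
    raise ValueError(f"unknown map method {method!r}")


def parse_principal(principal, default_realm=DEFAULT_REALM):
    """Split name@REALM; a bare name gets the default realm.

    The last unescaped '@' separates name and realm; '\\@' stays in the name.
    """
    m = re.match(r"^(.*?)(?<!\\)@([^@]*)$", principal)
    if m:
        return m.group(1), m.group(2)
    return principal, default_realm


def principal_for(entry, default_realm=DEFAULT_REALM):
    """Authentication name: krbPrincipalName if present, else uid@default realm."""
    raw = entry.get("krbPrincipalName", entry["uid"])[0]
    name, realm = parse_principal(raw, default_realm)
    return f"{name}@{realm}"


def split_identity(dn, entry):
    """The two names the post asks for: one for NSS, one for Kerberos."""
    return {"nss_name": entry["uid"][0], "principal": principal_for(entry)}


def simulate(method, id_attr=None):
    """Per uid: (name handed to PAM, whether a passwd lookup of it succeeds)."""
    result = {}
    for dn, entry in ENTRIES.items():
        login = pam_login_name(dn, entry, method, id_attr)
        result[entry["uid"][0]] = (login, login in PASSWD)
    return result


if __name__ == "__main__":
    print("RDN mapping:  ", simulate("RDN"))
    print("ENTRY mapping:", simulate("ENTRY", "krbPrincipalName"))
    for dn, entry in ENTRIES.items():
        print(split_identity(dn, entry))
```

Running it shows the two halves of the problem side by side: with RDN mapping every login name resolves in the passwd map, while with ENTRY mapping on krbPrincipalName every name handed to PAM is a principal that no passwd lookup can find, which is the failure the post reports. The split_identity output is the pairing the post wants, with the realm taken from the attribute when present and from the default realm otherwise.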