AD, pam and Kerberos? - Kerberos


Thread: AD, pam and Kerberos?

  1. AD, pam and Kerberos?

    Hi All.

    We have a setup with several Active Directory domains that individually
    trust each other. Each domain translates into its own Kerberos REALM, as
    far as I'm understanding the systems.

    But principals are unique across the realms. Thus if jk@realm1 exists,
    then it doesn't exist in the other realms.

    I'd like to use Kerberos for the password lookup in the Linux system
    using PAM. This works fine with one "realm", but since the system only
    looks up users in the "default realm" I cannot validate users from the
    other realms.

    (This is pam for login on Linux Server/Workstations)

    Is it possible to get a "multi"-realm setup like this to work? Any
    pointers?

    It would be nice to be able to specify a map to the kerberos client:

    Jk = jk@realm1
    Test = test@realm2

    Or something like that.

    Jesper

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: AD, pam and Kerberos?



    JK (Jesper Agerbo Krogh) wrote:

    > Hi All.
    >
    > We have a setup with several Active Directory domains that individually
    > trust each other. Each domain translates into its own Kerberos REALM, as
    > far as I'm understanding the systems.


    Yes.

    >
    > But principals are unique across the realms. Thus if jk@realm1 exists,
    > then it doesn't exist in the other realms.


    By convention, realm names are unique, as they are derived from DNS
    names, so principal names are also unique. But if you mean the
    CN or sAMAccountName in AD in a forest, then these are unique in
    the forest. Note that the UPN of an AD account does not have to match
    the CN.

    >
    > I'd like to use Kerberos for the password lookup in the Linux system
    > using PAM. This works fine with one "realm", but since the system only
    > looks up users in the "default realm" I cannot validate users from the
    > other realms.
    >
    > (This is pam for login on Linux Server/Workstations)


    The problem is that PAM is underspecified: it expects the user to give
    the local user account name and some password. When used with
    Kerberos, you need the principal, user@realm, where user may not match
    the local user account name.

    You could change PAM to prompt for the principal, in addition to the
    user and password, which is the most general case.

    You could also change PAM to accept user@realm, then strip off the
    @realm and reset the pam_user before returning. But some applications
    that call PAM don't like to accept the fact that PAM has changed the
    user name.

    >
    > Is it possible to get a "multi"-realm setup like this to work? Any
    > pointers?


    Yes.

    >
    > It would be nice to be able to specify a map to the kerberos client:
    >
    > Jk = jk@realm1
    > Test = test@realm2


    Again a change to pam_krb5 to do the mapping.

    >
    > Or something like that.


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
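    The mapping Douglas describes (a local-name-to-principal table in pam_krb5,
    or accepting user@realm and stripping the realm before resetting pam_user)
    has one check that is easy to forget: once the realm is stripped, the
    remaining name becomes the local account, so a same-named principal in a
    different trusted realm must not be allowed to claim that account. The
    following is an added Python example, not code from the thread or from
    pam_krb5, showing such a mapping policy with that check. The map, the realm
    names and the default realm are constructed placeholders. (MIT Kerberos
    offers a comparable per-realm mapping for the authorization step through
    the auth_to_local settings in krb5.conf; the example below is standalone.)

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: local account name -> Kerberos principal.
# The realm names are placeholders, not real AD domains.
PRINCIPAL_MAP = {
    "jk": "jk@REALM1.EXAMPLE",
    "test": "test@REALM2.EXAMPLE",
}
# Realms this host is willing to authenticate against (the trusted AD domains).
TRUSTED_REALMS = {"REALM1.EXAMPLE", "REALM2.EXAMPLE"}
# Realm used for bare names that have no explicit mapping (today's behaviour).
DEFAULT_REALM = "REALM1.EXAMPLE"


class MappingError(ValueError):
    """Raised when a login name cannot be mapped to a principal safely."""


@dataclass(frozen=True)
class Resolved:
    local_user: str  # what pam_user should be reset to before returning
    principal: str   # user@REALM handed to the Kerberos client


def resolve_login(name: str) -> Resolved:
    """Map what was typed at the PAM prompt to (local user, principal)."""
    name = name.strip()
    if not name or any(ch.isspace() for ch in name) or "/" in name:
        # Reject empties, embedded whitespace and service-principal syntax.
        raise MappingError(f"malformed login name {name!r}")

    if "@" not in name:
        # Bare local name: use the map, else fall back to the default realm.
        principal = PRINCIPAL_MAP.get(name, f"{name}@{DEFAULT_REALM}")
        return Resolved(local_user=name, principal=principal)

    # Explicit user@REALM form.  Exactly one '@' is allowed; a second one
    # ends up inside `realm` and fails the trusted-realm check.
    user, realm = name.split("@", 1)
    if not user or realm not in TRUSTED_REALMS:
        raise MappingError(f"realm of {name!r} is not trusted")
    principal = f"{user}@{realm}"

    # The stripped name becomes the local account, so it must be the account
    # this exact principal is mapped to.  Without this check, jk@REALM2 could
    # log in as the local 'jk' that belongs to jk@REALM1.
    expected = PRINCIPAL_MAP.get(user, f"{user}@{DEFAULT_REALM}")
    if principal != expected:
        raise MappingError(
            f"{principal} is not the principal mapped to local user {user!r}"
        )
    return Resolved(local_user=user, principal=principal)


def try_resolve(name: str) -> Optional[Resolved]:
    """Same as resolve_login, but returns None instead of raising."""
    try:
        return resolve_login(name)
    except MappingError:
        return None


if __name__ == "__main__":
    samples = ["jk", "test", "jk@REALM1.EXAMPLE", "bob",
               "jk@REALM2.EXAMPLE", "jk@EVIL.EXAMPLE"]
    for typed in samples:
        print(f"{typed:22} -> {try_resolve(typed)}")
```

    The caller gets back both the local account to reset pam_user to and the
    principal to authenticate, which matters for the applications Douglas
    mentions that do not expect PAM to change the user name: the module can
    decide per service whether to reset pam_user or to fail closed.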


  3. Re: AD, pam and Kerberos?

    For a multi-realm setup with Active Directory only, you can look at
    Samba's winbindd.
    It does the same thing as nss_ldap/pam_krb5 and can also be easily
    configured for "DOMAIN+Username" user names.

    regards,
    Konstantin.

