Hello,
Has anyone used pass through authentication to Kerberos with the principal coming from an attribute like krbPrincipalName?
I have pass through auth working where the list of users (nsswitch) comes from the LDAP server and the authentication is using pam such as:
/etc/pam.d/ldapserver:
auth required pam_env.so
auth sufficient pam_krb5.so
auth required pam_deny.so
account required pam_krb5.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session required pam_krb5.so
The pass through plugin is configured to use the RDN where everyone's RDN is like "uid=xxx".
This works fine, but that's because the uid is the same as the part before the realm in the principal.
For example:
My login is "gary".
My Kerberos principal is "gary@xxxxxxxxxxx".
EXAMPLE.COM is configured as the default realm on the system.
However, I have people whose login does not match their principal:
User Bob Smith has a login "bsmith".
His Kerberos principal is "robert.smith@xxxxxxxxxxx".
I want to use "bsmith" for all the Unix/Linux name lookups, but use "robert.smith@xxxxxxxxxxx" for the authentication. The latter information is stored in the krbPrincipal attribute.
I also want to be able to use a non-default realm:
User: "betty"
Principal: "betty.jones@xxxxxxxxxxxxxx"
I can configure the krb5.conf file to know about these other realms and I can use kinit to test them so I know the Kerberos works.
I tried to change the plugin to pass the principal, but a name like "gary@xxxxxxxxxxx" fails in the user lookup.
I need one name for the user and another for the authentication.
Another option would be if the user did not need to be found in the passwd data. I don't really need it for pass through auth anyway. Unfortunately, pam fails if the user can't be found.
Any ideas?
--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
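Added example (not part of the post above, and not 389 DS code): an offline audit of the mapping problem described in the post. It parses a few constructed LDIF entries modelled on the users mentioned (gary, bsmith, betty; the realm OTHER.EXAMPLE.NET and the user "nokrb" are assumptions) and reports, per entry, whether RDN-based pass-through would work as-is or whether the login must be mapped to the principal in krbPrincipalName, and whether a non-default realm is involved.

```python
DEFAULT_REALM = "EXAMPLE.COM"  # the default realm named in the post

# Constructed sample entries; the dn suffix, OTHER.EXAMPLE.NET and "nokrb" are assumptions
SAMPLE_LDIF = """\
dn: uid=gary,ou=People,dc=example,dc=com
uid: gary
krbPrincipalName: gary@EXAMPLE.COM

dn: uid=bsmith,ou=People,dc=example,dc=com
uid: bsmith
krbPrincipalName: robert.smith@EXAMPLE.COM

dn: uid=betty,ou=People,dc=example,dc=com
uid: betty
krbPrincipalName: betty.jones@OTHER.EXAMPLE.NET

dn: uid=nokrb,ou=People,dc=example,dc=com
uid: nokrb
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines, no folding/base64."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def split_principal(principal, default_realm=DEFAULT_REALM):
    """'primary@REALM' -> (primary, REALM); a bare name gets the default realm, as kinit would."""
    primary, sep, realm = principal.rpartition("@")
    return (primary, realm) if sep else (principal, default_realm)

def audit(entries, default_realm=DEFAULT_REALM):
    """Classify each entry: 'rdn-ok' if uid equals the principal's primary in the default
    realm (RDN mapping works), 'needs-attr-map' if the login differs from the primary,
    '+realm' if the principal is outside the default realm, 'no-principal' if unset."""
    report = {}
    for entry in entries:
        uid = entry["uid"][0]
        if "krbPrincipalName" not in entry:
            report[uid] = "no-principal"
            continue
        primary, realm = split_principal(entry["krbPrincipalName"][0], default_realm)
        if primary == uid and realm == default_realm:
            report[uid] = "rdn-ok"
        elif realm == default_realm:
            report[uid] = "needs-attr-map"
        else:
            report[uid] = "needs-attr-map+realm"
    return report
```

Running the audit over a real export of the People subtree shows which accounts would silently fail RDN-based pass-through before the PAM stack is changed.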