Here's an excerpt from the pam.d/system-auth file:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm1>
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm2>
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_access.so
account sufficient /lib/security/pam_krb5.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow
password sufficient /lib/security/pam_krb5.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so
This will work for the first realm only, but someone trying to log in from the second realm will not succeed... however if I flip the placement, the user from the 2nd realm can log in but not the first.
I found a thread on this very issue on the web, but unfortunately there was/is nothing being done with this. Anyone have any tips on how I can go about doing this?
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
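As an added illustration (not code from the original post or from Linux-PAM), the following Python model walks the quoted auth stack with Linux-PAM's control-flag rules and reports which modules are consulted for a constructed user whose principal exists in only one of the two realms; "realm1"/"realm2" stand in for the redacted placeholders. Under this idealized model, where each module judges only its own realm, both users reach their own pam_krb5 line and succeed, so the control-flag ordering alone does not explain the asymmetry the post describes.

```python
# Model of how Linux-PAM walks the 'auth' stack quoted above (added example,
# not part of the original post). Control flags in their simple keyword form:
#   required   - failure is remembered, but the remaining modules still run
#   requisite  - failure ends the stack at once
#   sufficient - success ends the stack unless a required module already failed;
#                failure is ignored and the walk continues
#   optional   - only counts when it is the sole module in the stack

# The five 'auth' lines from the post as (control, module, realm-or-None);
# "realm1"/"realm2" are constructed stand-ins for the redacted <realm1>/<realm2>.
AUTH_STACK = [
    ("required",   "pam_env.so",  None),
    ("sufficient", "pam_unix.so", None),
    ("sufficient", "pam_krb5.so", "realm1"),
    ("sufficient", "pam_krb5.so", "realm2"),
    ("required",   "pam_deny.so", None),
]

def walk_stack(stack, outcome):
    """Run the stack, asking outcome(module, realm) for each module's own
    verdict (True = PAM_SUCCESS). Returns (final_ok, modules_consulted)."""
    consulted = []
    required_failed = False
    for control, module, realm in stack:
        ok = outcome(module, realm)
        consulted.append(module if realm is None else f"{module}[{realm}]")
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False, consulted
        elif control == "sufficient" and ok and not required_failed:
            return True, consulted
        # 'optional' verdicts are ignored: this stack has several modules
    return (not required_failed), consulted

def krb5_user(home_realm):
    """Outcome function for a constructed user: Kerberos principal only in
    home_realm, no local password hash, pam_env succeeds, pam_deny fails."""
    def outcome(module, realm):
        if module == "pam_env.so":
            return True
        if module == "pam_krb5.so":
            return realm == home_realm
        return False  # pam_unix.so has no hash for this user; pam_deny.so
    return outcome

if __name__ == "__main__":
    for realm in ("realm1", "realm2", "unknown"):
        ok, path = walk_stack(AUTH_STACK, krb5_user(realm))
        print(realm, "->", "PAM_SUCCESS" if ok else "PAM_AUTH_ERR", path)
```

The "unknown" user falls through both sufficient pam_krb5 lines and is stopped by the required pam_deny.so, which is the behaviour the stack is meant to enforce.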