Chris,

Using PAM for Kerberos authentication is in reality against the way Kerberos works. If you use a kerberised client like SecureCRT on Windows or a patched PuTTY for ssh you won't have the problems.
Trying the different domains is only a hack as most applications cannot deal with a username like [EMAIL PROTECTED]

Regards
Markus

"Chris Penney" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> On 5/18/07, Douglas E. Engert <[EMAIL PROTECTED]> wrote:
>>
>> Chris Penney wrote:
>> >
>> > Ah! I see. I used the pam_krb5 that Douglas noted and the pam config
>> > lines you noted and it works basically as intended.
>> >
>> > Do you still have to do this even if you add the system to AD via a
>> > "User" account?
>>
>> Microsoft used a misleading term when they said to add the machine as
>> a "user". You are adding a service principal for the machine into a
>> realm. With AD that also means it needs an account, which looks like
>> a "user" account, but in Kerberos terms has nothing to do with the user.
>>
>> So each user must be registered with a principal (and AD account), and
>> each service must be registered with a principal (and its own AD account).
>>
>> If you have cross realm setup then each user only needs to be in one realm,
>> and each service only needs to be in one realm.
>>
>> You did not indicate that you have cross realm set up, i.e. the ADs have
>> some cross domain trust. But if it works as intended, then it must.
>> A klist would show an extra TGT like krbtgt/[EMAIL PROTECTED]
>
> Yes, LOC1 and LOC2 trust each other, though I'm not clear that I'm
> leveraging that. When I say working as intended it's probably
> incorrect. I just mean that if I have an entry in the pam config file
> for each realm all users can login simply because pam tries [EMAIL PROTECTED]
> then [EMAIL PROTECTED], etc.
>
> Is this a normal way of handling this? Is setting up .k5login with
> [EMAIL PROTECTED] the best way to avoid iterating through all the realms?
>
> Chris
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
