Hi All, I'm having a lot of issues in regards to using two realms in CentOS 6.5.
Here is the information:

Active Directory (realm: USER.COMPANY.COM)
Kerberos 5 KDC (realm: SERVICE.COMPANY.COM)

All my USERS are in USER.COMPANY.COM and SERVICES (aka: postgres, MySQL, etc.) are in SERVICE.COMPANY.COM.

I need to be able to have the users and services kinit without the Fully Qualified Realm (FQR).

Example:

    root $ su - postgres
    postgres $ kinit
    Password for [email protected]:
    root $ su - someuser
    someuser $ kinit
    Password for [email protected]:

Reality:

    root $ su - postgres
    postgres $ kinit
    kinit: Client '[email protected]' not found in Kerberos database while getting initial credentials

I would like it to fall to the next realm if the first does not have records of the credentials. I have been able to do this for shell logins using SSSD, since I have rules in place that will check an LDAP flag for users vs. services. However, kinit doesn't use PAM (lib_sssd) in any way to apply the rules after login (su, ksu, etc.).

Please let me know if you have any suggestions on how this can be accomplished. Thanks in advance!
/etc/krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = USER.COMPANY.COM
     dns_lookup_realm = True
     dns_lookup_kdc = True
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = True
     verify_ap_req_nofail = True
     udp_preference_limit = 1
     debug = True

    [realms]
     SERVICE.COMPANY.COM = {
     }
     USER.COMPANY.COM = {
     }

    [domain_realm]
     .service.company.com = SERVICE.COMPANY.COM
     service.company.com = SERVICE.COMPANY.COM
     .user.company.com = USER.COMPANY.COM
     user.company.com = USER.COMPANY.COM

    [appdefaults]
     autologin = True
     forward = True
     encrypt = True
     pam = {
      debug = True
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = True
      krb4_convert = False
     }

    [capaths]
     SERVICE.COMPANY.COM = {
      USER.COMPANY.COM = .
     }
     USER.COMPANY.COM = {
      SERVICE.COMPANY.COM = .
     }

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
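One way to get the realm fallback the post asks for, as an added example that is not from the original post or from MIT Kerberos: a POSIX sh wrapper around kinit that tries each realm in turn and falls through only when the KDC reports the client as unknown, so a mistyped password is never retried against the other realm. KINIT_REALMS, KINIT_CMD and kinit_fallback are this example's own names, not krb5 options.

```shell
#!/bin/sh
# Added example (not from the original post or from MIT krb5): try kinit
# against each realm in turn and stop at the first one that knows the
# principal. KINIT_REALMS, KINIT_CMD and kinit_fallback are this example's
# own names, not krb5 options.

# Realms to try, in order; override in the environment if needed.
: "${KINIT_REALMS:=USER.COMPANY.COM SERVICE.COMPANY.COM}"
# Command that obtains the ticket; overridable so the logic can be
# exercised without a KDC (default: the real kinit).
: "${KINIT_CMD:=kinit}"

# kinit_fallback NAME [kinit flags...]
# Prints the principal that succeeded and returns 0; returns 1 otherwise.
# Extra flags are passed through, e.g. -k -t /path/to/keytab for services.
kinit_fallback() {
    user=$1; shift
    errfile=$(mktemp) || return 1
    for realm in $KINIT_REALMS; do
        principal="$user@$realm"
        # stdin/stdout stay attached so the password prompt still works;
        # only stderr is captured, to inspect this realm's error.
        if "$KINIT_CMD" "$@" "$principal" 2>"$errfile"; then
            rm -f "$errfile"
            printf '%s\n' "$principal"
            return 0
        fi
        if grep -q 'not found in Kerberos database' "$errfile"; then
            continue    # unknown in this realm: try the next one
        fi
        # Any other failure (wrong password, expired principal, KDC
        # unreachable) is reported and stops the loop, so a mistyped
        # password is never retried against the other realm's KDC.
        cat "$errfile" >&2
        rm -f "$errfile"
        return 1
    done
    rm -f "$errfile"
    printf 'kinit: %s not found in realms: %s\n' "$user" "$KINIT_REALMS" >&2
    return 1
}
```

Run as `kinit_fallback postgres` (or `kinit_fallback "$(id -un)"` from a login script); it does not change krb5.conf, so default_realm keeps serving everything that already works.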
