Hello,
Has anyone used pass through authentication to Kerberos with the principal
coming from an attribute like krbPrincipalName?
I have pass through auth working where the list of users (nsswitch) comes
from the LDAP server and the authentication is using pam such as:
/etc/pam.d/ldapserver:
auth required pam_env.so
auth sufficient pam_krb5.so
auth required pam_deny.so
account required pam_krb5.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session required pam_krb5.so
The pass through plugin is configured to use the RDN where everyone's RDN
is like "uid=xxx".
This works fine, but that's because the uid is the same as the part before
the realm in the principal.
For example:
My login is "gary".
My Kerberos principal is "gary@EXAMPLE.COM".
EXAMPLE.COM is configured as the default realm on the system.
However, I have people whose login does not match their principal:
User Bob Smith has a login "bsmith".
His Kerberos principal is "robert.smith@EXAMPLE.COM".
I want to use "bsmith" for all the Unix/Linux name lookups, but use
"robert.smith@EXAMPLE.COM" for the authentication. The latter information
is stored in the krbPrincipal attribute.
I also want to be able to use a non-default realm:
User: "betty"
Principal: "betty.jones@OTHERREALM.COM"
I can configure the krb5.conf file to know about these other realms and I
can use kinit to test them so I know the Kerberos works.
I tried to change the plugin to pass the principal, but a name like
"gary@EXAMPLE.COM" fails in the user lookup.
I need one name for the user and another for the authentication.
Another option would be if the user did not need to be found in the passwd
data. I don't really need it for pass through auth anyway. Unfortunately,
pam fails if the user can't be found.
Any ideas?
--
Gary Algier
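An added illustration of the mapping the post is asking for (not part of Gary's message and not 389-ds or pam_krb5 code): resolve a login name to the principal held in krbPrincipalName, fall back to uid@default-realm when the attribute is absent, and audit the directory data for the two things that matter before switching the pass-through identity from the RDN to an attribute, namely realms that are not trusted and principals claimed by more than one login. The entries, realm list and function names are constructed for the example.

```python
"""Login-name to Kerberos-principal mapping for pass-through auth,
with the consistency checks a directory admin should run first.
All data below is constructed for the example."""
from collections import Counter

DEFAULT_REALM = "EXAMPLE.COM"                       # as in the post
TRUSTED_REALMS = {"EXAMPLE.COM", "OTHERREALM.COM"}  # realms in krb5.conf

# Constructed LDAP entries standing in for the directory records.
ENTRIES = [
    {"uid": "gary",   "krbPrincipalName": "gary@EXAMPLE.COM"},
    {"uid": "bsmith", "krbPrincipalName": "robert.smith@EXAMPLE.COM"},
    {"uid": "betty",  "krbPrincipalName": "betty.jones@OTHERREALM.COM"},
    {"uid": "carol"},  # no attribute: behaves like the RDN-based setup
]

def split_principal(principal, default_realm=DEFAULT_REALM):
    """Return (name, REALM); an unqualified name gets the default realm."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, default_realm
    if not name or not realm:
        raise ValueError(f"malformed principal {principal!r}")
    return name, realm.upper()

def resolve_principal(uid, entries=ENTRIES, trusted=TRUSTED_REALMS):
    """Map a login name to the principal handed to Kerberos.
    A realm outside the trusted set is refused, so a stray attribute
    value cannot steer authentication to an unknown KDC."""
    matches = [e for e in entries if e.get("uid") == uid]
    if len(matches) != 1:
        raise LookupError(f"uid {uid!r} matched {len(matches)} entries")
    name, realm = split_principal(matches[0].get("krbPrincipalName", uid))
    if realm not in trusted:
        raise PermissionError(f"realm {realm} not trusted for {uid!r}")
    return f"{name}@{realm}"

def duplicate_principals(entries=ENTRIES):
    """Principals claimed by more than one uid. Two logins sharing a
    principal would both succeed with one password, so fix these first."""
    counts = Counter(
        "@".join(split_principal(e.get("krbPrincipalName", e["uid"])))
        for e in entries
    )
    return sorted(p for p, n in counts.items() if n > 1)
```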