Hello,
Has anyone used pass through authentication to Kerberos with the principal coming from an attribute like krbPrincipalName?
I have pass through auth working where the list of users (nsswitch) comes from the LDAP server and the authentication is using pam such as:

/etc/pam.d/ldapserver:
    auth     required   pam_env.so
    auth     sufficient pam_krb5.so
    auth     required   pam_deny.so
    account  required   pam_krb5.so
    session  optional   pam_keyinit.so revoke
    session  required   pam_limits.so
    -session optional   pam_systemd.so
    session  required   pam_krb5.so
The pass through plugin is configured to use the RDN where everyone's RDN is like "uid=xxx". This works fine, but that's because the uid is the same as the part before the realm in the principal.
For example: My login is "gary". My Kerberos principal is "gary@EXAMPLE.COM". EXAMPLE.COM is configured as the default realm on the system.
However, I have people whose login does not match their principal: User Bob Smith has a login "bsmith". His Kerberos principal is "robert.smith@EXAMPLE.COM". I want to use "bsmith" for all the Unix/Linux name lookups, but use "robert.smith@EXAMPLE.COM" for the authentication. The latter information is stored in the krbPrincipal attribute.
I also want to be able to use a non-default realm: User: "betty" Principal: "betty.jones@OTHERREALM.COM"
I can configure the krb5.conf file to know about these other realms and I can use kinit to test them so I know the Kerberos works.
I tried to change the plugin to pass the principal, but a name like "gary@EXAMPLE.COM" fails in the user lookup.
I need one name for the user and another for the authentication.
Another option would be if the user did not need to be found in the passwd data. I don't really need it for pass through auth anyway. Unfortunately, pam fails if the user can't be found.
Any ideas?
389-users@lists.fedoraproject.org
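For reference, the two PAM Pass Through Auth mappings the post contrasts (RDN-based, which works, versus attribute-based, which the poster reports failing at the user lookup), written as an added LDIF illustration that is not part of the original message. The plugin DN and the pamIDMapMethod/pamIDAttr/pamService attribute names are the standard 389 DS ones; the pamService value matches the /etc/pam.d/ldapserver stack above, and it is an assumption that the poster's attempt used the ENTRY mapping.

```ldif
# Added example, not from the original post.
# Variant A: RDN mapping, the working setup described in the post.
# The RDN value (uid=bsmith) is handed to PAM as the login name, so it
# resolves through nsswitch, but it is not the Kerberos principal.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamService
pamService: ldapserver

# Variant B: ENTRY mapping (assumed to be what the poster tried).
# The value of the named attribute, e.g. robert.smith@EXAMPLE.COM from
# krbPrincipalName, is passed to PAM instead of the uid. PAM still
# resolves that name against the passwd database before pam_krb5 runs,
# and a realm-qualified principal is not a passwd entry, which is the
# failure the post describes.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: krbPrincipalName
-
replace: pamService
pamService: ldapserver
```

Whichever variant is applied, the value reaching PAM must satisfy both the nsswitch lookup and pam_krb5, so the two names the poster wants to keep separate end up constrained to a single string at the PAM boundary.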