Using pam_krb5 multiple times
I have a rather unique need in which I need a machine to check multiple
realms for a principal that's logging in. I've downloaded the latest (I
think... pam_krb5 doesn't seem to be maintained anymore) version and
installed it but what happens is that the first realm can authenticate
fine, but not the second realm.
Here's an excerpt from the pam.d/system-auth file:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm1>
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm2>
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_access.so
account sufficient /lib/security/pam_krb5.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow
password sufficient /lib/security/pam_krb5.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so
This will work for the first realm only, but someone trying to log in
from the second realm will not succeed... however if I flip the
placement, the user from the 2nd realm can log in but not the first.
I found a thread on this very issue on the web, but unfortunately there
was/is nothing being done with this. Anyone have any tips on how I can
go about doing this?
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
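An added example, not part of the original post and not pam_krb5 code: a simplified Python model of how Linux-PAM's required and sufficient control flags walk the auth stack quoted above, with module outcomes constructed for a principal that exists in only one realm. It models the control flags only, not the internal behaviour of pam_krb5 or of options such as use_first_pass; the function names are hypothetical.

```python
# Simplified model of Linux-PAM control flags (required / sufficient only).
# Module outcomes are constructed inputs, not results from real modules.

AUTH_STACK = """\
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm1>
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm2>
auth required   /lib/security/pam_deny.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module_name, [args])] for one facility."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fac, control, path, *args = line.split()
        if fac == facility:
            entries.append((control, path.rsplit("/", 1)[-1], args))
    return entries

def evaluate(entries, outcome):
    """Walk the stack; outcome(module, args) is True when the module succeeds.
    Returns (granted, trace) where trace lists every module that was called."""
    failed_required = False
    trace = []
    for control, module, args in entries:
        ok = outcome(module, args)
        trace.append((module, args, ok))
        if control == "sufficient" and ok and not failed_required:
            return True, trace        # success ends the walk immediately
        if control == "required" and not ok:
            failed_required = True    # recorded; the walk continues
        # a failed "sufficient" module is ignored
    return not failed_required, trace

def user_in(realm):
    """Constructed outcome: a principal that exists only in `realm`."""
    def outcome(module, args):
        if module == "pam_env.so":
            return True
        if module == "pam_krb5.so":
            return f"realm={realm}" in args
        return False                  # pam_unix.so (no local account), pam_deny.so
    return outcome
```

Under this model a principal from the second realm reaches the second pam_krb5 line after the first one fails, which is the behaviour the stack ordering is written to produce.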