A principal is created in Kerberos REALM as: "SOMEONE@COMPANY.COM".
NOTE: no host name is used!
I want to log in by giving the user name "SOMEONE" with the correct password on a machine that has access to the KDC. But this fails, and it seems ONLY principals that are also accounts on the local machine can log on to the machine.
Here's the error message:
pam_krb5: error resolving user name 'SOMEONE' to uid/gid pair
kdm: :1: pam_krb5: error getting information about 'SOMEONE'
kdm: :1: pam_warn(xdm:auth): function=[pam_sm_authenticate] service=[xdm] terminal=[:1] user=[SOMEONE] ruser=[<unknown>] rhost=[<unknown>]
I know that OpenLDAP can allow a user to log in on different machines on which the user has no local account at all. So I think Kerberos should support this as well. I guess the problem might be caused by wrong PAM rules? Here it is:
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_krb5.so use_first_pass
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so nullok use_authtok
password required pam_krb5.so use_authtok
session required pam_limits.so
session required pam_unix2.so
session optional pam_krb5.so
session optional pam_umask.so
Or, how can a user be allowed to log in (through pam_krb5) on different machines without creating local accounts in advance at all?
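The following is an added example, not code from the post above: it models how Linux-PAM combines the control flags of the quoted auth and account stacks, and runs them for a principal that has no local passwd entry. The per-module return codes are assumptions chosen to mirror the error in the post (pam_krb5 failing because the name does not resolve to a uid/gid); the flag semantics follow the Linux-PAM documentation.

```python
"""Model of how Linux-PAM combines control flags, run over the stack quoted above."""

PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = "success", "auth_err", "user_unknown"

# The 'auth' and 'account' lines of the stack quoted in the question.
AUTH_STACK = [("required", "pam_env.so"),
              ("sufficient", "pam_unix2.so"),
              ("required", "pam_krb5.so")]
ACCOUNT_STACK = [("requisite", "pam_unix2.so"),
                 ("required", "pam_krb5.so")]


def run_stack(stack, results):
    """Return the stack's overall result given each module's return code.

    required   : a failure is remembered, but the remaining modules still run
    requisite  : a failure ends the stack immediately
    sufficient : success ends the stack with PAM_SUCCESS unless a required
                 module already failed; a failure is ignored
    optional   : only decides the result when it is the sole module
    """
    first_failure, succeeded = None, False
    for flag, module in stack:
        rc = results.get(module, PAM_AUTH_ERR)  # assumption: unlisted module fails
        if flag == "optional":
            if len(stack) == 1:
                return rc
            continue
        if rc == PAM_SUCCESS:
            if flag == "sufficient" and first_failure is None:
                return PAM_SUCCESS
            succeeded = True
        elif flag == "requisite":
            return first_failure or rc
        elif flag == "required" and first_failure is None:
            first_failure = rc
    return first_failure or (PAM_SUCCESS if succeeded else PAM_AUTH_ERR)


def kerberos_only_user(name_resolves):
    """(auth, account) outcome for a principal with no /etc/passwd entry.

    name_resolves=True assumes NSS can still map the name to a uid/gid (for
    example via a directory); False reproduces the lookup failure in the post.
    """
    krb_rc = PAM_SUCCESS if name_resolves else PAM_USER_UNKNOWN
    unix_acct = PAM_SUCCESS if name_resolves else PAM_USER_UNKNOWN
    auth = run_stack(AUTH_STACK, {"pam_env.so": PAM_SUCCESS,
                                  "pam_unix2.so": PAM_AUTH_ERR,  # no local password hash
                                  "pam_krb5.so": krb_rc})
    account = run_stack(ACCOUNT_STACK, {"pam_unix2.so": unix_acct,
                                        "pam_krb5.so": PAM_SUCCESS})
    return auth, account
```

With the name unresolvable the auth stack fails at pam_krb5 and the account stack would fail at the requisite pam_unix2 line as well, so the stack itself only passes once the name resolves to a uid/gid.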