A principal is created in Kerberos REALM as: "SOMEONE@COMPANY.COM".

NOTE: no host name is used!

I want to login by giving user name "SOMEONE" w/ correct password to login to a machine that has access to KDC. But this fails and it seems ONLY principals that are also accounts on the local machine can log on to the machine.

Here's the error message:

It is known to me that OpenLDAP can allow a user to login on different machines that the user has no local account on any of those machines at all. So, I think KERBEROS should support this as well. I guess the problem might be caused by wrong PAM rules? Here is it:

Or how to allow a user to login (through pam_krb5) on different machines w/o creating local accounts in advance at all?

Thanks!

Are you using ldap to query your AD server? In many cases ldap queries the AD server, and looks for the user there. However from what I gather your goal here is to have accounts that exist say, on your box, and that don't exist in the AD tree, but you want to use this login for other machines? Have you tried to recieve a kerberos ticket?

Try these commands

# kinit SOMEONE
Password for SOMEONE@COMPANY.COM: ...

# klist
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: SOMEONE@COMPANY.COM

Let me know if this works.

I'm not using Active Directory. All this is on linux: OpenLDAP and MIT Kerberos and PAM modules.

Anyway, kerberos on my machine works. There is no problem to kinit, klist and as I said in the question, it also works for login (authentication and issuing tickets) except that it only lets a principal that is also a local linux account to login.

goal 1: use kerberos for login on different linux machines (no need to repeatedly create the same account on them)

goal 2 (better): use openldap for account but it uses kerberos for password and issuing tickets. (there is no problem I can use pam_ldap for using openldap for authentication. but it uses password stored in ldap and no tickets issued upon a successful login)