kerberos authentication for multiple realms
I've found a lot of documentation on setting up Kerberos servers for multiple realms, but nothing about setting up the clients.

Our corporate setup, based on Active Directory, has multiple realms for users, by country: US.EXAMPLE.COM, MX.EXAMPLE.COM, DE.EXAMPLE.COM, FR.EXAMPLE.COM and so on. If you log into a Windows box, there is the default domain for your region, but you can always prefix your login name with your region and get in on any machine: FR\GEORGE

Under Linux, you can log in with your username, but there doesn't seem to be a way to pass your region identifier to allow Kerberos authentication to work.

What you see in the security log is something like this (for a user from a non-FR domain - US\username):

Nov 6 11:26:41 host23 sshd[21959]: pam_krb5[21959]: authentication fails for 'username' (username@FR.EXAMPLE.COM): User not known to the underlying authentication module (Client not found in Kerberos database)

krb5.conf looks like this:

================================================
[realms]
FR.EXAMPLE.COM = {
  kdc = bcd1.fr.example.com:88
  admin_server = bcd1.fr.example.com:749
  default_domain = fr.example.com
}
[domain_realm]
fr.example.com = FR.EXAMPLE.COM
example.com = FR.EXAMPLE.COM
.fr.example.com = FR.EXAMPLE.COM
================================================

Is there any way to tell the client to try alternative domains?
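An added diagnostic example, not part of the original post: it parses the krb5.conf sections posted above and reports which principal a login name resolves to and whether that realm has a KDC listed under [realms]. The default realm FR.EXAMPLE.COM is taken from the log line, `parse_realms` and `resolve` are hypothetical helper names, and DNS-based KDC discovery (`dns_lookup_kdc`) is not considered.

```python
import re

# Copy of the krb5.conf sections from the post (embedded so this runs offline).
KRB5_CONF = """\
[realms]
FR.EXAMPLE.COM = {
  kdc = bcd1.fr.example.com:88
  admin_server = bcd1.fr.example.com:749
  default_domain = fr.example.com
}
[domain_realm]
fr.example.com = FR.EXAMPLE.COM
example.com = FR.EXAMPLE.COM
.fr.example.com = FR.EXAMPLE.COM
"""


def parse_realms(text):
    """Return {realm: [kdc, ...]} for every realm block under [realms]."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section, current = line.strip("[]"), None
        elif section == "realms":
            opened = re.match(r"(\S+)\s*=\s*\{", line)
            if opened:
                current = opened.group(1)
                realms[current] = []
            elif line == "}":
                current = None
            elif current and re.match(r"kdc\s*=", line):
                realms[current].append(line.split("=", 1)[1].strip())
    return realms


def resolve(login, default_realm, realms):
    """Return (principal, realm_has_static_kdc) for a login name.

    A name without '@REALM' gets the default realm, which is how the
    bare 'username' in the log became username@FR.EXAMPLE.COM.
    """
    user, sep, realm = login.partition("@")
    realm = realm.upper() if sep else default_realm
    return f"{user}@{realm}", bool(realms.get(realm))
```

Run against the posted file, a bare `username` resolves into FR.EXAMPLE.COM, and `username@US.EXAMPLE.COM` names a realm with no KDC entry in this client's [realms] section.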
Have you tried this?