LinuxQuestions.org


sakshale 11-06-2008 02:58 PM

Kerberos authentication for multiple realms

I've found a lot of documentation on setting up Kerberos servers for multiple realms, but nothing about setting up the clients.

Our corporate setup, based on Active Directory, has multiple realms for users, by country.

US.EXAMPLE.COM
MX.EXAMPLE.COM
DE.EXAMPLE.COM
FR.EXAMPLE.COM

and so on. If you log into a Windows box, there is the default domain for your region, but you can always prefix your login name with your region and get in on any machine: FR\GEORGE

Under Linux, you can log in with your username, but there doesn't seem to be a way to pass your region identifier to allow Kerberos authentication to work. What you see in the security log is something like this (for a user from a non-FR domain, US\username):

Nov 6 11:26:41 host23 sshd[21959]: pam_krb5[21959]: authentication fails for 'username' (username@FR.EXAMPLE.COM): User not known to the underlying authentication module (Client not found in Kerberos database)


krb5.conf looks like this:
================================================
[realms]
FR.EXAMPLE.COM = {
    kdc = bcd1.fr.example.com:88
    admin_server = bcd1.fr.example.com:749
    default_domain = fr.example.com
}
[domain_realm]
fr.example.com = FR.EXAMPLE.COM
example.com = FR.EXAMPLE.COM
.fr.example.com = FR.EXAMPLE.COM
================================================

Is there any way to tell the client to try alternative domains?
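
An added example, not part of the thread or any poster's code: a small Python check that reads the [realms] section posted above and reports which principal a login name becomes and which KDCs the client has listed for that realm. The default realm is an assumption read off the log line (the posted excerpt has no [libdefaults] section), and the function names are made up for this example.

```python
# Added example, not from the thread. POSTED_REALMS is the [realms] part of the
# posted krb5.conf; DEFAULT_REALM is an assumption taken from the log line.
POSTED_REALMS = """\
[realms]
FR.EXAMPLE.COM = {
kdc = bcd1.fr.example.com:88
admin_server = bcd1.fr.example.com:749
default_domain = fr.example.com
}
"""
DEFAULT_REALM = "FR.EXAMPLE.COM"

def realm_kdcs(conf_text):
    """Map each realm in [realms] to the kdc values listed in its stanza."""
    kdcs, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip().lower(), None
        elif line == "}":
            realm = None                  # end of a realm stanza
        elif section == "realms" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                realm = key
                kdcs.setdefault(realm, [])
            elif realm is not None and key == "kdc":
                kdcs[realm].append(value)
    return kdcs

def to_principal(login, default_realm=DEFAULT_REALM):
    """A name without '@' gets the default realm appended, as in the log line."""
    return login if "@" in login else f"{login}@{default_realm}"

def audit(logins, conf_text=POSTED_REALMS):
    """Return (principal, realm, kdcs configured for that realm) per login."""
    kdcs = realm_kdcs(conf_text)
    rows = []
    for login in logins:
        principal = to_principal(login)
        realm = principal.rsplit("@", 1)[1]
        rows.append((principal, realm, kdcs.get(realm, [])))
    return rows

if __name__ == "__main__":
    for principal, realm, kdc in audit(["username", "username@US.EXAMPLE.COM"]):
        print(principal, "->", ", ".join(kdc) or f"no [realms] stanza for {realm}")
```

An empty KDC list means the realm is not configured in this file, not that it is unreachable: a Kerberos library with DNS lookup of KDCs enabled can still locate it through SRV records.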

ncsuapex 11-19-2008 12:54 PM

Have you tried this?

Quote:

ssh FR+username@FR.EXAMPLE.COM

sakshale 11-20-2008 12:02 PM

Quote:

Originally Posted by ncsuapex (Post 3347800)
Have you tried this?

It does not seem to make any difference.

