Kerberos authentication for multiple realms
I've found a lot of documentation on setting up Kerberos servers for multiple realms, but nothing about setting up the clients.
Our corporate setup, based on Active Directory, has multiple realms for users, by country:
US.EXAMPLE.COM
MX.EXAMPLE.COM
DE.EXAMPLE.COM
FR.EXAMPLE.COM
and so on. If you log into a Windows box, there is the default domain for your region, but you can always prefix your login name with your region and get in on any machine, e.g. FR\GEORGE.
Under Linux, you can log in with your username, but there doesn't seem to be a way to pass your region identifier to allow Kerberos authentication to work. What you see in the security log is something like this (for a user from a non-FR domain, e.g. US\username):
Nov 6 11:26:41 host23 sshd[21959]: pam_krb5[21959]: authentication fails for 'username' (username@FR.EXAMPLE.COM): User not known to the underlying authentication module (Client not found in Kerberos database)
krb5.conf looks like this:
================================================
[realms]
    FR.EXAMPLE.COM = {
        kdc = bcd1.fr.example.com:88
        admin_server = bcd1.fr.example.com:749
        default_domain = fr.example.com
    }
[domain_realm]
    fr.example.com = FR.EXAMPLE.COM
    example.com = FR.EXAMPLE.COM
    .fr.example.com = FR.EXAMPLE.COM
================================================
Is there any way to tell the client to try alternative domains?
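An added example (not from the question or any answer) showing how a login wrapper could do the region-to-realm mapping the poster describes: it reads the default realm and the declared realms out of a constructed krb5.conf, turns `FR\george` into `george@FR.EXAMPLE.COM`, and refuses any realm the file does not declare. The `[libdefaults]` section, the US realm and its KDC name are assumptions.

```python
# Constructed krb5.conf: the [realms] block from the question plus a
# [libdefaults] section and a second realm (both assumed, not in the post).
KRB5_CONF = """
[libdefaults]
    default_realm = FR.EXAMPLE.COM
[realms]
    FR.EXAMPLE.COM = {
        kdc = bcd1.fr.example.com:88
        admin_server = bcd1.fr.example.com:749
    }
    US.EXAMPLE.COM = {
        kdc = kdc1.us.example.com:88
    }
"""

def parse_krb5_conf(text):
    """Return (default_realm, set of realm names declared in [realms])."""
    section, depth, default_realm, realms = None, 0, None, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line.endswith("{"):  # opening of a realm (or nested) block
            if section == "realms" and depth == 0:
                realms.add(line.split("=", 1)[0].strip())
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "default_realm":
                default_realm = value
    return default_realm, realms

def login_to_principal(login, default_realm, known_realms, suffix="EXAMPLE.COM"):
    """'FR\\george' -> george@FR.EXAMPLE.COM; 'george@US.EXAMPLE.COM' unchanged;
    bare 'george' -> george@<default_realm>, which is what pam_krb5 does today."""
    if "\\" in login:                      # Windows-style REGION\user
        region, user = login.split("\\", 1)
        realm = f"{region.upper()}.{suffix}"
    elif "@" in login:                     # explicit user@REALM
        user, realm = login.rsplit("@", 1)
    else:                                  # bare name falls back to the default realm
        user, realm = login, default_realm
    if realm not in known_realms:          # refuse a realm krb5.conf does not know
        raise ValueError(f"realm {realm} is not configured in krb5.conf")
    return f"{user}@{realm}"
```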