LinuxQuestions.org


edgood1 06-09-2009 02:44 PM

Managing multiple kerberos/ADS realms
 
I have several linux boxes that are using Active Directory for kerberos-based authentication. This works fine for all the users in the default realm. Users can ssh into the box just like they would on any other linux server. However, users from other realms can't log in. The pam/kerberos module attempts to authenticate them against the default realm and it fails. Here is my krb5.conf from a SLES10 box:

Code:

[logging]
[libdefaults]
        default_realm = REALM1.MYDOM.COM
        clockskew = 300
        #dns_lookup_realm = true

[realms]
REALM1.MYDOM.COM = {
        kdc = 172.20.1.100
        default_domain = realm1.mydom.com
        admin_server = 172.20.1.100
}
REALM2.MYDOM.COM = {
        kdc = 172.21.2.200
        default_domain = realm2.mydom.com
        admin_server = 172.21.2.200
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]

        realm1.mydom.com = REALM1.MYDOM.COM
        .realm1.mydom.com = REALM1.MYDOM.COM

        .realm2.mydom.com = REALM2.MYDOM.COM
        realm2.mydom.com = REALM2.MYDOM.COM
       

[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 1
        try_first_pass = true
}


How can I get a user from REALM2 to log in via ssh?

I
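Added example (not part of the original post, and not the poster's code): a small parser for the krb5.conf layout shown above that makes the two lookup rules behind the symptom visible. A bare login name is qualified with `default_realm` only, so a REALM2 user who types just their user name is tried against REALM1's KDC; the `[domain_realm]` section maps host names to realms (used for service principals), and plays no part in deciding a user's realm. The parser handles only the `key = value` and `NAME = { ... }` forms used in the post, not the full krb5.conf grammar, and `realm_for_host` approximates libkrb5's lookup order (exact host, then longest parent-domain entry) as an assumption.

```python
import re

# Constructed copy of the relevant sections of the poster's krb5.conf.
KRB5_CONF = """\
[libdefaults]
        default_realm = REALM1.MYDOM.COM
        clockskew = 300

[realms]
REALM1.MYDOM.COM = {
        kdc = 172.20.1.100
        default_domain = realm1.mydom.com
}
REALM2.MYDOM.COM = {
        kdc = 172.21.2.200
        default_domain = realm2.mydom.com
}

[domain_realm]
        realm1.mydom.com = REALM1.MYDOM.COM
        .realm1.mydom.com = REALM1.MYDOM.COM
        .realm2.mydom.com = REALM2.MYDOM.COM
        realm2.mydom.com = REALM2.MYDOM.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; NAME = { ... } blocks become nested dicts."""
    conf = {}
    stack = []  # innermost dict currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def principal_for_login(conf, login):
    """Principal the library will try for a login name: a bare name is
    qualified with default_realm; [domain_realm] is not consulted."""
    if "@" in login:
        return login
    return f"{login}@{conf['libdefaults']['default_realm']}"


def realm_for_host(conf, host):
    """Realm for a host per [domain_realm]: exact entry first, then the
    longest matching parent-domain entry (leading dot), else default_realm.
    This ordering is an assumption modelled on libkrb5's behaviour."""
    mapping = conf.get("domain_realm", {})
    host = host.lower()
    if host in mapping:
        return mapping[host]
    best = None
    for dom, realm in mapping.items():
        if dom.startswith(".") and host.endswith(dom):
            if best is None or len(dom) > len(best[0]):
                best = (dom, realm)
    return best[1] if best else conf["libdefaults"]["default_realm"]


def kdc_for_realm(conf, realm):
    """KDC address configured for a realm in [realms]."""
    return conf["realms"][realm]["kdc"]


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for login in ("alice", "bob@REALM2.MYDOM.COM"):
        princ = principal_for_login(conf, login)
        realm = princ.split("@", 1)[1]
        print(f"login {login!r:26} -> {princ} via KDC {kdc_for_realm(conf, realm)}")
    for host in ("srv.realm2.mydom.com", "pc.realm1.mydom.com"):
        print(f"host  {host!r:26} -> realm {realm_for_host(conf, host)}")
```

Running it shows `alice` resolving to `alice@REALM1.MYDOM.COM` (KDC 172.20.1.100) even though REALM2 is fully described in `[realms]` and `[domain_realm]`, which is the failure mode described in the post; the same name written with an explicit `@REALM2.MYDOM.COM` resolves to the REALM2 KDC.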

