[27797] in Kerberos


Re: Joining a multiple realm AD environment

daemon@ATHENA.MIT.EDU (Markus Moeller)
Sun May 20 13:33:45 2007

To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Fri, 18 May 2007 20:54:33 +0100
Message-ID: <f2l0b3$pbm$1@sea.gmane.org>
X-Complaints-To: usenet@sea.gmane.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Not sure what you mean by "Do you still have to do this even if you add 
the system to AD via a "User" account?"

You add the system to AD to be able to create a keytab, which is used to 
verify that you are talking to the right KDC during user authentication. It 
has nothing to do with the ability to log in from LOC1.DOM.COM or LOC2.DOM.COM.

Regards
Markus

"Chris Penney" <penney@msu.edu> wrote in message 
news:111aefd0705180943g699cf03fh5142e1dfbcba181e@mail.gmail.com...
> On 5/17/07, Douglas E. Engert <deengert@anl.gov> wrote:
>> Whose pam_krb5?   Russ Allbery's has some extra options that might
>> try both realms.
>
>
> On 5/17/07, Markus Moeller <huaraz@moeller.plus.com> wrote:
>> You need entries like (assuming that users are unique over both domains
>> and you have more users in LOC1.DOM.COM)
>> other auth sufficient  pam_krb5 REALM=LOC1.DOM.COM
>> other auth sufficient  pam_krb5 REALM=LOC2.DOM.COM
>
> Ah!  I see.  I used the pam_krb5 that Douglas noted and the pam config
> lines you noted and it works basically as intended.
>
> Do you still have to do this even if you add the system to AD via a
> "User" account?
>
> Thanks!
>
>    Chris
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
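
An added example, not part of the thread and not code from any pam_krb5 project: a small Python audit for the point made in the reply above, that the host keytab is what lets the login host verify the KDC it talked to. It assumes MIT krb5's `verify_ap_req_nofail` setting in `[libdefaults]` and the pam.conf line format quoted in the thread; the krb5.conf text, the host name and the keytab principal list are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed samples; only the two pam lines come from the thread.
PAM_CONF = """\
other auth sufficient  pam_krb5 REALM=LOC1.DOM.COM
other auth sufficient  pam_krb5 REALM=LOC2.DOM.COM
"""
KRB5_CONF = """\
[libdefaults]
    default_realm = LOC1.DOM.COM
    verify_ap_req_nofail = false
"""
# Principals as `klist -k` would list them for the host keytab (constructed).
KEYTAB_PRINCIPALS = ["host/unix1.loc1.dom.com@LOC1.DOM.COM"]
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}  # booleans krb5.conf accepts

def pam_realms(pam_text):
    """Realms named by pam_krb5 auth lines, in stack order."""
    realms = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1] == "auth" and "pam_krb5" in fields[3]:
            realms += [f.split("=", 1)[1] for f in fields[4:]
                       if f.upper().startswith("REALM=")]
    return realms

def libdefault(conf_text, key, default=None):
    """Value of `key` inside [libdefaults], or `default` if it is unset."""
    section = None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                return value
    return default

def audit(conf_text, principals):
    """Findings that would let a login accept an unverified KDC reply."""
    findings = []
    if not principals:
        findings.append("no keytab entries: the KDC reply cannot be verified")
    if libdefault(conf_text, "verify_ap_req_nofail", "false").lower() not in TRUE_VALUES:
        findings.append("verify_ap_req_nofail off: a missing keytab skips verification")
    return findings

if __name__ == "__main__":
    print("pam_krb5 realms:", pam_realms(PAM_CONF))
    for finding in audit(KRB5_CONF, KEYTAB_PRINCIPALS):
        print("FINDING:", finding)
```

The findings are per host rather than per realm, matching the reply: one keytab serves logins from either realm listed in the PAM stack.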