Gautier, B (Bob)
2006-Apr-10 08:39 UTC
[Samba] Can pam_winbind be configured to issue Kerberos tickets on user validation?
> -----Original Message-----
>
> I've tried to use the pam_krb5 module, but as pam modules
> validate the user as given, pam_krb5 is trying to match the
> password to adsdomain.adsuser@ADSDOMAIN.REALM.... so it fails.
>

Pam_krb5 can be configured to convert winbind usernames back into principal names, by means of some regexp matching and template filling magic. It is 'underdocumented' - perhaps you even need to grab the source RPM and look there? I can't remember where I found out about it.

I have pam_krb5 2.1.8-1 working very nicely. Here's the excerpt from my /etc/krb5.conf:

    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        mappings = RILINUX-(.*) $1@RILINUX.COM RILINUXEU-(.*) $1@EU.RILINUX.COM
    }

The 'mappings' value is a set of regexp-template pairs. In my example, usernames that start with RILINUX- are mapped into principals in RILINUX.COM, usernames in RILINUXEU- are mapped into the EU.RILINUX.COM realm.

If you have lots of domains you can do things like (untested):

    mappings = RILINUX([^-]+)-(.*) $2@$1.RILINUX.COM

So

    RILINUXEU-foo -> foo@EU.RILINUX.COM
    RILINUXANYOLDJUNK-nobody -> nobody@ANYOLDJUNK.RILINUX.COM

Bob G
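The username-to-principal mapping described in the post, as an added example that is not Bob's configuration and not pam_krb5's own code: a small Python simulator of the regexp/template pairs, so the two mappings values above can be checked before they touch a real login path. It assumes (not verified against pam_krb5) that a pattern must match the whole username and that the first matching pair wins; the realm allow-list check is an addition of this example, not something the posted configuration does.

```python
import re

# Constructed mappings values modelled on the post's /etc/krb5.conf excerpt:
# whitespace-separated regexp/template pairs.
MAPPINGS_SIMPLE = "RILINUX-(.*) $1@RILINUX.COM RILINUXEU-(.*) $1@EU.RILINUX.COM"
MAPPINGS_GENERAL = "RILINUX([^-]+)-(.*) $2@$1.RILINUX.COM"
# Order matters: the specific bare-domain rule must come before the generic one,
# because RILINUX([^-]+)- requires at least one character between RILINUX and '-'.
MAPPINGS_COMBINED = "RILINUX-(.*) $1@RILINUX.COM " + MAPPINGS_GENERAL


def parse_mappings(text):
    """Split a mappings value into (compiled regexp, template) pairs."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("mappings must consist of regexp/template pairs")
    return [(re.compile(tokens[i]), tokens[i + 1]) for i in range(0, len(tokens), 2)]


def map_username(username, mappings, allowed_realms=None):
    """Return the principal for username, or None if no pair matches.

    Assumed semantics (not taken from pam_krb5): whole-username match,
    first matching pair wins, $1/$2/... expand to the captured groups.
    """
    for pattern, template in mappings:
        m = pattern.fullmatch(username)
        if m is None:
            continue
        principal = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
        # Added check (not in the post): with the generic pattern the realm is
        # derived from the username itself, so refuse realms we do not trust.
        if allowed_realms is not None and principal.rsplit("@", 1)[1] not in allowed_realms:
            return None
        return principal
    return None


if __name__ == "__main__":
    rules = parse_mappings(MAPPINGS_COMBINED)
    for name in ("RILINUX-bob", "RILINUXEU-foo", "RILINUXANYOLDJUNK-nobody", "localuser"):
        print(name, "->", map_username(name, rules, {"RILINUX.COM", "EU.RILINUX.COM"}))
```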