[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Using pam_krb5 multiple times

I have a rather unique need in which I need a machine to check multiple realms for a principal that's logging in. I've downloaded the latest (I think... pam_krb5 doesnt seem to be maintained anymore) version and installed it but what happens is that the first realm can authenticate fine, but not the second realm.

Here's an exerpt from the pam.d/system-auth file:

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm1>
auth sufficient /lib/security/pam_krb5.so forwardable use_first_pass realm=<realm2>
auth required /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_access.so
account     sufficient    /lib/security/pam_krb5.so

password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow
password sufficient /lib/security/pam_krb5.so use_authtok
password required /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5.so

This will work for the first realm only, but someone trying to log in from the second realm will not succeed... however if I flip the placement, the user from the 2nd realm can log in but not the first.

I found a thread on this very issue on the web, but unfortunately there was/is nothing being done with this. Anyone have any tips on how I can go about doing this?

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]