Has anyone used pass through authentication to Kerberos with the principal
coming from an attribute like krbPrincipalName?
I have pass through auth working where the list of users (nsswitch) comes
from the LDAP server and the authentication is using pam such as:
auth required pam_env.so
auth sufficient pam_krb5.so
auth required pam_deny.so
account required pam_krb5.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session required pam_krb5.so
The pass through plugin is configured to use the RDN where everyone's RDN
is like "uid=xxx".
This works fine, but that's because the uid is the same as the part before
the realm in the principal.
My login is "gary".
My Kerberos principal is "gary@EXAMPLE.COM".
is configured as the default realm on the system.
However, I have people whose login does not match their principal:
User Bob Smith has a login "bsmith".
His Kerberos principal is "robert.smith@EXAMPLE.COM".
I want to use "bsmith" for all the Unix/Linux name lookups, but use
"robert.smith@EXAMPLE.COM" for the authentication. The latter information
is stored in the krbPrincipal attribute.
I also want to be able to use a non-default realm:
I can configure the krb5.conf file to know about these other realms and I
can use kinit to test them so I know the Kerberos works.
I tried to change the plugin to pass the principal, but a name like
"gary@EXAMPLE.COM" fails in the user lookup.
I need one name for the user and another for the authentication.
Another option would be if the user did not need to be found in the passwd
data. I don't really need it for pass through auth anyway. Unfortunately,
pam fails if the user can't be found.
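As an added illustration of the mapping this question is about (example code, not from the original post or the 389 DS plugin): it resolves a login to a Kerberos principal either from the RDN plus the default realm, as the post's current setup does, or from a per-entry krbPrincipalName attribute, and flags the logins for which the two disagree. The directory entries, the second realm and the attribute-based method are constructed assumptions.

```python
import re

# Constructed sample directory entries (hypothetical, not from the post).
ENTRIES = {
    "uid=gary,ou=People,dc=example,dc=com": {
        "uid": "gary", "krbPrincipalName": "gary@EXAMPLE.COM"},
    "uid=bsmith,ou=People,dc=example,dc=com": {
        "uid": "bsmith", "krbPrincipalName": "robert.smith@EXAMPLE.COM"},
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": "alice", "krbPrincipalName": "alice@LAB.EXAMPLE.NET"},
}
DEFAULT_REALM = "EXAMPLE.COM"
# Realms assumed to be listed in krb5.conf; anything else cannot authenticate.
KNOWN_REALMS = {"EXAMPLE.COM", "LAB.EXAMPLE.NET"}
# primary[/instance]@REALM; rejects values with spaces or a missing realm.
PRINCIPAL_RE = re.compile(r"^[^@/\s]+(?:/[^@\s]+)?@([A-Za-z0-9.-]+)$")


def find_entry(login):
    """Return (dn, attrs) for the entry whose uid equals the login, or (None, None)."""
    for dn, attrs in ENTRIES.items():
        if attrs["uid"] == login:
            return dn, attrs
    return None, None


def map_principal(login, method="RDN"):
    """Principal to authenticate `login` with, or None if the user is unknown.
    RDN:  value of the first RDN + default realm (what the post describes).
    ATTR: krbPrincipalName from the entry, realm included (hypothetical method)."""
    dn, attrs = find_entry(login)
    if dn is None:
        return None
    if method == "RDN":
        rdn_value = dn.split(",", 1)[0].split("=", 1)[1]
        return f"{rdn_value}@{DEFAULT_REALM}"
    if method == "ATTR":
        principal = attrs.get("krbPrincipalName")
        m = PRINCIPAL_RE.match(principal or "")
        # Refuse early instead of letting libkrb5 fail on an unknown realm.
        if not m or m.group(1) not in KNOWN_REALMS:
            raise ValueError(f"unusable principal for {login}: {principal!r}")
        return principal
    raise ValueError("method must be RDN or ATTR")


def rdn_mapping_mismatches():
    """Logins whose RDN-derived principal is not their real principal."""
    return sorted(a["uid"] for a in ENTRIES.values()
                  if map_principal(a["uid"], "RDN") != a["krbPrincipalName"])
```

For the constructed entries the RDN method produces the wrong principal for "bsmith" and "alice", which is exactly the failure the post describes for logins that differ from the principal's primary.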