HPE Community
Operating System - HP-UX
1847240 Members
3288 Online
110263 Solutions
New Discussion

PAM-Kerberos and ADS

 
SOLVED
Go to solution
Sundar_7
Honored Contributor

‎08-25-2004 09:09 AM

‎08-25-2004 09:09 AM

PAM-Kerberos and ADS


I managed to get my UX box successfully authenticate logins against the windows 2000 ADS.

But the issue here is, I have users from multiple domains that log on to the system.

I got this working for one domain and I was wondering if anybody managed to get this working for multiple domains.

In other words, I have domains dom1 , dom2 and dom3. user1 from dom1 is able to log on to UX box with ADS password. Now I would like my user2 from dom2 be able to login to the system with the ADS password.

Any inputs?

TIA

Sundar.
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
5 REPLIES 5
Doug Lamoureux_2
Valued Contributor

‎08-25-2004 10:34 AM

‎08-25-2004 10:34 AM

Re: PAM-Kerberos and ADS

Yes LDAP-UX AND PAM_Kerberos can be used to authenticate users from multiple domains.

This is documented in chapter 3 "Active Directory Multiple Domains" of the

"LDAP-UX Client Services B.03.30 with Microsoft Windows 2000 Active Directory Administrator's Guide"

which can be found at:

http://www.docs.hp.com/hpux/onlinedocs/J4269-90039/J4269-90039.html

0 Kudos
Reply
Sundar_7
Honored Contributor

‎08-25-2004 12:20 PM

‎08-25-2004 12:20 PM

Re: PAM-Kerberos and ADS

hmmm..these things always confuses me. But I believe I am not using LDAP-UX client.

I configured Kerberos client and /etc/pam.conf with the PAM-Kerberos library and that is it.

I didnt have to touch the LDAP client configuration at all.
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Doug Lamoureux_2
Valued Contributor

‎08-26-2004 03:22 AM

‎08-26-2004 03:22 AM

Re: PAM-Kerberos and ADS

Yes this can be confusing... Since you are not using LDAP-UX you must have users/group information stored in NIS or local files (passwd/group).

In this case PAM Kerberos does not know what REALM (domain) the user belongs to so it can not authenticate the user.

For example if you have 2 Win2K users: jcool@WEST.ACME.COM and jcool@EAST.ACME.COM
on the HP-UX system the user will attempt to login as jcool, which one is he?

LDAP-UX and PAM Kerberos work together to identify which REALM/domain the user is from and authenticates the user to that domain. 1 local and multiple remote REALMS/domains are configured for this to work (explained in the manual).

If all of your users use the root REALM in their UPN i.e. jcool@ACME.COM then you should be able to configure PAM Kerberos to use just the ACME.COM REALM and authenticate all users.

Cheers,
Doug
0 Kudos
Reply
Sundar_7
Honored Contributor

‎08-26-2004 03:30 AM

‎08-26-2004 03:30 AM

Re: PAM-Kerberos and ADS

user names are unique in the domains. I dont have user1@sub1.domain.com and user1@sub2.domain.com.

Even then it is not possible to authenticate the users using PAM-Kerberos ?. I dont use LDAP for user information. User information is stored locally in the /etc/passwd file.

How about if I list all the REALMS in the /etc/krb4.conf file. Will PAM try the KDC servers in the order listed or it will quit after trying the default REALM ?

If the domains are trusted, can the KDC for sub1.domain.com provide the tickets for the users in sub2.domain.com ?

Anyone ?

-- Sundar.
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Doug Lamoureux_2
Valued Contributor

‎08-26-2004 03:44 AM

‎08-26-2004 03:44 AM

Solution

Re: PAM-Kerberos and ADS

Nope.. PAM Kerberos will look at the default_realm parameter in krb5.conf for the REALM to authenticate the user. It would be nice if the user could login with user@REAM but not possible.. :(

Cross realm authentication is possible outside of PAM Kerberos, once you have a TGT for your "local" REALM.
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.