Kerberos Question


Kerberos Question

Jay Berryman
Hello Everyone.  I am building a webmail server that uses Kerberos to
authenticate users to our Active Directory servers.  My problem is that the
users that need to access this system are across multiple domains (example:
[hidden email], [hidden email]).  Is there a way for Kerberos to handle
this?  Any help would be greatly appreciated.  Thanks.

 

Jay Berryman, RHCT, RHCE

Systems Engineer

Phone:  (402)-963-6347

Cell:      (402)-598-1737

E-Mail:  [hidden email] <mailto:[hidden email]>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos Question

Vijay-4
Yes.
There is a domain to realm mapping section in krb5.conf

--
vj

ssh using gssapi authentication without local account existing on the target machine

jay alvarez-2
In reply to this post by Jay Berryman
Hi,

I already got it working, but ssh requires local accounts to exist on the machine for it to actually allow any authenticated user to have an ssh session. Can this be done? Let's say machine A doesn't have any user account.
Now I will ssh to machine A and authenticate using GSSAPI; I will then land on a command prompt inside my home dir (possibly retrieved through some other means). Anyone done this before?

Thanks.

Re: ssh using gssapi authentication without local account existing on the target machine

Douglas E. Engert


jay alvarez wrote:

> Hi,
>
> I already got it working, but ssh requires local accounts to exist on the machine for it to actually
> allow any authenticated user to have an ssh session. Can this be done? Let's say machine A doesn't have
> any user account.
>
> Now I will ssh to machine A and authenticate using GSSAPI; I will then land on a command prompt inside
> my home dir (possibly retrieved through some other means). Anyone done this before?

Assuming UNIX, you still need to start the processes under some UID, be it obtained locally, or from
NIS or LDAP, or even dynamically assigned. The host also has to make some authorization decision
about accepting the GSSAPI connection. Current GSSAPI does authentication only; you still
need the authorization to the local machine. krb5_kuserok, for example, does this.

If you use dynamically assigned UIDs, you then have to clean up the local file system of
any leftover files for the UID.

But sshd appears to want the remote user to specify the local account to
use, without allowing some mapping from GSSAPI credentials to a local account first.
One way would be via PAM. PAM states that the PAM routines can change the pam_user, and
the calling application should accept this; sshd does not.

So the first thing that would be needed is for sshd to continue on if the
user was not found, and let PAM at least have a shot at returning a new valid user.
This has come up on the OpenSSH mailing list from time to time.

>  
>  Thanks.
>  

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
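A krb5.conf fragment, added here as an illustration and not taken from any post in this thread, showing the two pieces the thread touches on: the [domain_realm] section Vijay points to, which lets one host accept users from several AD domains, and the auth_to_local rules that krb5_kuserok (as called by sshd's GSSAPI path) uses to map a principal to a local account when no ~/.k5login exists. Realm names, domain names and KDC hostnames are constructed placeholders, and a cross-realm trust between the two AD domains (as within one forest) is assumed.

```ini
# Constructed example: the host lives in CORP.EXAMPLE.COM and must accept
# users from both CORP.EXAMPLE.COM and SALES.EXAMPLE.COM. All names here
# are placeholders, not taken from the thread.
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
        # auth_to_local rules live under the host's own (default) realm and
        # are consulted by krb5_kuserok() when ~/.k5login is absent.
        # user@CORP.EXAMPLE.COM -> local account "user"
        auth_to_local = RULE:[1:$1@$0](^.*@CORP\.EXAMPLE\.COM$)s/@.*//
        # user@SALES.EXAMPLE.COM -> local account "sales-user", so the two
        # domains cannot collide on a bare username. The [1:sales-$1@$0]
        # part rebuilds the name before the match, so no backreference is
        # needed in the substitution.
        auth_to_local = RULE:[1:sales-$1@$0](^sales-.*@SALES\.EXAMPLE\.COM$)s/@.*//
        # DEFAULT maps only single-component principals of the default
        # realm; any other realm is rejected rather than silently mapped.
        auth_to_local = DEFAULT
    }
    SALES.EXAMPLE.COM = {
        kdc = dc1.sales.example.com
    }

# Hostname (or DNS suffix, with the leading dot) to realm mapping, so the
# library can pick the right realm for service principals in either domain.
[domain_realm]
    .corp.example.com  = CORP.EXAMPLE.COM
    corp.example.com   = CORP.EXAMPLE.COM
    .sales.example.com = SALES.EXAMPLE.COM
    sales.example.com  = SALES.EXAMPLE.COM
```

Note that these rules only produce a local account name; as Douglas says, the account (or its UID, from NIS, LDAP or some other source) still has to exist on the host for sshd to start a session under it.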