Multiple realm support
Wachdorf, Daniel R
drwachd at sandia.gov
Thu Oct 30 15:15:23 GMT 2003
Is there a way to control this? Can I say which realms I would like to
allow mapped (strip the @realm) to users?
Additionally, the call krb5_aname_to_localname() exists in the MIT Kerberos
libraries to provide this support. I would allow setup in the krb5.conf
file to control how Kerberos users are mapped into local user accounts.
Thanks for your help.
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry at samba.org]
> Sent: Thursday, October 30, 2003 8:13 AM
> To: Wachdorf, Daniel R
> Cc: Samba -Tech (samba-technical at lists.samba.org)
> Subject: Re: Multiple realm support
> Wachdorf, Daniel R wrote:
> | I am wondering if it is possible to support multiple
> | realms for user account mappings when using security=ads. For
> | example: I have two AD realms with forest trust, ad1.domain.com
> | and ad2.domain.com. I have a samba server,
> | host.ad1.domain.com which has the account user. When user
> | logs into ad2.domain.com and tries to connect to host.ad1.domain.com,
> | he gets all the necessary Kerberos tickets, but gets rejected by
> | the samba server with the message "user ad2.domain.com/user
> | is invalid on this system".
> | Is it possible to map multiple domains to a single user?
> I fixed a case post 3.0.0 so that there is an implicit mapping
> between users logging on via AD krb5 support and usernames on
> the local system.
> So in 3.0.1 user at realm1.com and user at realm2.com would map
> to the same 'user' in /etc/passwd (assuming you are not running winbindd).
> cheers, jerry
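
Added example, not part of the original thread and not Samba's own configuration: a krb5.conf fragment showing how MIT Kerberos auth_to_local rules restrict which realms krb5_aname_to_localname() will strip to a bare local username. The realm names are taken from the thread (upper-cased as Kerberos realms), and it is an assumption that the service consults krb5_aname_to_localname() at all; the thread does not establish that Samba does.

```ini
# /etc/krb5.conf fragment (constructed example; realm names follow the thread)
[libdefaults]
    default_realm = AD1.DOMAIN.COM

[realms]
    AD1.DOMAIN.COM = {
        # Rules are tried in order until one produces a translation.
        # Single-component principals from the trusted realm AD2.DOMAIN.COM:
        # build "name@REALM", require exactly that realm, then strip "@REALM".
        auth_to_local = RULE:[1:$1@$0](^.*@AD2\.DOMAIN\.COM$)s/@.*$//
        # Single-component principals in the default realm map to the bare name.
        auth_to_local = DEFAULT
        # No further rule: a principal from any other realm gets no translation,
        # so krb5_aname_to_localname() fails instead of yielding a local account.
    }
```

Listing each trusted realm explicitly means user@AD1 and user@AD2 share one local account only because the administrator decided the two names belong to the same person, and a principal from a realm not listed never maps to a local user.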