[Samba] Kerberos-only login with multiple domains and/or UPN...

Marco Gaiarin gaio at lilliput.linux.it
Fri Dec 31 10:54:14 UTC 2021


I'm googling around, but I only found references to SSSD, not to a plain Kerberos
setup.

Situation: an AD forest, composed of the forest tree and 4 more domains; in two of
those some administrative users exist, say:

 SITE1.AD.SHORT.DOM\admin1		(UPN: admin1 at LONGDOMAIN.DOM)
 SITE2.AD.SHORT.DOM\admin2		(UPN: admin2 at LONGDOMAIN.DOM)


On some very specific boxes we need ssh access only for admins; so I've
created 'admin1' and 'admin2' locally (e.g. in /etc/passwd) and set up
Kerberos and pam_krb5. The purpose is to enable auth against the domain without
setting up samba/winbind.

In a single-domain setup (e.g. 'default_realm = SITE1.AD.SHORT.DOM' or
'= SITE2.AD.SHORT.DOM') it works, but clearly only the admin of that domain can
auth.


I've tried to set up multiple realms and use 'auth_to_local' rules, but I was
not able to make it work: 'auth_to_local' seems not to work, and if the default
realm is 'SITE1.AD.SHORT.DOM' and I try to log in with
'SITE2.AD.SHORT.DOM/admin2', 'SITE1.AD.SHORT.DOM' is still looked up.


I'm also curious whether it is possible to auth directly with the UPN in Kerberos.


Thanks, and happy New Year's Eve. ;)

-- 
  I ask when it will be that man can learn
  to live without killing, and the wind will settle	(F. Guccini)
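Added example (editor's note, not part of the original post or of any Samba project code): a krb5.conf plus pam-krb5 configuration for the two-realm case described above. Two things it illustrates. First, MIT krb5 looks up 'auth_to_local' in the [realms] block of the principal's own realm, so a rule for admin2@SITE2.AD.SHORT.DOM belongs under SITE2.AD.SHORT.DOM, not under the default realm. Second, 'auth_to_local' only maps an already-authenticated principal to a local account; it never changes which principal pam_krb5 asks the KDC for, which is always <user>@<default_realm> unless told otherwise. The per-user principal is supplied here with pam-krb5's 'search_k5login' option and a ~/.k5login file. The KDC host names, UID threshold and file paths are assumptions; the rules are deliberately restrictive so that no other principal from either realm maps to a local account.

```ini
# ---- /etc/krb5.conf (example; KDC host names are assumed) ----
[libdefaults]
    default_realm = SITE1.AD.SHORT.DOM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = false

[realms]
    SITE1.AD.SHORT.DOM = {
        kdc = dc1.site1.ad.short.dom
        # Only admin1@SITE1.AD.SHORT.DOM maps to local 'admin1'.
        # With explicit rules and no DEFAULT, any other principal
        # from this realm fails to map and is refused.
        auth_to_local = RULE:[1:$1@$0](^admin1@SITE1\.AD\.SHORT\.DOM$)s/@.*//
    }
    SITE2.AD.SHORT.DOM = {
        kdc = dc1.site2.ad.short.dom
        # Rules for SITE2 principals must live in the SITE2 block.
        auth_to_local = RULE:[1:$1@$0](^admin2@SITE2\.AD\.SHORT\.DOM$)s/@.*//
    }

[domain_realm]
    .site1.ad.short.dom = SITE1.AD.SHORT.DOM
    .site2.ad.short.dom = SITE2.AD.SHORT.DOM

# ---- /etc/pam.d/sshd (auth stack excerpt; UID threshold assumed) ----
# search_k5login: try each principal listed in ~/.k5login before
# falling back to <user>@<default_realm>; minimum_uid keeps system
# accounts out of Kerberos entirely.
#   auth  sufficient  pam_krb5.so  minimum_uid=1000  search_k5login
#   auth  required    pam_deny.so

# ---- /home/admin2/.k5login (owned by admin2, mode 0600) ----
#   admin2@SITE2.AD.SHORT.DOM
```

Checks and caveats: 'KRB5_TRACE=/dev/stderr kinit admin2@SITE2.AD.SHORT.DOM' shows which KDC is contacted and whether the realm block is used at all. For the UPN question, MIT kinit accepts an enterprise principal with 'kinit -E admin2@LONGDOMAIN.DOM', which an AD KDC resolves to the user's real realm; pam-krb5 does not take enterprise names in ~/.k5login, so the realm-qualified form above is what the PAM path needs. Finally, without a host keytab pam_krb5 cannot validate the TGT against a local service key, so it cannot tell a genuine KDC from a spoofed one; if the box cannot be joined, at least restrict who can reach it and make sure the 'kdc' entries point at hosts you control, rather than relying on DNS alone.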




