Use a preferred username but authenticate against Kerberos principal


What I desire to do should be pretty simple.

I have an Ubuntu 10.04 box. It's currently configured to authenticate users against a kerberos realm (EXAMPLE.ORG). There is only one realm in the krb5.conf file and it is the default realm.

[libdefaults]
    default_realm = EXAMPLE.ORG

PAM is configured to use the pam_krb5 module, so if a user account is created on the local machine, and that username matches the username@EXAMPLE.ORG credential, that user may log in by supplying his kerberos password.

What I would like to do instead is create a local user account with a different username, but have it always authenticate against the canonical name in the kerberos server.

For example, the kerberos principal is full.name@EXAMPLE.ORG. I would like to create the local account preferred.name and somehow configure kerberos that when someone attempts to log in as preferred.name, it uses the principal full.name@EXAMPLE.ORG.

I have tried using the auth_to_local_names in krb5.conf, but this doesn't seem to do the trick.

[realms]
    EXAMPLE.ORG = {
            auth_to_local_names = {
                    full.name = preferred.name
            }
    }

I have tried adding full.name@EXAMPLE.ORG to ~preferred.name/.k5login.

In all cases, when I attempt to log in as preferred.name@host and enter the password for full.name, I get Access denied.

I even tried using auth_to_local in krb5.conf, but I couldn't get the syntax right.

Is it possible to have a (distinct) local username that for all purposes behaves exactly like a matching username does? If so, how is this done?

Best Answer

I figured it out. I didn't need to use auth_to_local at all. I could use .k5login in the user's home directory. First,

cat > ~preferred.name/.k5login
full.name@EXAMPLE.ORG

Then, I had to configure PAM to honor the .k5login. In /etc/pam.d/common-auth, where I find auth sufficient pam_krb5.so, append the option search_k5login.

Thereafter, any attempt to log in as preferred.name will accept the password for full.name@EXAMPLE.ORG.
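An audit helper added here, not part of the question or the answer above: once search_k5login is on the pam_krb5.so auth line, every principal listed in ~user/.k5login can log in as that local user, so each such file is an access-control list worth reviewing. It assumes GNU coreutils stat (-c) as shipped on Ubuntu, and takes the common-auth path and a home-directory root as arguments so it can be run against copies.

```shell
#!/bin/sh
# Added audit helper, not the poster's code. Reports whether PAM honours
# .k5login, lists every principal-to-local-user mapping, and flags .k5login
# files that group or others can write (anyone who can write the file can
# add their own principal and log in as that user). Assumes GNU stat -c.

# Return 0 if the given common-auth file enables .k5login lookup, i.e. an
# "auth ... pam_krb5.so ..." line that carries the search_k5login option.
pam_has_search_k5login() {
    grep -Eq '^auth[[:space:]].*pam_krb5\.so.*search_k5login' "$1"
}

# Print "homedir principal" for every principal in $1/.k5login, skipping
# blank lines and '#' comments. Returns 1 if there is no .k5login at all.
list_k5login() {
    f="$1/.k5login"
    [ -f "$f" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$f" | while read -r principal; do
        printf '%s %s\n' "$1" "$principal"
    done
}

# Return 0 if $1/.k5login is writable by group or others, based on the
# symbolic mode string (-rw-rw-r-- etc.); position 6 is group write,
# position 9 is other write.
k5login_insecure() {
    f="$1/.k5login"
    [ -f "$f" ] || return 1
    case "$(stat -c '%A' "$f")" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit every home directory under $2 against the common-auth file $1.
audit_k5login() {
    if pam_has_search_k5login "$1"; then
        echo "search_k5login enabled in $1: .k5login files grant login"
    else
        echo "search_k5login not set in $1: .k5login files are ignored by PAM"
    fi
    for home in "$2"/*; do
        list_k5login "$home" || continue
        if k5login_insecure "$home"; then
            echo "WARNING: $home/.k5login is group/world writable"
        fi
    done
}
```

Run it as audit_k5login /etc/pam.d/common-auth /home on the box itself; a .k5login that is silently ignored (search_k5login missing) and one that is writable by others are the two findings it is meant to surface.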
