Friday, April 29, 2016

[389-users] Pass through auth using krbPrincipalName

Hello,

Has anyone used pass through authentication to Kerberos with the principal coming from an attribute like krbPrincipalName?

I have pass through auth working where the list of users (nsswitch) comes from the LDAP server and the authentication is using pam such as:
/etc/pam.d/ldapserver:
auth        required      pam_env.so
auth        sufficient    pam_krb5.so
auth        required      pam_deny.so
account     required      pam_krb5.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     required      pam_krb5.so

The pass through plugin is configured to use the RDN where everyone's RDN is like "uid=xxx".
This works fine, but that's because the uid is the same as the part before the realm in the principal.

For example:
My login is "gary".
My Kerberos principal is "gary@EXAMPLE.COM".
EXAMPLE.COM is configured as the default realm on the system.

However, I have people whose login does not match their principal:
User Bob Smith has a login "bsmith".
His Kerberos principal is "robert.smith@EXAMPLE.COM".
I want to use "bsmith" for all the Unix/Linux name lookups, but use "robert.smith@EXAMPLE.COM" for the authentication.  The latter information is stored in the krbPrincipal attribute.

I also want to be able to use a non-default realm:
User: "betty"
Principal: "betty.jones@OTHERREALM.COM"

I can configure the krb5.conf file to know about these other realms and I can use kinit to test them so I know the Kerberos works.

I tried to change the plugin to pass the principal, but a name like "gary@EXAMPLE.COM" fails in the user lookup.

I need one name for the user and another for the authentication.

Another option would be if the user did not need to be found in the passwd data.  I don't really need it for pass through auth anyway.  Unfortunately, pam fails if the user can't be found.

Any ideas?


--
Gary Algier
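For readers following the thread, here is an added example (not part of the original post, and not a reply from the list) showing the two mappings the post talks about as 389 Directory Server PAM Pass Through Auth plugin configuration. The plugin DN and the pam* attribute names are the plugin's documented ones; pamService is the /etc/pam.d/ldapserver file from the post; the suffix dc=example,dc=com is an assumption.

```ldif
# Added example, not from the original post.  Assumes the directory suffix
# dc=example,dc=com and the PAM service "ldapserver" from the post.

# (a) The setup the post describes as working: the bind DN's RDN value
#     ("uid=gary" -> "gary") is handed to PAM, so pam_krb5 ends up trying
#     gary@<default realm from krb5.conf>.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamService
pamService: ldapserver
-
replace: pamIncludeSuffix
pamIncludeSuffix: dc=example,dc=com
-
replace: pamFallback
pamFallback: FALSE
-
# The plugin forwards the cleartext bind password to PAM; require TLS so it
# is never accepted over a plain connection.
replace: pamSecure
pamSecure: TRUE

# (b) Hand PAM the value of an attribute of the entry instead of the RDN.
#     With pamIDAttr set to krbPrincipalName, uid=bsmith can carry
#     robert.smith@EXAMPLE.COM and uid=betty can carry
#     betty.jones@OTHERREALM.COM, so the realm travels with the name.
#     ENTRY is tried first; RDN is listed as a fallback for entries that have
#     no krbPrincipalName (listing several methods is allowed by the plugin;
#     check the behaviour against your server version).
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamIDMapMethod
pamIDMapMethod: ENTRY RDN
-
replace: pamIDAttr
pamIDAttr: krbPrincipalName
```

Apply either fragment with ldapmodify as Directory Manager. Note that (b) only changes which string the plugin passes to PAM as the user name; whatever is stored in krbPrincipalName arrives at pam_krb5 verbatim, so a value containing a realm still has to survive the PAM stack's user lookup that the post reports failing.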
