Use a preferred username but authenticate against Kerberos principal
- by Jason R. Coombs
What I desire to do should be pretty simple.
I have an Ubuntu 10.04 box. It's currently configured to authenticate users against a kerberos realm (EXAMPLE.ORG). There is only one realm in the krb5.conf file and it is the default realm.
    [libdefaults]
        default_realm = EXAMPLE.ORG
PAM is configured to use the pam_krb5 module, so if a user account is created on the local machine, and that username matches the [email protected] credential, that user may log in by supplying his kerberos password.
What I would like to do instead is create a local user account with a different username, but have it always authenticate against the canonical name in the kerberos server.
For example, the kerberos principal is [email protected]. I would like to create the local account preferred.name and somehow configure kerberos that when someone attempts to log in as preferred.name, it uses the principal [email protected].
I have tried using the auth_to_local_names in krb5.conf, but this doesn't seem to do the trick.
    [realms]
        EXAMPLE.ORG = {
            auth_to_local_names = {
                full.name = preferred.name
            }
        }
I have tried adding [email protected] to ~preferred.name/.k5login.
In all cases, when I attempt to log in as preferred.name@host and enter the password for full.name, I get Access denied.
I even tried using auth_to_local in krb5.conf, but I couldn't get the syntax right.
Is it possible to have a (distinct) local username that for all purposes behaves exactly like a matching username does? If so, how is this done?
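For reference, here is what an MIT krb5 `auth_to_local` rule for this mapping looks like, using the names from the question. This is an added example, not configuration from the original post, and it assumes MIT Kerberos (the `RULE:` syntax is MIT-specific; Heimdal uses a different mechanism). It also assumes the mapping is only needed in the principal-to-local-user direction, which is the only direction `auth_to_local` and `auth_to_local_names` operate in: they are consulted when a host decides which local account an already-authenticated principal may use (for example `.k5login`/`krb5_kuserok` style authorization after a GSSAPI or ticket-based login), not when pam_krb5 builds the principal it will request a ticket for from the login name.

```ini
; Added example krb5.conf fragment (not from the original post).
; Assumes MIT Kerberos and the realm/names used in the question.
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        ; Rule form: RULE:[n:string](regexp)s/pattern/replacement/
        ;   [1:$1@$0]  -> build "first-component@REALM" from a 1-component principal
        ;   (...)      -> regexp the built string must match (dots escaped)
        ;   s/.*/.../  -> rewrite the matched string to the local user name
        auth_to_local = RULE:[1:$1@$0](full\.name@EXAMPLE\.ORG)s/.*/preferred.name/
        ; Fall through to the default behaviour (strip the realm) for
        ; every other principal in the default realm.
        auth_to_local = DEFAULT

        ; Equivalent explicit-list form for a single principal; either
        ; this or the RULE above is sufficient, both shown for comparison.
        auth_to_local_names = {
            full.name = preferred.name
        }
    }
```

A quick way to confirm what the library actually resolves a principal to, without logging in, is the `aname_to_localname` path exercised by `kuserok`-style checks in the krb5 test tools, or simply by obtaining a ticket for full.name and attempting a GSSAPI login (for example `ssh -K preferred.name@host`), which does go through `auth_to_local`. A password login typed as preferred.name does not: pam_krb5 will try to authenticate preferred.name@EXAMPLE.ORG, which is why the attempts described above fail with the password for full.name.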