[Novalug] Pam.d / Winbind and services w/Multiple Domains
James Ewing Cottrell 3rd
JECottrell3 at Comcast.NET
Wed Sep 8 10:57:31 EDT 2010
On 9/7/2010 10:24 PM, Nick Danger wrote:
> On 09/07/2010 09:07 PM, James Ewing Cottrell 3rd wrote:
>> First, it occurs to me that for all user names, DOM1\user, DOM2\user,
>> and DOM3\user should all represent the same person.
>> This is a Pain, but less painful than converting DOM2 and DOM3 to DOM1.
>> Does that help any?
> Unfortunately, no. Because while you are correct, that DOM1\user and
> DOM2\user should be the same, that is not my issue. Really there are no
> duplicates of user IDs between the domains (already checked that one
> out). Currently when doing tacacs auth, I just accept the user name,
> and krb5 appends the domain on it before validating the user/pass pair
> for me. What I want to do is have it try a series of domains before
> returning 'valid' or 'invalid'.
> Amusingly I just discovered I cannot reach any of the other domain
> controllers from the tacacs server in question, so this whole exercise
> might be moot.
Well, you mentioned PAM, and it occurs to me that it could cycle through
the domains, as in
auth try-ad.so sufficient DOM1
auth try-ad.so sufficient DOM2 use-first-passwd
auth try-ad.so sufficient DOM3 use-first-passwd
Note that I just made those PAM modules and their syntax up, but what I
am getting at is that this construct gives you multiple tries.
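The same idea written in real PAM syntax, as an added example for this thread rather than anything from the original post. It uses Russ Allbery's pam_krb5 module, whose realm= option selects the Kerberos realm to authenticate against and whose use_first_pass option reuses the password collected by the first line; the file name /etc/pam.d/tac_plus and the realm names DOM1.EXAMPLE, DOM2.EXAMPLE and DOM3.EXAMPLE are assumptions standing in for whatever service name the tacacs daemon opens PAM with and the actual AD domain names. Note that in a real PAM line the control flag comes before the module name, the reverse of the sketch above.

```conf
# /etc/pam.d/tac_plus   (service name assumed; match the name your tacacs
# daemon passes to pam_start)
#
# Lines are tried top to bottom. "sufficient" means the first realm that
# accepts the password ends the auth stack with success; a failure is
# ignored and the next line runs. "use_first_pass" makes pam_krb5 reuse
# the password already prompted for by the first line instead of asking
# again, so the user types it once and each realm gets the same guess.
auth    sufficient  pam_krb5.so realm=DOM1.EXAMPLE
auth    sufficient  pam_krb5.so realm=DOM2.EXAMPLE use_first_pass
auth    sufficient  pam_krb5.so realm=DOM3.EXAMPLE use_first_pass
# Fail closed: if no realm accepted the user, deny explicitly rather than
# relying on the stack's default result for "nothing succeeded".
auth    required    pam_deny.so
```

Two things to check before relying on this. First, every realm listed must be reachable and defined in krb5.conf (or resolvable through DNS SRV records), which is exactly the connectivity problem mentioned earlier in the thread; an unreachable KDC turns each login into a timeout per line before falling through. Second, a wrong password is now sent to up to three KDCs, so one typo can count as a failed logon in all three domains at once and lockout policies in each will trip faster than users expect; put the realm that holds most of the accounts first to keep that to a minimum, and keep the no-duplicate-usernames check current, because with this stack a user named X in DOM2 authenticates as X even if a different X exists in DOM1.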