Login or Register to Ask a Question and Join Our Community


Red Hat

pam_krb5 UID mapping (clashing UIDs)

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems Linux Red Hat pam_krb5 UID mapping (clashing UIDs)
# 1  
Old 10-19-2011
Question pam_krb5 UID mapping (clashing UIDs)
Hi,

I'm considering implementing pam_krb5 on RHEL 5.5 and Solaris 10, and I'm in an environment that has a number of legacy NIS domains. They've all been migrated into Active Directory, RFC2307, with the NIS maps that differed in each domain kept within its own container. However, users and groups have been merged together.

This now lends itself to an interesting problem. Some users have clashing UIDs. User 'joe' might login to a machine in domain 'A' and should rightly have UID 120. However, when 'joe' logs into a machine in domain 'B' he's going to need a UID of say 140. Same username, different UID.

We need a way of overriding the UID, GID, home directory and login shell for particular users on a domain-by-domain basis. I've seen this done with commercial products using GPOs in AD, and I'm guessing, some funky pam_krb5 code?

Can anyone think of either a) how we might achieve this using features already available in one or other pam_krb5, or b) if I have to hack someone's pam_krb5 to do this which one I should pick and which features this might be most similar to?

I'm a C whizz, so don't mind hacking a solution, but would rather not re-invent the wheel.

Thanks,
Mark.

p.s. it's not possible to clean up the data (too big a problem).
Login or Register to Ask a Question

Previous Thread | Next Thread

8 More Discussions You Might Find Interesting

1. Homework & Coursework Questions

Display usernames and their UIDs

Use and complete the template provided. The entire template must be completed. If you don't, your post may be deleted! 1. The problem statement, all variables and given/known data: Write a script that displays all usernames and their UIDs in the following fashion: name1 uid=999 name2... (2 Replies)
Discussion started by: baniel
2 Replies

2. UNIX and Linux Applications

Samba loosing SID UID mapping

Hi all, I don't know how many times I've setup samba shares, but... It's been a while since the last time. The SID UID maps used to always seem random. I.E. if I had to move the data to another box, I'd have to note all of the SID / UID relations and write scripts to convert them on the new... (0 Replies)
Discussion started by: mph
0 Replies

3. Shell Programming and Scripting

Creating unique mapping from multiple mapping

Hello, I do not know if this is the right title to use. I have a large dictionary database which has the following structure: where a b c d e are in English and p q r s t are in a target language., the two separated by the delimiter =. What I am looking for is a perl script which will take... (5 Replies)
Discussion started by: gimley
5 Replies

4. Solaris

UIDs in /etc/passwd file

Hi all, I am bit confused about UIDs on my server where LDAP athentication happens. UIDs are generally in the range of 0-65534 for any Solaris OS version(correct if i am wrong). My server is running on Solaris 9. Below are user accounts available on my server. ... (10 Replies)
Discussion started by: vvpotugunta
10 Replies

5. UNIX for Advanced & Expert Users

keep UIDs/GIDs consistent

Hi, What is the best ways to keep UIDs and GIDs consistent across unix and linux server. my company have a servers running on hpux, linux, aix and many of them have veritas cluster and hacmp running, many time user account have been created only on one of the cluster node and not the others... (4 Replies)
Discussion started by: robertngo
4 Replies

6. AIX

UIDs being overwritten immediately

We have a problem where we delete a user and their associated UID gets dumped back in the UID pool. The if we immediately create a another (new) user, AIX reuses the last UID, the one that was just released. This is causing a problem when reports are being generated because the new users name is... (2 Replies)
Discussion started by: xsys2000
2 Replies

7. HP-UX

Valid ranges for uids for HP-UX

Hi , I am using adduser in hp-ux to create users in Hp-ux. i would like to know what are the valid values for uids and gids in hp-ux what are the rannges for the valid uids . How to check what are the used uids in Hp-ux . Thanks Narendra babu C (7 Replies)
Discussion started by: naren_chella
7 Replies

8. UNIX for Dummies Questions & Answers

about UIDs, very urgent

hello guys, well as i mentioned first i have a serious problem, i need your help. i have a hosting plan with linux, apache and php. i have a script (that have my UID=32256) inside my web site (in the panel folder -see below-) that creates new scripts (in the pages folder) (the new scripts... (1 Reply)
Discussion started by: mehdi
1 Replies
Login or Register to Ask a Question

LEARN ABOUT REDHAT

pam_krb5

pam_krb5(8)						   System Administrator's Manual					       pam_krb5(8)

NAME

       pam_krb5 - Kerberos 5 authentication

SYNOPSIS

       auth required /lib/security/pam_krb5.so
       session optional /lib/security/pam_krb5.so
       account sufficient /lib/security/pam_krb5.so
       password sufficient /lib/security/pam_krb5.so

DESCRIPTION

       pam_krb5.so  is	designed to allow smooth integration of Kerberos 5 password- checking with applications built using PAM.  It also supports
       session-specific ticket files (which are neater), and Kerberos IV ticket file grabbing.	Its main use is as an authentication  module,  but
       it  also  supplies  the	same functions as a session-management module to better support poorly-written applications, and a couple of other
       workarounds as well.  It also supports account management and password-changing.

       When a user logs in, the module's authentication function performs a simple password check and, if possible, obtains Kerberos  5  and  Ker-
       beros  IV  credentials,	caching them for later use.  When the application requests initialization of credentials (or opens a session), the
       usual ticket files are created.	When the application subsequently requests deletion of credentials or closing of the session,  the  module
       deletes the ticket files.

ARGUMENTS

       debug  turns on debugging via syslog(3).  Debugging messages are logged with priority LOG_DEBUG.

       addressless
	      tells pam_krb5.so to obtain credentials without address lists.  This may be necessary if your network uses NAT, and should otherwise
	      not be used.

       hosts=host
	      tells pam_krb5.so to obtain credentials using the address of the given host in addition to the addresses of interfaces on the  local
	      workstation.   For  example, if your workstation is behind a masquerading firewall, specifying the firewall's outward-facing address
	      here should allow Kerberos authentication to succeed.

       banner=Kerberos
	    tells pam_krb5.so how to identify itself when users attempt to change their passwords.

       ccache_dir=/tmp
	    tells pam_krb5.so which directory to use for storing credential caches.

       forwardable
	    tells pam_krb5.so that credentials it obtains should be forwardable.

       keytab=/etc/krb5.keytab
	    tells pam_krb5.so the location of a keytab to use when validating credentials obtained from KDCs.

       krb4_convert
	    tells pam_krb5.so to obtain Kerberos IV credentials for users, in addition to Kerberos 5 credentials.

       minimum_uid=0
	    tells pam_krb5.so to ignore authentication attempts by users with UIDs below the specified number.

       no_user_check
	    tells pam_krb5.so to not check if a user exists on the local system, and to create ccache files owned by the  current  process's  UID.
	    This is useful for situations where a non-privileged server process needs to use Kerberized services on behalf of remote users who may
	    not have local access.  Note that such a server should have an encrypted connection with its client in order  to  avoid  allowing  the
	    user's password to be eavesdropped.

       proxiable
	    tells pam_krb5.so that credentials it obtains should be proxiable.

       realm=realm
	    overrides the default realm set in /etc/krb5.conf, which pam_krb5.so will attempt to authenticate users to.

       renew_lifetime=36000
	    sets the default renewable lifetime for credentials.

       skip_first_pass
	    tells  pam_krb5.so	to  not  bother  checking  a  password	that has been set by a module listed earlier in the stack.  This option is
	    included mainly for completeness.

       ticket_lifetime=36000
	    sets the default lifetime for credentials.

       try_first_pass
	    tells pam_krb5.so to check the password as with use_first_pass, but to prompt the user for another one if the  previously-entered  one
	    fails. This is the default mode of operation.

       use_first_pass
	    tells  pam_krb5.so	to  get  the user's entered password as it was stored by a module listed earlier in the stack, usually pam_unix or
	    pam_pwdb, instead of prompting the user for it.

       use_authtok
	    tells pam_krb5.so to never prompt for passwords when changing passwords.  This is useful if you are using pam_cracklib.so  to  try	to
	    enforce use of less-easy-to-guess passwords.

       validate
	    tells pam_krb5.so to verify that the TGT obtained from the realm's servers has not been spoofed.

FILES

       /etc/krb5.conf

SEE ALSO

       pam_krb5(5)

BUGS

       Probably, but let's hope not.  If you find any, please email the author.

AUTHOR

       Nalin Dahyabhai <nalin@redhat.com>

Red Hat Linux							    2002/02/15							       pam_krb5(8)