As best we’ve been able to tell (refer to reader Ian’s comments on the Solaris-AD integration and Linux-AD integration articles about changing the login name for Kerberos), it can’t be done. LDAP can be changed, but Kerberos cannot.

If you find a workaround, I’d love to hear about it!

Thanks for reading!

I have implemented kerberos together with ldaps - loging from linux to Microsoft AD.

Question: How can i ponit for kerberos to allow login with unix account ( uid) instead of sammaccountname? We dont want to login with example “john.exmaple” (SAMACC) but with “jexample” (UID). Thanx

Yes, of course–that makes perfect sense that sAMAccountName wouldn’t be used, since that is a strictly Microsoft sort of thing. Now that I think about it, I would strongly imagine that they are using uid for the logon attribute, since that seems to be the default for most Unix-like operating systems.

Thanks for the updated information!

In the schema there is a supplemental entry for POSIX account information and it references the uidNumber entry
( nisSchema.2.0 NAME ’posixAccount’ SUP top AUXILIARY
DESC ’Abstraction of an account with POSIX attributes’
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $ description ) )

Since there is no mention of AD specific entries like sAMAccountName in the NIS Schema I would have to believe it is the uidNumber. And if you do any of the user related queries from with Solaris to an AD LDAP server like getent passwd username it returns the same info as the old ypcat commands did against NIS specifically the uid number.

Hope that helps,
Dale

(a copy paste from the live file)

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
pam_groupdn cn=DELPHI,ou=Groups,ou=People,dc=longwood,dc=edu

# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute member

I take myself out of the DELPHI group, yet it lets me login fine via ssh. In a LDAP-only environment, we have this working on other machines. But on my test box with Kerberos it lets anybody on.

Blake

I have had some luck controlling this by editing /etc/pam.d/sshd and /etc/security/access.conf as describted at http://www.cyberciti.biz/tips/openssh-root-user-account-restriction-revisited.html. This seems to work for sshd and local logins. However I’d like to use the ldap.conf to control this exclusively is possible - one fewer thing to think about.

Blake

You’re on the right track; you should be able to use pam_groupdn and pam_member_attribute to do exactly what you’re describing, even with Kerberos authentication. (Keep in mind when I say “Kerberos authentication,” I mean the use of pam_krb5 to provide Kerberos authentication against Active Directory, not GSSAPI authentication using Kerberos.)

I know this is a stupid question, but the pam_groupdn and pam_member_attribute lines aren’t commented out (#) in the production /etc/ldap.conf file, are they?

I have the Kerberos working - but I seem to have lost a piece of functionaliry. In the straight LDAP auth, I have the following lines in ldap.conf:

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember

This allows us to control who can log onto which host by Windows group. (we have one group for each host). This doesn’t seem to work with the Kerberos/LDAP solution. Is there any way I can control this in a similar fashion? I have spent some time looking into pam_access, which seems to mention group membership. But I haven’t been able to make it work.

Blake