Use a preferred username but authenticate against Kerberos principal

Posted by Jason R. Coombs on Server Fault
Published on 2010-12-17T15:33:45Z

What I desire to do should be pretty simple.

I have an Ubuntu 10.04 box. It's currently configured to authenticate users against a kerberos realm (EXAMPLE.ORG). There is only one realm in the krb5.conf file and it is the default realm.

[libdefaults]
    default_realm = EXAMPLE.ORG

PAM is configured to use the pam_krb5 module, so if a user account is created on the local machine, and that username matches the username@EXAMPLE.ORG credential, that user may log in by supplying his kerberos password.

What I would like to do instead is create a local user account with a different username, but have it always authenticate against the canonical name in the kerberos server.

For example, the kerberos principal is full.name@EXAMPLE.ORG. I would like to create the local account preferred.name and somehow configure kerberos so that when someone attempts to log in as preferred.name, it uses the principal full.name@EXAMPLE.ORG.

I have tried using the auth_to_local_names in krb5.conf, but this doesn't seem to do the trick.

[realms]
    EXAMPLE.ORG = {
            auth_to_local_names = {
                    full.name = preferred.name
            }
    }

I have tried adding full.name@EXAMPLE.ORG to ~preferred.name/.k5login.

In all cases, when I attempt to log in as preferred.name@host and enter the password for full.name, I get Access denied.

I even tried using auth_to_local in krb5.conf, but I couldn't get the syntax right.

Is it possible to have a (distinct) local username that for all purposes behaves exactly like a matching username does? If so, how is this done?
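An added example, not part of the question or of MIT Kerberos itself: a small Python model of how MIT krb5 evaluates the auth_to_local_names entry and auth_to_local RULE lines for the realm above, written out with the RULE syntax the question was missing. It assumes MIT's documented rule semantics (n is the required number of components, $0 is the realm and $1..$n the components, the selector regexp must match before the s/pattern/replacement/ substitution is applied, and DEFAULT maps only single-component principals in the default realm) and the constructed mapping full.name to preferred.name.

```python
import re

DEFAULT_REALM = "EXAMPLE.ORG"

# Constructed configuration mirroring the question: the explicit
# auth_to_local_names entry for EXAMPLE.ORG, plus an auth_to_local RULE
# line that maps the same principal and a DEFAULT fallthrough.
NAMES = {"EXAMPLE.ORG": {"full.name": "preferred.name"}}
RULES = [r"RULE:[1:$1@$0](^full\.name@EXAMPLE\.ORG$)s/^.*$/preferred.name/",
         "DEFAULT"]

RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)(s/.*)?$")
SUBST_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")

def apply_rule(rule, components, realm):
    # RULE:[n:string](regexp)s/pattern/replacement/[g]; None if not selected
    m = RULE_RE.match(rule)
    n, fmt, selector, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4) or ""
    if len(components) != n:        # n is the required number of components
        return None
    s = fmt.replace("$0", realm)    # $0 = realm, $1..$n = components
    for i in range(n, 0, -1):
        s = s.replace(f"${i}", components[i - 1])
    if not re.search(selector, s):  # the selector regexp must match first
        return None
    for pat, rep, g in SUBST_RE.findall(substs):
        s = re.sub(pat, rep, s, count=0 if g else 1)
    return s

def auth_to_local(principal, names=NAMES, rules=RULES, default_realm=DEFAULT_REALM):
    # Local user name for a principal, or None when nothing maps it.
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    if name in names.get(realm, {}):    # explicit auth_to_local_names first
        return names[realm][name]
    for rule in rules:
        if rule == "DEFAULT":           # one component, default realm only
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        out = apply_rule(rule, components, realm)
        if out is not None:
            return out
    return None

if __name__ == "__main__":
    for p in ("full.name@EXAMPLE.ORG", "other.user@EXAMPLE.ORG",
              "full.name/admin@EXAMPLE.ORG", "full.name@OTHER.ORG"):
        print(f"{p:30} -> {auth_to_local(p)}")
```

This mapping runs in the principal-to-local-name direction, which is what .k5login and kuserok checks consult; it does not by itself change which principal pam_krb5 derives from the login name (in Russ Allbery's pam-krb5, the libpam-krb5 that Ubuntu ships, that direction has its own options such as search_k5login).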
