[37159] in Kerberos

Re: kinit: Mapping a local username to a Kerberos principal?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Jul 17 12:14:45 2015

Message-ID: <55A929D8.60000@mit.edu>
Date: Fri, 17 Jul 2015 12:14:16 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Lars Kellogg-Stedman <lars@oddbit.com>, kerberos@mit.edu
In-Reply-To: <loom.20150716T234216-214@post.gmane.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 07/16/2015 05:46 PM, Lars Kellogg-Stedman wrote:
> Is it possible to configure my local Kerberos environment such that when I
> type 'kinit' with no additional parameters, it will use something other than
> '<my_local_username>@<default_kerberos_domain>'?

No, we don't have a configurable mapping from local name to Kerberos
principals.  If we did, every tool which gets initial tickets (not just
kinit) would need to be modified to use it.

At least some versions of pam_krb5 have some mapping options.  See the
alt_auth_map and search_k5login options here:

  http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html

> My username on my local workstation differs from my organizational Kerberos
> principal name.  I'm currently using an explicit 'kinit
> myprincipal@CORP.COM', but this doesn't integrate well with system tools
> that might otherwise enable me to automatically acquire a token on login and
> take care of renewing it for me.
> 
> The documentation for both 'auth_local_names' and 'k5identity' seemed
> promising, but neither appears to do what I want.

Right.  aname-to-lname goes in the other direction, and k5identity is
about picking which of several Kerberos principals to use.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
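
An added illustration of the pam_krb5 options named in the reply above. It is not part of the original message and not the pam-krb5 project's own sample configuration. The PAM file path, the `auth required` control flag and the minimal stack are assumptions, and the principal is the placeholder from the quoted question.

```conf
# --- PAM service file, e.g. /etc/pam.d/<service> (path varies by distribution; assumption) ---
# search_k5login: if the local account has a ~/.k5login, pam_krb5 tries the
# entered password against each principal listed there instead of
# <local_username>@<default_realm>.
auth  required  pam_krb5.so  search_k5login

# Alternative: alt_auth_map rewrites every username through one format string
# (%s is replaced by the local username). It only helps when the principal can
# be derived from the local name by a uniform pattern, which is not the case
# when the two names are unrelated.
# auth  required  pam_krb5.so  alt_auth_map=%s@CORP.COM

# --- ~/.k5login of the local account (one principal per line) ---
myprincipal@CORP.COM
```

The `.k5login` file must be readable at authentication time, and it is also an authorization list: every principal in it is allowed to log in to that local account through Kerberized services, so it should be owned by the account and contain only principals that are meant to have that access.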