[30833] in Kerberos
RE: Authenticating using lower case domain/realm
daemon@ATHENA.MIT.EDU (Tim Alsop)
Mon Mar 9 08:09:03 2009
From: Tim Alsop <Tim.Alsop@CyberSafe.com>
To: San tos <sansancasd@gmail.com>
Date: Mon, 9 Mar 2009 12:07:29 +0000
Message-ID: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local>
In-Reply-To: <d2912e600903090448g5ac23a6dl5e7564652def8997@mail.gmail.com>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
San,
You need an implementation of Kerberos, which has support for UPN authentication (using nt-enterprise principal names) and the canonical flag, as well as client side realm referrals. I guess the implementation of Kerberos on Ubuntu does not have these extensions coded.
I represent a vendor who develops and sells a commercial implementation of Kerberos, and our product works as you expect - see below:
talsop@perky:~> kinit talsop
Password for talsop@DEV.LOCAL:
talsop@perky:~> klist
Cache Type: Kerberos V5 Credentials Cache
Cache File: /krb5/tmp/cc/krb5cc_1000
Cache Version: 0502
Default Principal: talsop@DEV.LOCAL
Valid From Expires Service Principal
---------------------------- ---------------------------- -----------------
Mon 09 Mar 2009 12:06:03 GMT Mon 09 Mar 2009 20:06:23 GMT krbtgt/DEV.LOCAL@DEV.LOCAL
talsop@perky:~> kinit talsop@dev.local
Password for talsop\@dev.local@DEV.LOCAL:
talsop@perky:~> klist
Cache Type: Kerberos V5 Credentials Cache
Cache File: /krb5/tmp/cc/krb5cc_1000
Cache Version: 0502
Default Principal: talsop@DEV.LOCAL
Valid From Expires Service Principal
---------------------------- ---------------------------- -----------------
Mon 09 Mar 2009 12:06:16 GMT Mon 09 Mar 2009 20:06:35 GMT krbtgt/DEV.LOCAL@DEV.LOCAL
talsop@perky:~>
Thanks,
Tim
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of San tos
Sent: 09 March 2009 11:49
To: kerberos@mit.edu
Subject: Authenticating using lower case domain/realm
Hello to all.
I have successfully configured Ubuntu machines to authenticate to an Active
Directory running Windows 2k (pam_krb5/LDAP/Kerberos). The realm is
DOMAIN.COM, however in order to be user friendly and maintain the same login
address in everything, I need to authenticate using user@domain.com instead
of user@DOMAIN.COM.
It seems Windows 2k accepts either way, but maybe Kerberos doesn't like the
response it receives:
kinit(v5): KDC reply did not match expectations while getting initial
credentials
I'm using Ubuntu 8.10 and:
krb5-config 1.19 Configuration files for Kerberos Version 5
krb5-user 1.6.dfsg.4~beta1-3 Basic programs to authenticate using MIT Ker
libkrb53 1.6.dfsg.4~beta1-3 MIT Kerberos runtime libraries
The krb5.conf:
[libdefaults]
default_realm = DOMAIN.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# dns_lookup_realm = true
# dns_lookup_kdc = false
[realms]
DOMAIN.COM = {
kdc = dc.domain.com
admin_server = dc.domain.com
default_domain = DOMAIN.COM
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
I have googled, read the mans, tried a lot of other configurations, etc., for
days now, but can't figure it out. I will appreciate any input you have on
this.
Thanks in advance for your replies.
Santos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
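The behaviour Tim describes above (a plain kinit of user@domain.com failing the client's reply check, versus an NT-ENTERPRISE/UPN name with canonicalization succeeding), as an added Python model that is not part of this thread or of any Kerberos implementation. The realm DEV.LOCAL, the UPN table and the KDC's name handling are constructed assumptions, and the client check is a simplified model of the real one.

```python
# Constructed model (not MIT krb5 code) of the AS-REP name check behind the error above.
from dataclasses import dataclass
DEFAULT_REALM = "DEV.LOCAL"
UPN_TABLE = {"talsop@dev.local": "talsop"}  # constructed AD data: UPN -> account name

def parse_principal(text: str, default_realm: str = DEFAULT_REALM) -> "tuple[str, str]":
    """Split at the first unescaped '@'; a '\\@' stays part of the name."""
    name, esc = [], False
    for i, ch in enumerate(text):
        if esc: name.append(ch); esc = False
        elif ch == "\\": esc = True
        elif ch == "@":
            return "".join(name), text[i + 1:]
        else:
            name.append(ch)
    return "".join(name), default_realm

def enterprise_principal(login: str, default_realm: str = DEFAULT_REALM) -> str:
    """Render a UPN as an NT-ENTERPRISE name, e.g. 'talsop\\@dev.local@DEV.LOCAL'."""
    return login.replace("@", "\\@") + "@" + default_realm

@dataclass(frozen=True)
class AsReq:
    cname: str
    crealm: str
    enterprise: bool = False    # name type NT-ENTERPRISE (a UPN)
    canonicalize: bool = False  # client allows the KDC to rewrite the name

def ad_kdc(req: AsReq) -> "tuple[str, str] | None":
    """AD-style KDC: realm matched case-insensitively, UPN lookup, reply always carries the canonical realm."""
    if req.enterprise:
        user = UPN_TABLE.get(req.cname.lower())
    else:
        user = req.cname if req.crealm.upper() == DEFAULT_REALM else None
    return None if user is None else (user, DEFAULT_REALM)

def client_check(req: AsReq, rep: "tuple[str, str] | None") -> "str | None":
    """Client compares the AS-REP cname/crealm with what it sent (exact match; realms are case-sensitive)."""
    if rep is None:
        return "KDC_ERR_C_PRINCIPAL_UNKNOWN"
    if rep == (req.cname, req.crealm) or req.canonicalize:
        return None
    return "KDC reply did not match expectations"

def kinit(login: str, enterprise: bool = False) -> "str | None":
    """Return None on success, else the error the client reports."""
    text = enterprise_principal(login) if enterprise else login
    name, realm = parse_principal(text)
    req = AsReq(name, realm, enterprise, canonicalize=enterprise)
    return client_check(req, ad_kdc(req))
```

kinit("talsop@dev.local") reproduces San's error because the KDC answers with DEV.LOCAL while the client asked for dev.local; kinit("talsop@dev.local", enterprise=True) passes because the client sent an enterprise name with the canonicalize flag and so accepts the KDC's canonical name, which is what Tim's second kinit shows.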