[30847] in Kerberos
Re: Authenticating using lower case domain/realm
daemon@ATHENA.MIT.EDU (Santos)
Tue Mar 10 06:31:35 2009
In-Reply-To: <DBA6F037-B434-400E-B877-63660E6E4743@padl.com>
Date: Tue, 10 Mar 2009 10:30:02 +0000
Message-ID: <d2912e600903100330o419d25dfk97fc2eaae77dfd26@mail.gmail.com>
From: Santos <sansancasd@gmail.com>
Cc: kerberos@mit.edu
Oh, just compiled 1.7 alpha and indeed kinit worked great with nt-enterprise
(just used the -E flag). I was trying to find the krb5.conf setting that
enabled the enterprise name for all krb apps.
But even if I do find it, you say it's useless because pam_krb5 won't use
it? Ahh what a disappointment..
On Mon, Mar 9, 2009 at 9:51 PM, Luke Howard <lukeh@padl.com> wrote:
>
> On 10/03/2009, at 3:17 AM, Santos wrote:
>
>> On Mon, Mar 9, 2009 at 1:35 PM, Luke Howard <lukeh@padl.com> wrote:
>>
>>> MIT Kerberos 1.7 adds the -C (canonicalize) and -E (enterprise
>>> principal name) options to kinit, which may help.
>>
>> Actually my main priority is to use pam_krb5.
>>
>> If I compile MIT Kerberos 1.7 on Ubuntu 8.10, will pam_krb5 be able to use
>> those flags? Does the krb5.conf file have any settings to enable those
>> settings as default?
>>
>
> It doesn't but you should be able to easily modify pam_krb5 to call
> krb5_get_init_creds_opt_set_canonicalize(), and to call
> krb5_parse_name_flags(KRB5_PRINCIPAL_PARSE_ENTERPRISE) rather than
> krb5_parse_name(). Of course, this should be made configurable.
>
> -- Luke
>
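
Why the enterprise-name parsing discussed in this thread helps with a lower-case domain, shown as an added example: a simplified model of the name/realm split, not libkrb5 or pam_krb5 code. `split_login`, `realm_matches`, the user name and the realm EXAMPLE.COM are constructed for illustration, and only single-component names are handled.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT libkrb5 code: split a single-component login string
 * into name and realm. Ordinary mode: the first unescaped '@' starts the
 * realm. Enterprise mode: the first unescaped '@' stays in the name and only
 * a second one starts the realm. No realm given: use default_realm. */
struct split { char name[128]; char realm[128]; };

int split_login(const char *in, int enterprise, const char *default_realm,
                struct split *out)
{
    size_t n = 0;
    int kept_at = 0;                 /* enterprise: first '@' already kept */
    const char *realm = NULL;
    for (const char *p = in; *p; p++) {
        if (*p == '\\' && p[1]) {
            p++;                     /* escaped character: copy it literally */
        } else if (*p == '@' && (!enterprise || kept_at)) {
            realm = p + 1;           /* realm separator: rest is the realm */
            break;
        } else if (*p == '@') {
            kept_at = 1;
        }
        if (n + 1 >= sizeof out->name) return -1;   /* name too long */
        out->name[n++] = *p;
    }
    out->name[n] = '\0';
    if (!realm) realm = default_realm;
    if (strlen(realm) >= sizeof out->realm) return -1;
    strcpy(out->realm, realm);
    return 0;
}

/* Realm names are case-sensitive, so compare byte for byte. */
int realm_matches(const struct split *s, const char *kdc_realm)
{
    return strcmp(s->realm, kdc_realm) == 0;
}

int main(void)
{
    struct split s;                  /* constructed sample input below */
    split_login("santos@example.com", 0, "EXAMPLE.COM", &s);
    printf("ordinary:   name=%s realm=%s match=%d\n", s.name, s.realm, realm_matches(&s, "EXAMPLE.COM"));
    split_login("santos@example.com", 1, "EXAMPLE.COM", &s);
    printf("enterprise: name=%s realm=%s match=%d\n", s.name, s.realm, realm_matches(&s, "EXAMPLE.COM"));
    return 0;
}
```

With the real library, the KDC may return a different client principal when canonicalization is requested, so a PAM module should base its local-account mapping and credential cache on the principal in the returned credentials, not on the string the user typed.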