[29631] in Kerberos


Re: Alternative UPN on Windows

daemon@ATHENA.MIT.EDU (Markus Moeller)
Thu Apr 3 17:07:27 2008

To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Thu, 3 Apr 2008 22:04:32 +0100
Message-ID: <ft3gr4$evh$1@ger.gmane.org>
Mime-Version: 1.0
X-Complaints-To: usenet@ger.gmane.org
In-Reply-To: <7e585f66-d89c-409d-a55d-0fbe23268c1d@s37g2000prg.googlegroups.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


"Speedo" <speedogoo@gmail.com> wrote in message 
news:7e585f66-d89c-409d-a55d-0fbe23268c1d@s37g2000prg.googlegroups.com...
> Hi All
>
> On Windows, there's something called alternative UPN that you can
> create user@this.realm in that.realm. Here's a very nice explanation:
> http://www.netometer.com/video/tutorials/upn/step1/step1.html
>
> I've looked at the packets, it works like this:
>
> Suppose in realm REAL.COM there's a user x which also has an
> alternative UPN called y@fake.com. If the user logs on with x, the
> principal name sent in AS-REQ is (x, NT-PRINCIPAL). If they log on with
> y@fake.com, it's (y@fake.com, NT-ENTERPRISE). In both cases, the
> server replies with a TGT successfully.
>
> My question is: Is there any third party software supporting this
> feature?
>
> 1. For kinit, how do I specify the name type?
You need to modify the source. See patch below for krb5-1.6.1. You can
either do kinit -e y@fake.com or kinit y@fake.com@REAL.COM


--- kinit.c     2008-04-03 20:47:02.000000000 +0100
+++ kinit-new.c 2008-04-03 20:46:38.000000000 +0100
@@ -136,6 +136,7 @@
     int no_addresses;

     int verbose;
+    int enterprise;

     char* principal_name;
     char* service_name;
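Review bot: the new `enterprise` field is never initialized in the visible hunks, so `opts->enterprise` is only safe to read in the name-parsing hunk if the options struct is zeroed (memset or `= {0}`) before option parsing; please confirm that, or set `opts->enterprise = 0` explicitly where the other fields are initialized.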
@@ -254,6 +255,7 @@
            (default_k5 && default_k4)?" and ":"",
            default_k4?"Kerberos 4":"",
            (!default_k5 && !default_k4)?"neither":"");
+    ULINE("\t", "-e enterprise tyep",           OPTTYPE_KRB5);
     ULINE("\t", "-V verbose",                   OPTTYPE_EITHER);
     ULINE("\t", "-l lifetime",                  OPTTYPE_EITHER);
     ULINE("\t", "-s start time",                OPTTYPE_KRB5);
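Review bot: typo in the usage string: `+    ULINE("\t", "-e enterprise tyep",           OPTTYPE_KRB5);` should read "-e enterprise type". It would also help users to state here that the same effect is had without -e by giving the name as user@fake.com@REALM, since that second form is accepted by the parsing hunk further down.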
@@ -331,12 +333,15 @@
     int use_k5 = 0;
     int i;

-    while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:"))
+    while ((i = GETOPT(argc, argv, "r:efpFP54aAVl:s:c:kt:RS:vX:"))
           != -1) {
        switch (i) {
        case 'V':
            opts->verbose = 1;
            break;
+       case 'e':
+           opts->enterprise = 1;
+           break;
        case 'l':
            /* Lifetime */
            code = krb5_string_to_deltat(optarg, &opts->lifetime);
@@ -571,12 +576,41 @@

     if (opts->principal_name)
     {
-       /* Use specified name */
-       if ((code = krb5_parse_name(k5->ctx, opts->principal_name,
-                                   &k5->me))) {
-           com_err(progname, code, "when parsing name %s",
-                   opts->principal_name);
-           return 0;
+        char *realm = NULL;
+
+        realm = strchr(opts->principal_name,'@');
+        if ( realm && strchr(++realm,'@') || opts->enterprise ){
+/*
+ *  email address as principal name
+ */
+            char* enterprisename;
+            char* p;
+
+            enterprisename=malloc(strlen(opts->principal_name)+2);
+            strcpy(enterprisename,opts->principal_name);
+            p=strchr(enterprisename,'@');
+            *p='\\';
+            *p++='\\';
+            *p++='\0';
+            strcat(enterprisename,strchr(opts->principal_name,'@'));
+            if ((code = krb5_parse_name(k5->ctx, enterprisename, &k5->me)))
{
+                com_err(progname, code, "when parsing name %s",
enterprisename);
+                if (enterprisename)
+                    free(enterprisename);
+                return(0);
+            }
+            if (enterprisename)
+                free(enterprisename);
+/* HEIMDAL kprincipal->name.name_type=10; */
+            k5->me->type=10;
+        } else {
+           /* Use specified name */
+           if ((code = krb5_parse_name(k5->ctx, opts->principal_name,
+                                       &k5->me))) {
+               com_err(progname, code, "when parsing name %s",
+                       opts->principal_name);
+               return 0;
+           }
        }
     }
     else
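Review bot: with -e and a name that contains no '@' (e.g. `kinit -e y`), `realm` is NULL, the `|| opts->enterprise` branch is taken anyway, `p=strchr(enterprisename,'@')` returns NULL and `*p='\\'` dereferences it; either reject such a name or skip the escaping and only set the name type. A few smaller points in the same block: `realm && strchr(++realm,'@') || opts->enterprise` mixes && and || without parentheses (compilers warn, and `realm` is a misleading name for "position after the first '@'"); the `malloc` return is not checked before `strcpy`; the first `*p='\\';` is immediately overwritten by `*p++='\\';` and can go; the `if (enterprisename)` guards before `free` are redundant; the magic `k5->me->type=10;` should use `KRB5_NT_ENTERPRISE_PRINCIPAL` from krb5.h, which has that value; and only the first '@' is escaped, so a name with more than two '@' characters still reaches `krb5_parse_name` with an extra unescaped '@'. Finally, as pasted the patch has two wrapped lines (`{` after the `krb5_parse_name` call and `enterprisename);` after the `com_err` call) that must be rejoined before it will apply.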



> 2. Using GSS, how do I create a GSS name?

I assume you mean the service principal here. This cannot be changed.

>
> Thanks
> Speedo
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
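The two points above (the NT-PRINCIPAL vs NT-ENTERPRISE name type Speedo saw in the AS-REQ, and the '@' escaping the kinit patch does before calling krb5_parse_name) can be shown without linking against libkrb5. The following is an added example written for this archive page; it is not the patch, not MIT krb5 code, and kinit_name_for_parser() and check_case() are names invented here. It implements the same rule as the patch (treat the name as an enterprise name when -e is given or when it contains two '@' characters, and escape the '@' that belongs to the name as "\@" so the parser keeps it inside the first component), but goes slightly beyond it: it escapes every '@' except the final realm separator rather than only the first one, survives -e with a name that has no '@', and checks the allocation. The name-type values 1 and 10 are the RFC 4120 NT-PRINCIPAL and NT-ENTERPRISE values, which MIT krb5 exposes as KRB5_NT_PRINCIPAL and KRB5_NT_ENTERPRISE_PRINCIPAL.

```c
/* Added example: how a kinit front end could turn its command-line
 * argument into the string given to krb5_parse_name() and the
 * PrincipalName name-type to set on the result. Not MIT krb5 code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 4120 section 6.2 name types (MIT: KRB5_NT_PRINCIPAL,
 * KRB5_NT_ENTERPRISE_PRINCIPAL). */
#define NT_PRINCIPAL            1
#define NT_ENTERPRISE_PRINCIPAL 10

/*
 * Decide how NAME is handed to the principal parser.
 *   enterprise : non-zero when the user passed -e.
 *   out_type   : receives NT_PRINCIPAL or NT_ENTERPRISE_PRINCIPAL.
 * Returns a malloc'ed string the caller frees, or NULL on error.
 *
 * Rule (same as the patch): the name is an enterprise name if -e was
 * given or it contains two '@' (y@fake.com@REAL.COM). Every '@' that is
 * part of the enterprise name is escaped as "\@"; only the final '@' in
 * the two-'@' form is left alone, because that one separates the realm.
 * With "-e y@fake.com" there is no realm part at all, so the single '@'
 * is escaped and the parser later appends the default realm.
 */
char *kinit_name_for_parser(const char *name, int enterprise, int *out_type)
{
    const char *first_at, *last_at, *realm_sep, *src;
    char *out, *dst;
    int is_enterprise;

    if (name == NULL || out_type == NULL)
        return NULL;

    first_at = strchr(name, '@');
    last_at  = strrchr(name, '@');
    is_enterprise = enterprise || (first_at != NULL && first_at != last_at);

    if (!is_enterprise)
        realm_sep = first_at;   /* x or x@REAL.COM: nothing to escape */
    else
        realm_sep = (first_at != last_at) ? last_at : NULL;

    /* Worst case every character is an '@' that needs a backslash. */
    out = malloc(2 * strlen(name) + 1);
    if (out == NULL)
        return NULL;

    for (src = name, dst = out; *src != '\0'; src++) {
        if (*src == '@' && src != realm_sep)
            *dst++ = '\\';
        *dst++ = *src;
    }
    *dst = '\0';

    *out_type = is_enterprise ? NT_ENTERPRISE_PRINCIPAL : NT_PRINCIPAL;
    return out;
}

/* Helper for checking one case: 1 if the parser string and name type
 * come out as expected, 0 otherwise. */
int check_case(const char *name, int enterprise, const char *want, int want_type)
{
    int type = 0, ok;
    char *got = kinit_name_for_parser(name, enterprise, &type);
    if (got == NULL)
        return 0;
    ok = (strcmp(got, want) == 0) && (type == want_type);
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample invocations, mirroring the thread's examples. */
    static const struct { const char *name; int e; } cases[] = {
        { "x", 0 }, { "x@REAL.COM", 0 }, { "y@fake.com", 1 },
        { "y@fake.com@REAL.COM", 0 }, { "a@b@c@REAL.COM", 0 }, { "y", 1 },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int type = 0;
        char *s = kinit_name_for_parser(cases[i].name, cases[i].e, &type);
        printf("kinit %s%s -> parse \"%s\", name-type %d\n",
               cases[i].e ? "-e " : "", cases[i].name,
               s ? s : "(alloc failed)", type);
        free(s);
    }
    return 0;
}
```

Running it prints, for instance, `kinit y@fake.com@REAL.COM -> parse "y\@fake.com@REAL.COM", name-type 10`, which is exactly the string the patch builds and the type it forces. Later MIT krb5 releases made this unnecessary: kinit gained a -E option and the library krb5_parse_name_flags() with KRB5_PRINCIPAL_PARSE_ENTERPRISE, so on a current krb5 the source modification above is not needed.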
